[tor-bugs] #10730 [- Select a component]: Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor Browser Bundle (including Vidalia issues)
#10730: Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor Browser
Bundle (including Vidalia issues)
----------------------------------+---------------------
Reporter: damico | Owner:
Type: defect | Status: new
Priority: major | Milestone:
Component: - Select a component | Version:
Keywords: | Actual Points:
Parent ID: | Points:
----------------------------------+---------------------
I had filed this bug to Canonical, but they immediately said to file it
here, against Tor, instead:
URL: launchpad
TITLE: Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor
Browser Bundle (including Vidalia)
DESCRIPTION:
There is an insidious privacy leak (aka security flaw) when using the
default Tor Browser Bundle on Ubuntu 13.10/Unity.
I do not know if this problem occurs on any other Ubuntu version, but I
do know that this problem does NOT occur on four other operating systems
where I currently use the Tor Browser Bundle (namely Windows 7, Windows
XP, CentOS6, and RHEL6).
The problem is that every single user who follows the standard
instructions to install the default Tor Browser Bundle on Ubuntu 13.10
will constantly have to double-check Ubuntu 13.10 to see WHICH browser they
are opening (which, arbitrarily, will either be the secure Tor or the
insecure Firefox). While having to check the Help->About every time one
opens up a browser is a problem enough to report as a bug, the worse
effect is when a user inadvertently uses the wrong browser. Make no
mistake about this - the repercussions can be severe (even fatal). If
someone has a need for privacy, one single mistake can get them into a lot
of trouble.
At the very least, that inevitable mistake would compromise an entire
anonymous nym; and at the worst, well, I don't even want to think about
what could happen in the worst case (depending on the government of the
user whose anonymity is betrayed).
Fact is, with this bug, Ubuntu 13.10 cannot be trusted with the Tor
Browser Bundle. Period.
That's why this seemingly simple bug where, only on Ubuntu 13.10, Tor and
Firefox are confused by the operating system, is actually a severe
usability bug.
To reproduce, first simply install the Tor Browser Bundle on Ubuntu 13.10,
following published instructions.
Note that the Tor Browser Bundle is NOT in the repositories (AFAIK) so
you'll need to get it off the default Tor web site.
I installed the 64-bit Tor on Ubuntu 13.10, but the problem appears to be
the same on 32-bit Ubuntu 13.10.
Then, once you have installed the Tor Browser Bundle using the standard
method published on the Tor web site, launch both Tor and Firefox any way
you like on Ubuntu 13.10.
You'll immediately find out that, by default, the (secure) Tor icon is
inexplicably confused with the (insecure) Firefox.
That is, the launcher for Tor will not exist; so if you open a (secure)
Tor browser and an (insecure) Firefox browser, you have to constantly
click on the (insecure) Firefox launcher, and then carefully scrutinize
the similar-looking windows (sometimes having to go as far as Help->About)
in order to determine WHICH browser you're actually running.
One mistake (which is inevitable), and you're dead.
Note: On all other operating systems, the Tor Browser Bundle shows up as a
DIFFERENT browser than the (insecure) Firefox, so there are vastly fewer
chances for an inadvertent mistake.
To make matters worse, only on Ubuntu 13.10 (and not on all other
operating systems tested), the Vidalia Control Panel (which comes standard
with the Tor Browser Bundle) also doesn't show up after installing the Tor
Browser Bundle as per the instructions on the Tor web site.
This means that all the control settings of Vidalia are NOT AVAILABLE to
the user on Ubuntu, further potentially compromising the Ubuntu 13.10
users.
On the Ubuntu forums, there are long threads on how to partially work
around these severe usability bugs, but nobody yet has proposed a
solution that actually works. All you can do so far is PARTIALLY disengage
the (insecure) Firefox from the (secure) Tor Browser Bundle - but you
still can't get Vidalia to come up, even with the proposed workarounds.
For INSTRUCTIONS on how to install the Tor Browser Bundle (English) on
Ubuntu 13.10, simply go here:
https://www.torproject.org/projects/torbrowser.html.en
There is no sense reproducing those instructions here because they are
standard for all Linux operating systems.
Once you install the Tor Browser Bundle, the problems I've described above
will show themselves instantly, the moment you launch both an (insecure)
Firefox browser and a (secure) Tor browser.
When this bug is fixed, I'd expect:
1. When you install the Tor Browser Bundle on Ubuntu, a SEPARATE launcher
for the (secure) Tor browser will result
2. Also, a SEPARATE control panel for Vidalia will be available to the
user.
3. It would be expected that the (insecure) Firefox launcher will be
unaffected.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10730>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online