Developers Get Advice on Hardening Tor Browser Bundle

A recent study conducted by iSEC Partners provided the developers of the Tor Browser Bundle with several long- and short-term recommendations on how to make the application more secure.

The study, commissioned by the Open Technology Fund, the primary funder of the Tor Browser, focused on reviewing current hardening options and finding additional ways of making the software more difficult to exploit.

Since the Tor Browser is based on Firefox, researchers have also performed a historical vulnerability analysis on Mozilla’s Web browser. This, along with other information on public and private exploits, is useful for the Security Slider, an upcoming feature that will allow users to disable certain elements of the browser for enhanced security.

The Security Slider will have four levels: low, medium-low, medium-high and high. For example, the “low” mode will be the current Tor Browser settings, with the addition of JIT support. In the “high” level, JavaScript will be completely disabled, remote fonts will be blocked via NoScript, and all media codecs (except WebM, which remains click-to-play) will be disabled.

One of the short-term recommendations made by iSEC is re-enabling Address Space Layout Randomization (ASLR) on Windows and Mac builds. Mike Perry, lead developer of the Tor Browser, admitted in a blog post that several hardening features have been disabled due to the use of cross-compilation and non-standard toolchains in the reproducible build system. He says they’re working on addressing the Windows issues, but it’s more complicated for Mac and they might have to build 64-bit versions of the Tor Browser for full support. 
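A release pipeline can verify that cross-compiled binaries actually carry the ASLR and DEP opt-in flags discussed above. The following is an added example, not code from the iSEC report or the Tor Project; the function names are hypothetical and the sample headers are constructed for illustration.

```python
import struct

# PE DllCharacteristics bits and COFF Characteristics bit (winnt.h)
DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA = 0x0040, 0x0100, 0x0020
RELOCS_STRIPPED = 0x0001
MH_PIE = 0x200000  # Mach-O header flag (mach-o/loader.h)

def check_pe(data):
    """Return the list of hardening problems found in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (coff_chars,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    opt = e_lfanew + 4 + 20                      # start of optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    problems = []
    if not dll_chars & DYNAMIC_BASE:
        problems.append("ASLR off: DYNAMIC_BASE not set")
    elif coff_chars & RELOCS_STRIPPED:
        # Flag is set, but the loader has no relocation data to rebase with.
        problems.append("ASLR ineffective: relocations stripped")
    if not dll_chars & NX_COMPAT:
        problems.append("DEP off: NX_COMPAT not set")
    if magic == 0x20B and not dll_chars & HIGH_ENTROPY_VA:
        problems.append("64-bit image without HIGH_ENTROPY_VA")
    return problems

def check_macho(data):
    """Check a little-endian thin Mach-O main executable for MH_PIE."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (0xFEEDFACE, 0xFEEDFACF):
        raise ValueError("not a little-endian thin Mach-O")
    (flags,) = struct.unpack_from("<I", data, 24)
    return [] if flags & MH_PIE else ["ASLR off: MH_PIE not set"]

def fake_pe(coff_chars, dll_chars, magic=0x10B):
    """Constructed minimal header, just enough fields for check_pe()."""
    buf = bytearray(0x40 + 4 + 20 + 72)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 4 + 18, coff_chars)
    struct.pack_into("<H", buf, 0x40 + 24, magic)
    struct.pack_into("<H", buf, 0x40 + 24 + 70, dll_chars)
    return bytes(buf)
```

Running `check_pe(open(path, "rb").read())` over every `.exe` and `.dll` in a build output and failing the build on a non-empty result catches a toolchain change that silently drops these flags.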

The developers of the Tor Browser should also consider testing and recommending the use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which detects and neutralizes certain exploitation techniques.

Another recommendation made by iSEC is to find vulnerabilities in the Tor Browser by entering it in the Pwn2Own competition, which takes place each year alongside the CanSecWest security conference. The idea is to give Pwn2Own participants the opportunity to find flaws specific to the browser in a semi-hardened configuration. While the Tor Project is interested in the idea and encourages potential sponsors to step forward, it’s uncertain if they’ll be able to prepare for the March 2015 edition.

The list of long-term recommendations includes replacing the “jemalloc” allocator with “ctmalloc” and other partition object allocation types to make the exploitation of heap corruption vulnerabilities more difficult. The Tor Browser Bundle team should also look for ways to enhance protection against use-after-free exploits. One method would be to use the partitioning features of PartitionAlloc, which has been developed by the Chrome security team, to separate DOM objects from user-controlled buffers such as strings and arrays.


iSEC also advised Tor to closely follow the work of the Chrome security team, which is considered a source of innovation when it comes to browser security.

“Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes,” iSEC researchers noted in their report.

Perry admits that Chrome is more secure than Firefox, especially since it has a multiprocess sandboxing architecture and other hardening options.

“Unfortunately, our budget for the browser project is still very constrained compared to the amount of work that is required to provide the privacy properties we feel are important, and Firefox remains a far more cost-effective platform for us for several reasons,” Perry explained. “In particular, Firefox’s flexible extension system, fully scriptable UI, solid proxy support, and its long Extended Support Release cycle all allow us to accomplish far more with fewer resources than we could with any other web browser.”

For Chrome to become a viable option, either funding for the project must be increased considerably, or Google must agree to make some changes in certain features that are crucial for the Tor Browser, Perry said.

In July, Tor Project representatives warned of an attack attempting to deanonymize users. Fortunately, the attack appeared to have been carried out by a group of researchers who were planning to hold a presentation on cracking Tor at the Black Hat security conference in Las Vegas. The talk was cancelled, but the experts had tested their methods in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
