Over the past couple of years, the Tor browser has started to show cracks in its armor as some hackers and law enforcement agencies have learned the identities of people using the anonymous browsing tool, mainly by exploiting vulnerabilities in the Firefox browser on which it is based. Firefox creator Mozilla has taken six years to bring even partial sandboxing to its browser, so Tor developers have built their own sandboxing (isolation from other processes) into their software. An alpha version of the more secure Tor browser is now available on Linux.
Firefox’s Security Failures
The Tor Project picked Firefox because it was the only major open source browser at the time that also had a strong focus on privacy. The team later considered Chromium as a replacement for the Firefox code base, because Chromium had per-process sandboxing and a bigger security team behind it, but some missing APIs needed to preserve anonymity, together with a lack of trust in Google, led Tor's developers to stick with Firefox.
Yet it's becoming clear that Firefox lacks the security architecture needed to serve as Tor's base. Mozilla has been working since 2010 to bring a sandboxing architecture similar to Chromium's to Firefox, but the best the organization has managed so far is to split the content (tabs) and the UI into two separate isolated processes. The organization intends to improve this over the next year, but so far it doesn't plan to enable more than five sandboxed processes. Firefox may therefore never be as secure as Chrome, which uses a per-process sandboxing model.
Perhaps Mozilla will eventually replace all of Firefox’s critical components with safer ones written in the memory-safe Rust programming language, which by itself would eliminate entire classes of memory corruption bugs. However, achieving such a goal is likely at least a few years away.
Earlier this September, a Tor developer unveiled a better sandboxed version of the Tor browser for Linux. The project splits the browser into two separate parts: a "launcher" and the browser itself. The launcher's functions include downloading and updating the Tor browser in a way that is secure and verified with cryptographic keys. The Tor browser itself runs in a container, with Linux sandboxing features such as seccomp-bpf and namespaces applied to it.
Seccomp (secure computing mode) restricts the system calls a process may make, while namespaces are isolated environments that give a process only a limited view of the operating system's files and resources. These features mitigate exploits that use vulnerabilities such as the one recently found in the Tor and Firefox browsers, which can help attackers infect computers and then discover a target's real IP address.
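To make the seccomp-bpf half of that concrete, here is an added example (not code from the Tor sandbox project) that installs a syscall allowlist the way a sandboxing launcher would: a classic BPF program that first checks the architecture, then kills the thread with SIGSYS on any syscall not on the list. The `seccomp_probe` self-check forks a child, restricts it, and reports whether a call left off the list was stopped; the 64-entry cap and the two-architecture table are this example's own assumptions.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#endif
/* Install an allowlist filter on the calling thread: any syscall not in `allowed`
 * (or made via another architecture's table) is killed with SIGSYS. 0 = ok, -1 = refused. */
int install_allowlist(const int *allowed, size_t n) {
    struct sock_filter f[64 + 6];
    size_t i = 0;
    if (n > 64) return -1;                      /* example cap: jump offsets are 8-bit */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* wrong ABI: kill */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)              /* on match, jump over the remaining checks to ALLOW */
        f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[k], (unsigned char)(n - k), 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* default: kill */
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog prog = { .len = (unsigned short)i, .filter = f };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter and stops a later
     * execve() from gaining privileges, so a filter cannot be used to confuse a setuid binary. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}
/* Self-check in a forked child: allow exit_group (and optionally getppid), then call getppid.
 * 1 = child killed by SIGSYS, 0 = call completed, -1 = filter unsupported here or fork/wait failed. */
int seccomp_probe(int allow_getppid) {
    int allowed[] = { SYS_exit_group, SYS_getppid };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                             /* child: restrict itself, then try the call */
        if (install_allowlist(allowed, allow_getppid ? 2 : 1) != 0) _exit(2);
        getppid();                              /* off the list -> SIGSYS; on it -> returns */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

A real launcher would pair such a filter with mount, PID and network namespaces so that even an allowed syscall only sees the container's view of the system.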
This version of the Tor browser is only available for Linux for two reasons: one, the project is in the early stages; and two, Windows doesn’t have the same sandboxing features as Linux. Eventually, once the Linux variant is stable enough, the developers will try to sandbox the Windows variant of the Tor browser as much as possible, too, but it’s not clear yet if it can achieve the same level of security.
Tor Sandboxing For Windows
Microsoft recently announced perhaps an even better way to secure a browser on Windows 10. The company used its Hyper-V hypervisor to create a new separate minimal Windows installation on which Edge would run within a container that would only give it access to the Windows services Edge needs to run. The container would be discarded when the user closes an untrusted page, thus wiping any malicious files that may have been downloaded within that container.
However, so far this “Application Guard” security feature was only promised for Windows 10 Enterprise, so it’s not clear whether it will even be available for Windows 10 Home and Pro users. It’s also not clear whether Microsoft will ever make this security feature available to other non-Microsoft applications.
In the meantime, Windows users who want to avoid deanonymization attacks through browser exploitation could still run the new sandboxed Tor browser in a Linux virtual machine. At that point, however, it may be worth considering Whonix, a two-VM solution specifically designed around sandboxing and securing Tor connections and the Tor browser. A simpler ad-hoc sandboxing option for Windows is running Tor inside Sandboxie, an app that creates its own filesystem to contain sandboxed files. Like other application-level solutions, though, it remains vulnerable to kernel exploits.
For now users can only compile the new sandboxed Tor browser from the source files, but the binary files should be released later this week.