cross-posted from: https://futurology.today/post/4000823

And by burned, I mean “realize they have been burning for over a year”. I’m referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn’t alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn’t seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling javascript
  3. keeping software updated

My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn’t fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn’t maintained enough for those recommendations to make a difference? Sorry for the rant, it’s just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

  • lemel@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    ·
    3 hours ago

    How do you even access Reddit from Tor? I always see the message saying that my attempt was blocked by “Network Security”.

    • nikqwxq550@futurology.todayOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 hour ago

      switch to the old.reddit.com site (onion version tends to work more often), and if that doesn’t work, switch Tor circuits (the option is under Tor Browser menu bar, I have it pinned to the top-bar for convenience)

    • nikqwxq550@futurology.todayOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      16 minutes ago

      I get what you’re saying, but at the same time if every developer released software as pre-compiled binaries on their website, installing stuff on Linux would become such a PITA. (This is different from how Windows works because apps for Windows are distributed using installers like xxx.msi, and Linux does not have a unified installation system across distros)

  • narc0tic_bird@lemm.ee
    link
    fedilink
    arrow-up
    15
    ·
    11 hours ago

    Why don’t they bundle the browser itself in the Flatpak and update it via the default Flatpak update mechanism?

  • muhyb
    link
    fedilink
    arrow-up
    18
    ·
    edit-2
    13 hours ago

    Well, for Tor Browser even AUR isn’t recommended. Just download it from official website and put it under somewhere like ~/.local/opt.

      • muhyb
        link
        fedilink
        arrow-up
        4
        ·
        4 hours ago

        There might not be problems with other packaging but the point here is to not trust anything other than the official sources for maximum privacy I believe.

    • nikqwxq550@futurology.todayOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      10 hours ago

      This seems like something that Flatpak should be able to handle though. Afaik Mullvad Browser never had this issue. Flatpaks also have numerous advantages, like automatically handling desktop shortcuts.

      • Asparagus0098@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        4 hours ago

        I’d like to add that you can setup desktop shortcuts pretty easily for Mullvad and TOR browser manual installs. For TOR browser simply run this after opening a terminal in the folder it was extracted to:

        ./start-tor-browser.desktop --register-app
        

        Same thing should work for mullvad.

        • nikqwxq550@futurology.todayOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 hour ago

          Wow nice. Still not really friendly to beginners, since this is something they would have to dig into documentation to find, but it’s good to know

      • muhyb
        link
        fedilink
        arrow-up
        1
        ·
        4 hours ago

        Normally there shouldn’t be a problem with packaging but Tor documentation recommends it like that to ensure security and authenticity. Even though it’s self-updating, they also recommend to delete and re-install it time to time, instead of just updating.

  • Vincent@feddit.nl
    link
    fedilink
    arrow-up
    2
    ·
    13 hours ago

    So… How do we do we’re running an outdated version, and what is the fix that requires manual intervention?

      • Vincent@feddit.nl
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        9 hours ago

        It was collapsed for me at first, and buried under a lot of other comments, but a workaround is mentioned here. Unfortunately, that didn’t seem to work for me, but deleting the Flatpak and deleting all associated data, and then reinstalling it, I think did the trick.

        Although it does now show this warning, which doesn’t sound great.

        Edit: actually, I think that was the reason I concluded the first workaround didn’t work, but looking at that URL, this might just have been introduced in Firefox 128, which is newer than the old version of Tor was based on. So it looks like both worked.

    • nikqwxq550@futurology.todayOP
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      10 hours ago

      This was an official Flatpak from Tor Browser, so there’s no reason why it should be less reliable than the packages from distribution maintainers. Not to mention for atomic distros, flatpaks are the official way to install software.