A bug within the advert blocking element of Courageous’s Tor characteristic brought on the browser to leak customers’ DNS queries
Courageous, one of the top-rated browsers for privacy, has mounted a bug in its Non-public Home windows with Tor characteristic that leaked the .onion URLs for web sites visited by the browser’s customers, in accordance with a report by an nameless researcher, the browser’s built-in Tor mode – which takes non-public shopping to a brand new stage by permitting customers to navigate to .onion web sites on the darkish internet with out having to put in Tor – was leaking Area Identify System (DNS) requests for the web sites.
“When you’re utilizing Courageous you most likely use it since you anticipate a sure stage of privateness/anonymity. Piping .onion requests via DNS the place your ISP or DNS supplier can see that you made a request for an .onion website defeats that function,” reads the publish.
RELATED READING: 3 ways to browse the web anonymously
Whereas testing the problem, the researcher discovered that when a request is made for a .onion area whereas utilizing Non-public Window with Tor, the request makes its method to the DNS server and is tagged with the Web Protocol (IP) handle of the requester.
“This shouldn’t occur. There isn’t any purpose for Courageous to aim to resolve a .onion area via conventional means as it could with a daily clearnet website,” unhappy the researcher. Which means whenever you use Tor with Courageous and entry a particular Tor web site, your web service supplier (ISP) or DNS supplier would be capable to inform that the request for that particular web site was produced from your IP handle.
Based on a tweet by Courageous’s Chief Data Safety Officer Yan Zhu, Courageous was already conscious of the problem because it was beforehand reported on HackerOne. It has since pushed out a hotfix to resolve the Tor DNS situation, which was traced to the browser’s adblocking element, which used a separate DNS question.
for safety researchers taking a look at Tor home windows in Courageous, notice this characteristic is introduced to customers as common non-public home windows which use a Tor proxy for improved community privateness, NOT an equal to Tor Browser by way of anonymity or leakproofing. https://t.co/xYUwsFhXbt pic.twitter.com/H6VuRYsArg
— yan (@bcrypt) February 19, 2021
The Chromium-based browser first launched the Beta of Non-public tabs with Tor in June 2018 in a bid to guard the privateness of customers not solely on their units however over the community as nicely. “Non-public Tabs with Tor assist shield Courageous customers from ISPs (Web Service Suppliers), visitor Wi-Fi suppliers, and visited websites that could be watching their Web connection and even monitoring and gathering IP addresses, a tool’s Web identifier,” reads its blog touting the brand new characteristic. In 2020 it additionally launched its own Tor Onion Service.