In association with heise online

08 November 2012, 21:14

Security issue discovered in TOR client - Update

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

TOR logo

In an analysis of the TOR source code, software developer Andrey Karpov found that the anonymisation software uses a function called memset() to delete cache data, which is not supported by all compilers. In some cases, that can cause the TOR client to leave confidential data like passwords in the system memory when it is closed.

The memset() function is problematic because it is automatically deleted when TOR is optimised for speed with a compiler like the one in Microsoft Visual Studio 2010. Once that happens, the data remains in system memory, where it can be read by malicious programs.

The TOR Project allows users to anonymise their identity by sending their traffic over a distributed network that aggregates and mixes data from many different sources, thereby preventing third parties from finding and decoding data packets.

Update (9/11/2012): The error has now been corrected by the developers. The code now uses OPENSSL_cleanse() function rather than the eliminatable memset(), though the developers are looking for faster alternatives. Since the -O2 flag was used in the Tor project's configuration files, it is possible that the issue exists in Tor binaries for Windows, Mac OS X and Linux in binaries earlier than version 2.2.39-5.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit