And by burned, I mean “realize they have been burning for over a year”. I’m referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn’t alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn’t seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling javascript
  3. keeping software updated

My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn’t fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn’t maintained enough for those recommendations to make a difference? Sorry for the rant, it’s just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

  • Leraje@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    15
    ·
    23 hours ago

    On the face of it, that is a massive own goal. TOR project surely has a fediverse account or a blog or something to announce these things. This should be common knowledge.

    • nikqwxq550@futurology.todayOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      18 hours ago

      Are you saying that this bug would have been reported there? I don’t think I ever saw it, and I honestly doubt it was ever posted there. Unless you’re talking about the browser update announcements, but I would still need to check the Help > About page of my browser to notice that it didn’t match the latest version. As mentioned in my post, the Flatpak was updating like usual, the updates just weren’t affecting the browser.

      Really, the main reason I made the post was to see if anybody else was affected, and see how other people avoided the bug. And aside from one other user, it really seems like nobody else was affected, which is surprising to me. The only reasons I can come up with are:

      1. nobody installs Tor Browser using the Flatpak
      2. everybody manually checks their browser versions
      3. everybody installed or re-installed Tor Browser within the last year

      Based on the comments I suspect #1 is the main cause. Which makes me lose trust in Flatpaks quite a bit. After all, if nobody is using them, then maintainers have less incentive to maintain them, and the worse they get.