Both Tor and Mozilla have responded to an alleged security vulnerability in the browser

Aug 5, 2013 13:41 GMT
The Tor Project is distancing itself from any content hosted on the Tor network

Over the weekend, a large number of hidden service addresses, "websites" only accessible via the Tor network, went down after the shutdown of Freedom Hosting, one of the biggest providers of such services.

The host was taken down by the US government, which was targeting a child abuse network hosted by the provider and allegedly run by Eric Eoin Marques, the owner and operator of Freedom Hosting.

Operations like these are hardly new, but this particular one had a few interesting and unique characteristics.

The feds apparently used a flaw in Firefox 17, which is the current Extended Support Release and serves as the basis of the Tor Browser Bundle, to access the Tor network.

Law enforcement agents made use of the previously undisclosed vulnerability to gather information on machines accessing the hidden sites.

This prompted both the Tor Project and Mozilla to respond. Tor was quick to, rightfully, disassociate itself from anything hosted on the network. The organization only provides the technology and has nothing to do with, and no control over, what people choose to use it for.

"In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor," the organization explained.

"The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users," it added.

Mozilla only confirmed that it was investigating reports of a vulnerability in Firefox 17. However, in the wake of the bug, Mozilla founder and JavaScript creator Brendan Eich made a very interesting suggestion, arguing that the Tor technology should simply be included in Firefox, making it possible for anyone to access the Tor network just by using the browser.