Brave browser's Tor feature found to leak .onion queries to ISPs – The Daily Swig

Posted: February 21, 2021 at 12:30 am

Jessica Haworth, 19 February 2021 at 14:27 UTC. Updated: 19 February 2021 at 21:33 UTC

Developers are issuing hotfix

UPDATED Brave, the privacy-focused web browser, is exposing users' activity on Tor's hidden servers, aka the "dark web", to their internet service providers, it has been confirmed.

Brave is shipped with a built-in feature that integrates the Tor anonymity network into the browser, providing both security and privacy features that can help obscure a user's activity on the web.

Tor is also used to access .onion websites, which are hosted on the dark net.

Earlier today (February 19), a blog post from Rambler claimed that Brave was leaking DNS requests made in the Brave browser to a user's ISP.


DNS requests are unencrypted, meaning that any requests to access .onion sites using the Tor feature in Brave can be tracked, a direct contradiction to its purpose in the first place.

The blog post reads: "Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion."

Following the disclosure, well-known security researchers including PortSwigger Web Security's James Kettle independently verified the issue using the Wireshark packet analysis tool.

"I just confirmed that yes, Brave browser's Tor mode appears to leak all the .onion addresses you visit to your DNS provider," Kettle tweeted, providing a screenshot for evidence.

Security researcher James Kettle independently verified the Brave browser privacy issue
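
A check in the spirit of the Wireshark verification described above, as an added example that is not from the article, the researchers or Brave: it parses raw DNS query payloads and reports any name under .onion, which a working Tor mode would never send to a DNS resolver. The payloads are constructed sample data and the function names are this example's own.

```python
import struct

def build_query(name, txid=0x1A2B):
    """Encode a plain DNS A query (constructed sample traffic, not a capture)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)  # type A, class IN

def question_name(msg):
    """Return the first question name of a DNS query, or None if not parseable."""
    if len(msg) < 12:
        return None
    _, flags, qdcount = struct.unpack("!3H", msg[:6])
    if flags & 0x8000 or qdcount < 1:      # skip responses and empty questions
        return None
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        pos += 1
        if length == 0:                     # root label ends the name
            return ".".join(labels)
        if length > 63 or pos + length > len(msg):  # pointer or truncated label
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None                             # ran off the end before the root label

def onion_leaks(payloads):
    """Names queried over ordinary DNS whose top-level label is 'onion'."""
    names = (question_name(p) for p in payloads)
    return [n for n in names if n and n.lower().split(".")[-1] == "onion"]

# Constructed UDP/53 payloads, as they would be pulled from a packet capture.
SAMPLE = [
    build_query("example.com"),
    build_query("somesketchyonionsite.onion"),   # hostname quoted in the article
    build_query("Constructed-Sample.ONION"),     # match is case-insensitive
    build_query("onion.example.com"),            # 'onion' is not the TLD here
    build_query("truncated.onion")[:20],         # cut-off packet is ignored
]

if __name__ == "__main__":
    for name in onion_leaks(SAMPLE):
        print("leaked over plain DNS:", name)
```
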

Considering that the Tor Browser was specifically built to hide a user's internet browsing from their ISP, the news has provoked a vociferous response online.

"Privacy my ass," wrote Twitter user @s_y_m_f_m, while others called the findings "appalling".

The issue has been present in the stable release since November 2020, and was reported in mid January, a Brave developer told The Daily Swig.


Since the time of publication, a Brave developer has confirmed that the browser will be releasing a hotfix for the issue.

The issue is already fixed in nightly, the development build of the browser. The developer, @bcrypt on Twitter, wrote: "Since it's now public we're uplifting the fix to a stable hotfix.

"Root cause is regression from cname-based adblocking which used a separate DNS query."

The Daily Swig has reached out to Brave for comment, and will update this article accordingly.

This article has been updated to include the information that a hotfix is being issued. An earlier version stated that the issue has been present since 2019; this has been corrected to 2020.
