this post was submitted on 15 Mar 2025
89 points (94.9% liked)

Linux

51821 readers
871 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

cross-posted from: https://futurology.today/post/4000823

And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling javascript
  3. keeping software updated

My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

you are viewing a single comment's thread
view the rest of the comments
[–] Vincent@feddit.nl 2 points 23 hours ago (4 children)

So... How do we do we're running an outdated version, and what is the fix that requires manual intervention?

[–] nikqwxq550@futurology.today 7 points 20 hours ago* (last edited 20 hours ago) (1 children)

You can check the Tor Project blog to figure out the latest release, and go to your Tor Browser's menu > Help > About Tor Browser to see if it matches. It should be version 14.0.7. If it is not, the fix is detailed in the Github issue I linked in the post

[–] Vincent@feddit.nl 3 points 19 hours ago* (last edited 18 hours ago) (1 children)

It was collapsed for me at first, and buried under a lot of other comments, but a workaround is mentioned here. Unfortunately, that didn't seem to work for me, but deleting the Flatpak and deleting all associated data, and then reinstalling it, I think did the trick.

Although it does now show this warning, which doesn't sound great.

Edit: actually, I think that was the reason I concluded the first workaround didn't work, but looking at that URL, this might just have been introduced in Firefox 128, which is newer than the old version of Tor was based on. So it looks like both worked.

[–] nikqwxq550@futurology.today 1 points 10 hours ago (1 children)

You are right I should have linked directly to the workaround, sorry. Glad you got it sorted out though.

[–] Vincent@feddit.nl 1 points 29 minutes ago

No worries, thanks again!

load more comments (2 replies)