A new court filing made by Mozilla asks the FBI to responsibly disclose the Tor vulnerability used in a criminal...
The FBI had originally refused to disclose the Tor vulnerability it used to de-anonymize Tor users when investigating a child pornography site on the Deep Web. The court ruled that the FBI must give the details of the exploit to the defense team of a man caught up in the investigation under a protective order, which would keep the details secret. Jay Michaud of Vancouver, Wash., was charged with possession of child pornography, but his attorneys successfully argued that they should be allowed to examine the malware used by the FBI. Rather than complying, the FBI has asked the judge to reconsider the order.
Meanwhile, a new Mozilla filing asks that the FBI follow best practices for responsible disclosure and detail the Tor vulnerability at least 14 days before submitting the details to Michaud's defense team.
Denelle Dixon-Thayer, chief legal and business officer at Mozilla, said in a blog post that the aim of requesting responsible disclosure is to protect "the hundreds of millions of users who could benefit from timely disclosure" because the Tor browser is partially based on Mozilla's Firefox browser and "the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor browser."
"Court-ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community," Dixon-Thayer wrote. "In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly."
The FBI went so far last month as to ask a judge to reconsider the order to disclose the Tor vulnerability used in the case. If the order to disclose is allowed to stand, the government may have to choose between dropping the case or revealing the technique.
Günter Ollmann, chief security officer at Vectra Networks, noted that while Mozilla would like advance disclosure, "precedents exist in this community, which means the FBI has no legal or ethical commitment to do so."
"The [responsible disclosure] guidelines do not cover when a discoverer of a vulnerability should inform a vendor -- or whether they need to," Ollmann told SearchSecurity. "In general, the community assumes that the discoverer of the vulnerability 'owns' that knowledge and is free to do with it what they wish -- as many commercial bug hunting companies provide valuable services to law enforcement agencies around the world, weaponizing exploits for the vulnerabilities they researched and uncovered, and selling them as a core part of their services. Purchasers of the exploits are generally legally bound to not disclose the vulnerability to any other third party or software vendor."
Dan Mathews, director of sales engineering at Lastline, said the precedent set in this case could be dangerous to the public.
"The problem is that the tools and skills required to discover vulnerabilities in commonly used applications are no longer only in the hands of well-funded nation-states," Mathews said. "For this reason, it is in the public interest for 'responsible governments' to responsibly disclose all software vulnerabilities they find."
Ollmann said there is a danger that the Tor vulnerability used by the FBI in this case could be exploited by criminals "to install malware and botnet agents on the victim's machine to steal data and launch other attacks around the world."
"Oftentimes, law enforcement agencies are using exploits supplied by third-party vendors -- and therefore have no ownership or legal rights to disclose the licensed intellectual property," Ollmann said. "In addition, the longer the bug remains unfixed, the longer the FBI can exploit the flaw for conducting legal interception activities against other targeted groups."
Site editor Peter Loshin contributed to this article.