Was anybody else just burned by the Tor Browser flatpak?
-
And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.
To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.
This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:
- using Tor Browser
- disabling javascript
- keeping software updated
My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.
How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.
Flatpaks have always been really buggy for me. Most of them require at least some amount of tinkering in flatseal to get them running properly, others require some amount of specialized care. I find if you need something running properly and cannot afford hidden bugs then it's best to try to get something made for your distro if possible.
-
Not to mention:
- better isolation between apps, no dependency conflicts
- ability to rollback to previous versions
- easily set environment variables and other launch options persistently
- transactional updates so if something weird happens during an update, the flatpak won't be left in a corrupted state
- ability to rollback to previous versions
I think
apthandles this, as well, no?All the other reasons are very valid, though!
Especially the transactional updates! -
And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.
To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.
This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:
- using Tor Browser
- disabling javascript
- keeping software updated
My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.
How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.
On the face of it, that is a massive own goal. TOR project surely has a fediverse account or a blog or something to announce these things. This should be common knowledge.
-
I don't understand the hate for flatpak. I wouldn't even be on Linux if it wasn't for flatpaks. I tried to switch many times over the years and it was such a PITA. With flatpaks I made the switch about a year ago and it finally stuck. Even got my wife to switch.
There are quite a few reasons to avoid flatpaks tbh.
-
You have no control over the dependencies. A flatpack can include a very old dependency and there is nothing you can do about it. You are at the mercy of the developer.
-
Many Flatpak applications available on flathub. Do not rely on the provided process isolation without first reviewing the related flatpak permission manifest for common sandbox escape issues.
-
Running untrusted code is never safe; sandboxing cannot change this. It can be a false sense of security.
-
It is generally not a good idea to run unattended updates via systemd, as the applications can get new permissions without the user aware of the changes. See this blogpost for examples
-
Flatpak does not run on the linux-hardened kernel unless you do additional kernel modifications that could have negative security implications.
-
-
On the face of it, that is a massive own goal. TOR project surely has a fediverse account or a blog or something to announce these things. This should be common knowledge.
Are you saying that this bug would have been reported there? I don't think I ever saw it, and I honestly doubt it was ever posted there. Unless you're talking about the browser update announcements, but I would still need to check the Help > About page of my browser to notice that it didn't match the latest version. As mentioned in my post, the Flatpak was updating like usual, the updates just weren't affecting the browser.
Really, the main reason I made the post was to see if anybody else was affected, and see how other people avoided the bug. And aside from one other user, it really seems like nobody else was affected, which is surprising to me. The only reasons I can come up with are:
- nobody installs Tor Browser using the Flatpak
- everybody manually checks their browser versions
- everybody installed or re-installed Tor Browser within the last year
Based on the comments I suspect #1 is the main cause. Which makes me lose trust in Flatpaks quite a bit. After all, if nobody is using them, then maintainers have less incentive to maintain them, and the worse they get.
-
- ability to rollback to previous versions
I think
apthandles this, as well, no?All the other reasons are very valid, though!
Especially the transactional updates!Technically rollbacks are possible using regular packages, but in practice multiple packages will share dependencies and prevent you from downgrading just one of them. This is why it's important that Flatpaks isolate dependencies between apps.
-
It has been fixed for a while for new installs, bit I agree, there should have been some kind of notification, that manual intervention is required. It was even mentioned in the bug report, so I don’t know why the dev neglected to implement the notification
It sounds as though you were aware of this bug already. How did you find out? Did you notice it yourself or was there a notification somewhere?
-
Flatpaks have always been really buggy for me. Most of them require at least some amount of tinkering in flatseal to get them running properly, others require some amount of specialized care. I find if you need something running properly and cannot afford hidden bugs then it's best to try to get something made for your distro if possible.
I've had the opposite experience, and started using Flatpaks after running into dependency conflicts once or twice when updating my system. Though I admit I've run into bugs with Flatpaks as well, just nothing as painful as a dependency conflict.
-
I've had the opposite experience, and started using Flatpaks after running into dependency conflicts once or twice when updating my system. Though I admit I've run into bugs with Flatpaks as well, just nothing as painful as a dependency conflict.
Probably depends on distro i guess. I use manjaro and all the official packages are really clean on my system, but as soon as an aur package fails to build then the pain begins.
-
Are you saying that this bug would have been reported there? I don't think I ever saw it, and I honestly doubt it was ever posted there. Unless you're talking about the browser update announcements, but I would still need to check the Help > About page of my browser to notice that it didn't match the latest version. As mentioned in my post, the Flatpak was updating like usual, the updates just weren't affecting the browser.
Really, the main reason I made the post was to see if anybody else was affected, and see how other people avoided the bug. And aside from one other user, it really seems like nobody else was affected, which is surprising to me. The only reasons I can come up with are:
- nobody installs Tor Browser using the Flatpak
- everybody manually checks their browser versions
- everybody installed or re-installed Tor Browser within the last year
Based on the comments I suspect #1 is the main cause. Which makes me lose trust in Flatpaks quite a bit. After all, if nobody is using them, then maintainers have less incentive to maintain them, and the worse they get.
No, no, I'm saying it should have been reported there and I don't get why they didn't share it.
-
No, no, I'm saying it should have been reported there and I don't get why they didn't share it.
Ah my mistake, yes a social media post or blog post from them would have been nice
-
There are quite a few reasons to avoid flatpaks tbh.
-
You have no control over the dependencies. A flatpack can include a very old dependency and there is nothing you can do about it. You are at the mercy of the developer.
-
Many Flatpak applications available on flathub. Do not rely on the provided process isolation without first reviewing the related flatpak permission manifest for common sandbox escape issues.
-
Running untrusted code is never safe; sandboxing cannot change this. It can be a false sense of security.
-
It is generally not a good idea to run unattended updates via systemd, as the applications can get new permissions without the user aware of the changes. See this blogpost for examples
-
Flatpak does not run on the linux-hardened kernel unless you do additional kernel modifications that could have negative security implications.
Sure, but I came from Windows. Is the security situation better over there? Flatpaks just work. I only install verified flatpaks, and I remove most permissions with flatseal before even launching it.
-
-
Sure, but I came from Windows. Is the security situation better over there? Flatpaks just work. I only install verified flatpaks, and I remove most permissions with flatseal before even launching it.
If your distro doesn't work unless you use Flatpaks, then stick to flatpaks ig
-
It sounds as though you were aware of this bug already. How did you find out? Did you notice it yourself or was there a notification somewhere?
Ah sry, i just read through the bug report to get a grasp of the timeline.
-
Technically rollbacks are possible using regular packages, but in practice multiple packages will share dependencies and prevent you from downgrading just one of them. This is why it's important that Flatpaks isolate dependencies between apps.
Thanks for the clear explanation!
-
There are quite a few reasons to avoid flatpaks tbh.
-
You have no control over the dependencies. A flatpack can include a very old dependency and there is nothing you can do about it. You are at the mercy of the developer.
-
Many Flatpak applications available on flathub. Do not rely on the provided process isolation without first reviewing the related flatpak permission manifest for common sandbox escape issues.
-
Running untrusted code is never safe; sandboxing cannot change this. It can be a false sense of security.
-
It is generally not a good idea to run unattended updates via systemd, as the applications can get new permissions without the user aware of the changes. See this blogpost for examples
-
Flatpak does not run on the linux-hardened kernel unless you do additional kernel modifications that could have negative security implications.
Most of those points are true for non flatpak things as well though.
-
-
Most of those points are true for non flatpak things as well though.
Care to explain?
-
Care to explain?
Non flatpak things aren't sandboxed either.
-
And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.
To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.
This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:
- using Tor Browser
- disabling javascript
- keeping software updated
My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.
How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.
I downloaded the tor browser binary which runs standalone. Why does it need to be a flatpak?
-
Non flatpak things aren't sandboxed either.
Not entirely true. There is other sandbox software out there (such as firejail, distrobox, docker, bubblejail, any VM products, etc) although they should also be cautious about claiming to be more secure. Flatpak, however, is not considered a sandbox by some.
