Summary of "The Tor Project is Ignoring These Issues"

The video critically analyzes several ongoing security and privacy issues within the Tor Project, focusing on both the Tor Browser and the Tor network. Key points include:

Main Technological Issues and Product Features

  1. Security Slider Bug in Tor Browser
    • The Tor Browser’s security slider, designed to increase user security by disabling JavaScript at higher settings, has a long-standing bug: users must restart the browser after changing the slider to fully disable JavaScript.
    • Although recent versions have partially mitigated this by prompting an automatic restart, users as recently as version 14.0.8 remained vulnerable while believing they were fully protected.
  2. BGP Hijacking Vulnerability in the Tor Network
    • The route selection algorithm in the Tor network does not account for Border Gateway Protocol (BGP) hijacking risks, exposing users to potential IP address deanonymization.
    • BGP, an old internet routing protocol without built-in authentication, can be exploited by attackers who announce false IP ownership, redirecting traffic to themselves.
    • The Tor network currently prioritizes speed, favoring nodes in data centers (tier 3 providers) that are more vulnerable to BGP hijacking.
    • Research papers from Princeton (RAPTOR and Counter-RAPTOR) published in 2015 and 2017 proposed fixes and source code to mitigate this risk, but the Tor Project has not implemented these solutions, instead relying on slow adoption of external route verification protocols like RPKI.
  3. Removal of HTTP Header User-Agent Spoofing
    • The Tor Browser previously allowed spoofing the HTTP user-agent header to mask the operating system (OS) from websites, enhancing anonymity. This feature has been completely removed in recent versions.
    • This removal was motivated by compatibility issues with some websites that break if the HTTP header user-agent mismatches the JavaScript navigator user-agent.
    • Without spoofing, Linux users (who are a minority among Tor users but often require the highest privacy, e.g., Tails OS, Qubes OS users) are more easily fingerprinted and could be singled out in server logs, increasing risk of identification by adversaries.
    • The video demonstrates how older versions spoofed Windows OS by default, while newer versions reveal the real OS, harming privacy for Linux users.
    • Tor Project’s May 2025 update claims OS spoofing is “here to stay” in a harmonized form across JavaScript and HTTP headers, but this effectively means no spoofing for the safest settings, fragmenting user anonymity.
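
How the RPKI route origin validation mentioned under item 2 classifies a BGP announcement, and why it matters for a relay's prefix. This is an added example, not code from the video, the Princeton papers or the Tor Project; it follows the RFC 6811 rules, and the ROAs, ASNs, announcements and relay address are constructed placeholders from documentation ranges.

```python
import ipaddress

# Constructed ROAs (documentation prefixes, private-use ASNs): prefix, maxLength, origin AS.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64502),
]

def validate(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        if route.prefixlen <= max_len and origin_as == roa_as and roa_as != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def route_for(ip, announcements, drop_invalid):
    """Longest-prefix match for ip over (prefix, origin_as) announcements.
    With drop_invalid=True the router discards RPKI-invalid routes first."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, origin_as in announcements:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if drop_invalid and validate(prefix, origin_as) == "invalid":
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, origin_as)
    return None if best is None else (str(best[0]), best[1])

# Constructed routing table: the legitimate /24 plus an unauthorised more-specific /25.
ANNOUNCEMENTS = [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64511)]
RELAY_IP = "192.0.2.200"  # hypothetical relay address inside the covered prefix

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(prefix, asn))
    print("no ROV:", route_for(RELAY_IP, ANNOUNCEMENTS, drop_invalid=False))
    print("ROV:   ", route_for(RELAY_IP, ANNOUNCEMENTS, drop_invalid=True))
```

A prefix with no ROA at all comes back as not-found rather than invalid, so validation protects only address space whose holder has published ROAs and only on paths through networks that enforce it.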

Analysis and Recommendations

Summary of Guides or Tutorials

Main Speakers / Sources

In essence, the video argues that the Tor Project is neglecting critical security flaws and removing important privacy features, diminishing protections for its most security-conscious users, especially Linux users and those vulnerable to network-level attacks.

Category: Technology

