Recently, an exploit in TOR helped the FBI take down the largest known child porn site, a takedown that resulted in at least 1,500 arrests. Mozilla, the company whose code the majority of TOR’s code is based on, requested that the FBI release the exploit that allowed them to install tracking software on the computers that were used by the offenders. Mozilla had good cause: they wanted to patch the exploit, which leaves TOR users vulnerable to spying eyes, and avoiding those eyes is the majority of the use for TOR.
Washington US District Judge Robert Bryan accepted the request, but since the exploit was used in taking down child porn, the Justice Department quickly convinced the judge that it was a matter of national security and the decision was quickly reversed.
A government lawyer wrote a response to the filing that makes an attempt at explaining their reasoning.
“The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI’s National Security Information Classification Guide.”
Motherboard notes that the FBI originally wanted to classify their reasons for not releasing the exploit instead of classifying the exploit itself. The FBI has since changed this, and the amended filing is awaiting a signature from the FBI Original Classification Authority, at which point the exploit will likely be hidden for good. Some individuals with experience in this field believe there is a chance that classifying the exploits as a national security concern is not a very good excuse, but it’s a gamble. Engadget notes that the Department of Justice has a habit of incorrectly classifying documents that don’t need to be classified. Even the DOJ’s Inspector General reported in 2013 on several documents where “unclassified information was inappropriately identified as being classified.”
If the exploit disappears for good, this poses a serious security concern for both Mozilla and users of TOR. Without knowing what the exploit is, Mozilla has no way to patch it, and we have no way of knowing if we are safe or not.