Bonum Certa Men Certa

Tor Browser Fails to Disable Dangerous Google Formats

posted by Roy Schestowitz on Oct 07, 2023

Software Update

Reprinted with permission from Ryan Farmer.

Tor Browser Enables WebP and AVIF by Default, In All Safety Modes.

Tor Browser is based on Mozilla Firefox, and as such inherits almost all of the same vulnerabilities, especially in the default Safety Slider mode, where nearly everything from Mozilla Firefox that can be used to attack your computer is enabled by default.

This mode is only appropriate to browse the Web if your safety isn’t really that important, and in which case, the only reason to use Tor Browser at all would be a censorship firewall or something.

When you turn the Safety Slider to Safer or Safest, it starts de-activating active content, such as certain fonts, video codecs, JavaScript, and WASMs.

However, even on the Safest setting, where almost all of this is disabled and you can pretty much only view static sites, such as the ones that people are _supposed_ to put on the deep and dark Web, Google’s WebP and AVIF image formats are still enabled.

As we saw about a month ago where all major browsers had the exact same zero-click-get-pwned bug and it turned out that the libwebp code is overly complex to the point of being nearly impossible to properly debug, and uniformly implements the same defects due to Google’s “throw code over the wall and fail to properly document how you would make a new implementation if you wanted to (a force of habit), and the stupid library being in all sorts of things that will take months or years to get patched, if they ever all do, we saw what a big mess the proliferation of substandard standards can really bring about.

Fortunately, Mozilla-based browsers (Firefox, SeaMonkey, Pale Moon, Waterfox, Floorp, LibreWolf, GNU IceCat, Tor Browser, and maybe others) allow you to disable WebP and AVIF in about:config.

Just search for image.webp.enabled and image.avif.enabled and double-click both of them to “false”.

You may end up with broken images on some sites. It’s up to you whether to do this.

“And now for a really bad lip reading of LKML and some AMD and Microsoft spam, with lotsa ads. Subscribe to PREMIUM Moronix!”

“Microsoft Larabel” at “Moronix” (Phoronix) pushed out WebP for everything except his benchmarks, which are still in SVG format.

Then he also failed to write anything about the WebP disaster. Hmmm. LOL

Possibly just too busy playing with the large shipment of free processors from AMD, and writing more spam and garbage promoting Windows, while he tells you to turn off your ad blocker so he won’t starve? 😉

But I would say that having all of this attack surface around so you can see images on “Moronix” and a couple of other pointless sites is too much, so off it goes, alongside my other browser lockdowns.

Reliable sources have informed this author that WebP and AVIF are “illegal” image formats in Discord, which means that they actually did make a good technical decision there. If you upload them, it rejects them immediately and won’t show them to anyone in the room, even if you use their Electron-based “app”.

WebP and AVIF are basically an outsourcing issue.

Site owners push WebP on you to save 0.1% of some bloated Web App, and then it’s your computer that has to expend extra resources for them to save 3 KB.

Honestly, most Web images are trash, but over 99.8% of them are still JPEG, PNG, and GIF.

At this point, there’s just the occasional nasty site like Reddit or Moronix that pushes some on you, in my observation, and there are ways to provoke Reddit to always hand you a real JPEG instead of Google’s nuisance format.

WebP is an extremely unfortunate situation. You couldn’t design an image format to have zero days that are almost impossible to find better than WebP or AVIF if you tried.

My guess is, the FBI and other agencies who want to unmask Tor users or put malicious software on their machines, are almost certainly looking through these (mainly) Google codecs looking for bugs and sitting on them. That these image codecs are at least part of a chain in a watering hole attack site set up as Tor hidden services.

The browser vendors like Mozilla and Google are working hard, very hard, to make sure that you can never break the chain. (To borrow something from Fleetwood Mac.)

If they put in lousy stinking feature full of bugs “A”, then you, the user, may just flip it back off.

If they put in A, B, C, D, E, F, G, and you don’t turn any of them off, there’s all kinds of potential.

If you turn off A, D, and part of F, they can still attack you.

You need to get this thing down to the rafters and take away as much of their useful attack surface as possible.

In fact, in the case of these newer Google image formats I would say if you are using Tor and something wouldn’t load because it was a WebP, you’ve most likely stumbled into a watering hole. They can bait you in, feed this thing garbage, and as soon as the page loads, it’s too late.

To infect iPhones and Androids with Pegasus malware, all you had to do was look at an incoming text message.

“When I look at this, what the Pegasus Project has revealed is a sector where the only product are infection vectors, right? They don’t—they’re not security products. They’re not providing any kind of protection, any kind of prophylactic.”

“They don’t make vaccines. The only thing they sell is the virus.”

-Edward Snowden

Almost nobody is going to legitimately upload a WebP because nothing shoots to WebP, and almost no user has any idea what they are, unless they come across some bullshit Reddit transcode job that looks like smudgy crap. Then they’re usually posting to forums trying to figure out how to “trick” the server into sending a real JPEG, or resort to converting it back themselves.

As far as I’m concerned, probably the only reason Google threw these things on the Web is for agencies to write more attack code, as these agencies and their contractors are always hoarding more “Nobody But Us” vulnerabilities to weaponize, instead of turning them over to be fixed.

They only ever stand to benefit from complexity and bloat, even if the aim of a vendor was not malicious.

In the past, the agencies have relied on social engineering, like telling people to install Flash or Java, or to download malicious executables and run them, or malformed video files. They’ve also lured away Tor developers and paid them as consultants to tell them how to attack it.

Who needs that anymore? If Google shits something out, Mozilla gobbles it up, and the next time Tor swallows a Firefox ESR, you’ve got another “mole” in Tor Browser.

That’s really the big bonus in making these huge browsers full of redundant and ill-advised garbage and making them impossible to fix. The agencies can attack pretty much anyone at-will now, on the Web or otherwise.

This problem gets worse all the time, while security posers, like a carnival barker, tell us the issue is not bloated coding horrors, but that we need locked down computers that attack the user. It’s a misdirection.

Other Recent Techrights' Posts

WebProNews is a Slopfarm
Please avoid linking to WebProNews
Another "Told You So!": XBox Mass Layoffs at Microsoft (Many Recent Reports Were Chaff and Spin), Many Other Divisions Affected
With mass layoffs at Microsoft the world would be much better
When the Microsoft Aggressors Rely on Several Law Firms ('Attack Dogs', 'Guns for Hire'), Not Just One, Lawyering Up Against Techrights (Acting on Behalf of Americans Against UK Publishers)
From serving customers at some restaurant he has moved on to bullying people with demand letters
Polygamy, from Catholic Synod on Synodality to Social Control Media & Debian CyberPolygamy
Reprinted with permission from Daniel Pocock
 
Wayland is Perfect, Nobody Can Escape Its Perfection! (Or Not)
Do not form on opinion on Wayland based on politics
What is "MATA"?
Think of it as GAFAM or "Meta"
Moral Duty for "Linux Sites" to Speak Out Against LLM Slop
My wife has long complained about "Linux bloggers" keeping quiet and thus passive about a growing problem: slop
In Recent Hours Google News Promoted at Least 3 Slopfarms That Relayed Linux Foundation Propaganda Made by Bots or LLM "Bullshit Generators" (as Dr. Stallman Dubbed Them)
Google is circling down the drain and Google News too is hopeless
Linux Journal is a Slopfarm, It's Experimenting With LLM 'Authors'
Is Slashdot next?
Microsoft LinkedIn is Dying and Many More Layoffs Are on the Way
LinkedIn is just a failed acquisition of Microsoft. It causes losses and debt.
Gemini Links 25/06/2025: Combinatorial Music and Self Hosting
Links for the day
Richard Stallman Coming Back to Europe This Autumn to Give More Talks
His last talk in Europe attracted about 400-450 people
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 24, 2025
IRC logs for Tuesday, June 24, 2025
Social Control Media, Technology & Catholicism: Synod on Synodality review and feedback
Reprinted with permission from Daniel Pocock
How Many More Women Will Managers at Microsoft Strangle and Tell to Kill Themselves (or Try to Kill)?
The world needs to know what happened
The New BetaNews: 7 New 'Articles', All of Them LLM Slop
BetaNews is basically defunct. Nobody writes there anymore.
statCounter Estimates Only 1 in 300 Iranians Would Use Microsoft for Search
Iranians don't quite trust Microsoft
Gemini Links 24/06/2025: ftpd on FreeBSD and Online Small Web Magazine
Links for the day
Google News Does Great Harm by Promoting Slopfarms as Legitimate News Sites
Slopfarms are sites which are 100% LLM slop
Links 24/06/2025: Trouble at "Open" "AI" and ‘Siarhei is Free’
Links for the day
Gemini Links 24/06/2025: Stimulants and Subscription Costs for DRM
Links for the day
Links 24/06/2025: OpenAI [sic] May Soon Die (Too Much Debt) and Social Control Media Accused of Being Misinformation/Disinformation/Propaganda Amplifier
Links for the day
Nirbheek Chauhan in Planet GNOME Explains Why Wayland Pushers Are Losing
"A strange game. The only winning move is not to play."
Only a Third of or 1 in 3 Web-Connected Devices is a Desktop or Laptop, According to statCounter
we can expect Android to widen its lead
The Days Are Getting Shorter, the First Half of 2025 is Almost Over
We're gratified to see significant increase in traffic and also positive feedback on the work we do
Turning GNU/Linux Into a Political Football
X (not the site) is Free software
X Server Still Works for Many People
A lot of people will grow suspicious of Wayland boosters/pushers if they persist and insist on using these tactics
Exactly a Week Ago "BetaNews Staff" Said "Betanews Is Growing Alongside You". Since Then Every Article (All by "Camila Nogueira") Has Been LLM Slop.
BetaNews is basically a slopfarm
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 23, 2025
IRC logs for Monday, June 23, 2025
The "Tarzan Effect" in Compilers and Software
What happens when you forcibly make things 'work', either by hacks or by disregarding warnings (like those that compilers tend to issue)?
Gemini Links 23/06/2025: Mass Tourism, Hair Love, and Google Gemini as a Googlebomb
Links for the day
Law Firm Burgess Mee Does Not Fully Deny Participating in Abusive Litigation for Serial Strangler From Microsoft
I am not unfamiliar with these tactics
The Modus Operandi of Wayland Pushers: Make It Political
do what I say or you're a nazi...
Links 23/06/2025: RFE/RL Contributor Vladyslav Yesypenko Released, Recording Industry Cutbacks
Links for the day
Brett Wilson LLP Solicitors (M): Over 99.9% of Our E-mail is Self-Marketing, We Send You 3.5MB E-mails for Less Than 1KB of Text
Why would tech people entrust legal matters to such people?
Peter Moon's (Computerworld) Interview With Richard Stallman
Stallman: If you want freedom don't follow Linus Torvalds
At What Point Does Outsourcing Constitute Malpractice?
Brett Wilson LLP's new staff page is misleading
United Arab Emirates (UAE) Sailing to GNU/Linux, According to statCounter
countries in that region will quickly learn the price of neglecting digital sovereignty
From Do Your Own Research to Do Your Own Search
The Web is full of garbage; search engines amplify this garbage
More People Moving to Geminispace?
at age 6+ Gemini Protocol seems to have gained some maturity and it seems like more people use it
Permutation in LLMs Does, Inevitably, Change Meanings and Therefore LLMs Cannot Properly Rephrase or Summarise Texts
LLMs lack actual grasp or comprehension of what they spew out
Links 23/06/2025: Many Security Breaches, Population Declines
Links for the day
Gemini Links 23/06/2025: "America at the Crossroads" and OpenWRT Surgery
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, June 22, 2025
IRC logs for Sunday, June 22, 2025
Pure Dove
Different means different, and sometimes those who "deviate" from "the norm" have a point
Censorship is a Sign of Weakness Which Invites More Censorship Attempts
revolutionaries don't succumb to pressure from bullies
Why It's Unlikely That LLM Slop Will Dominate the Web in the Long Run
Slopfarms will eventually perish (they have no actual value) and "survivors" on the Web will be sites that never depended on search engines and social control media
GNU/Linux in Argentina Now Measured Near 5%
Like in central Europe, they must be seeing an increasingly hostile US
BetaNews is Fake News, Composed by LLM Slop
nothing in BetaNews is written by humans anymore