CVE-2023-33982

Vulnerability

The Bramble Handshake Protocol (BHP) in Briar before version 1.5.3 does not provide forward secrecy [1]. This means that if an attacker later compromises both communicating accounts (i.e., obtains their long-term private keys), they can decrypt previously recorded network traffic between those two accounts. The vulnerability affects all versions prior to 1.5.3. BHP runs over an encrypted session that uses the Tor hidden service protocol, making practical eavesdropping difficult [1].

Exploitation

To exploit, an attacker must first record the encrypted network traffic between two Briar users during a BHP session. Later, the attacker must compromise both accounts (obtain their long-term private keys), for example by physically accessing devices or exploiting other vulnerabilities. With both private keys, the attacker can derive the session keys and decrypt the previously captured traffic [1]. The attack does not require active interference during the original session, only passive eavesdropping and subsequent key compromise.

Impact

Successful exploitation leads to a loss of confidentiality: an attacker can recover the plaintext content of past communications between two compromised Briar users. There is no impact on integrity or availability. The disclosed information could include private messages, blog posts, forum posts, and group conversations. However, the practical impact is limited because the traffic is already encrypted under Tor, and decryption requires compromising both accounts after the session [1].

Mitigation

Users must upgrade to Briar version 1.5.3, released in May 2023, which fixes the issue [1]. No workaround is available because the flaw is in the protocol design. All users are encouraged to update as soon as possible [1]. The vulnerability is not listed on CISA KEV. Briar developers have requested an independent security audit of the protocol stack to prevent future issues [1].