During the course of this week there have been numerous reports floating around, mainly online and mainly pretty devoid of any real substance, claiming that the popular anonymous browsing solution Tor has been cracked. In fact, what these reports should have been reporting is the fact that researchers from the University of Colorado in Boulder have demonstrated that it is possible, under certain laboratory conditions, to peel away the layers of the onion and reveal the ultimate identity of the secret surfer.

Those same reporters might also have mentioned that this is nothing new, and exactly the same basic principle has been documented and publicized before, a number of years ago in fact, and yet Tor remains as secure as ever. Now don’t get me wrong, as secure as ever is not the same thing as 100% secure, but then Tor actually state right up front on the website that “it's not a good idea to rely on the current Tor network if you really need strong anonymity” and “using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol” so it’s not like they are claiming otherwise.

But that’s no reason to claim that all of a sudden Tor is less secure than it ever was, that it has been cracked, that if you use it then your online experience is owned. Yet that is exactly what seems to have been happening this past week. If those same news reporters and security analysts making the crack claims had looked beyond the headline, thought past the opportunity to push a few more AdSense viewers through their site courtesy of a controversial Slashdot or Digg posting, and actually dug (no pun intended) a little deeper before the jerking of collective knees, then they might just have discovered something rather interesting.

The Tor development team not only knew about the research and the results, but had been actively consulted by the University of Colorado researchers during the process. The research team itself was not in it for the publicity; it was updating a pretty well known attack vector from some years back, looking at where that attack was now and documenting the whole process in more detail. Funnily enough, this is the way that security applications evolve, mature and improve. The headline hunters most likely had neither the inclination nor the capability to actually read the entire paper and properly absorb the findings. Instead, all they read was “Tor is owned”. You can decide by reading the Low-Resource Routing Attacks Against Anonymous Systems paper for yourself.

As the Tor development team have stated “using Tor is relatively safe, if there were a published way to attack the network that we thought made it less safe to use, we’d tell you first.” What’s more, the same team assures me that while there is always a potential for this kind of combined bandwidth overstatement and correlation attack, none has been seen in the wild. Indeed, to be successful it would leave a fingerprint trail across the Tor directories, and those prints have just not been apparent.

Even the authors of the research paper agree that Tor is the most secure and usable privacy enhancing system generally available and have gone so far as to state that people should absolutely not stop using it. In a statement they say that they believe “the system is safe for end-users, however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let us re-iterate: concerned users should NOT stop using Tor.”

Not that the Tor development team is sitting on its laurels and being complacent about vulnerabilities, experimental, potential, low risk or otherwise. “We are currently seeking funding that should help us close these vulnerabilities in Tor. We have plans to close the bandwidth overstatement vulnerability in the coming months. In the meantime, we watch for attacks on the network, and work to be transparent in our operations.”

So how did the University of Colorado conduct its research? Well, an isolated Tor network was constructed using a total of 66 servers, within which a number of malicious servers were located. These were designed specifically to misrepresent bandwidth capacity and so draw a high proportion of routing requests, which were then linked to the path of the request using an algorithm. The researchers claim to have been able to successfully calculate the real traffic source 46% of the time using this methodology.
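To see why overstated bandwidth matters and why closing that hole is the fix, the following added example (not code from the paper or from Tor) computes the exact chance that both the entry and exit of a path land on malicious relays under bandwidth-weighted selection. Only the 66-relay total comes from the article; the number of malicious relays, every bandwidth figure, the cap and the simplified two-position model are assumptions, so the output does not reproduce the paper's 46% result.

```python
# Added illustration: entry/exit compromise under bandwidth-weighted relay selection.
# Simplified model: only the entry and exit positions are considered.
from fractions import Fraction

TOTAL_RELAYS = 66       # size of the lab network described in the article
MALICIOUS = 6           # assumption: the article only says "a number of"
HONEST_KBPS = 500       # constructed: every honest relay reports this truthfully
CLAIMED_KBPS = 10_000   # constructed: what each malicious relay advertises
TRUE_KBPS = 100         # constructed: what a malicious relay can really carry


def build_network(hostile_weight):
    """Return (is_malicious, selection_weight) tuples for the whole network."""
    honest = [(False, HONEST_KBPS)] * (TOTAL_RELAYS - MALICIOUS)
    hostile = [(True, hostile_weight)] * MALICIOUS
    return honest + hostile


def both_ends_hostile(relays):
    """Exact probability that entry and exit are both malicious when the two
    relays are drawn without replacement, weighted by the listed bandwidth."""
    total = sum(w for _, w in relays)
    prob = Fraction(0)
    for i, (bad_i, w_i) in enumerate(relays):
        if not bad_i:
            continue
        for j, (bad_j, w_j) in enumerate(relays):
            if i != j and bad_j:
                prob += Fraction(w_i, total) * Fraction(w_j, total - w_i)
    return prob


def compare_policies(cap_kbps=1_000):
    """Compromise probability when self-reported bandwidth is trusted, capped,
    or replaced by a (hypothetical) independent measurement."""
    capped = min(CLAIMED_KBPS, cap_kbps)
    return {
        "trust_advertised": both_ends_hostile(build_network(CLAIMED_KBPS)),
        "cap_advertised": both_ends_hostile(build_network(capped)),
        "use_measured": both_ends_hostile(build_network(TRUE_KBPS)),
        "uniform_choice": Fraction(MALICIOUS * (MALICIOUS - 1),
                                   TOTAL_RELAYS * (TOTAL_RELAYS - 1)),
    }


if __name__ == "__main__":
    for policy, p in compare_policies().items():
        print(f"{policy:17s} {float(p):.4f}")
```

With these constructed figures, six relays out of 66 hold both ends of about 42% of paths when their claims are trusted, against roughly 2% once the advertised value is capped and well under 1% when selection uses measured capacity.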

Tor gets its very name from the concept of The Onion Router network, where several servers process traffic across multiple routes, so cloaking the original source. So while some anonymity services rely on routing all your traffic through a single proxy router, and it is this IP address that is visible to the destination web server rather than your real one, Tor effectively adds layers of IP address skin to the onion and all of them would have to be peeled back in order to reveal your real identity.

What this new paper does confirm is that the potential remains for the most determined of agencies to uncover your online activity if they really, really wanted to. If all you are doing is trying to keep the noses of The Powers That Be out of your mundane online affairs, preventing websites that require registration from knowing who you really are (in conjunction with disposable webmail accounts) and the like then, to be honest, you have nothing to worry about beyond any moral or ethical issues involved with your actions.

Terrorists, pedophiles and pirates, on the other hand, should remain as scared of being caught as ever. Law enforcement agencies do not have to rely on sophisticated techniques such as these to track your movements, to reveal your identity. Good old fashioned legal muscle usually does the trick, and Tor servers were seized in Germany last year when it was suspected that kiddie fiddling users were distributing their wares this way.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
