Tor trouble: Anonymizing service faces vulnerability claims

Tor, a service that helps cautious Internet users stay anonymous online, is facing increased scrutiny and potentially new attacks as the global debate on surveillance and privacy escalates. A recent paper raises new concerns: Is Tor vulnerable to the likes of the National Security Agency?

A highly publicized NSA-level hack aimed at Tor users turned out, in the end, to not breach the service at all but rather the browser its users employed. Tor, which obscures Internet traffic by bouncing it between several nodes before letting it into the open, was not implicated in that hack, but that doesn't mean it's invulnerable.

Earlier this year, a paper describing a potential vulnerability in the service (PDF) was posted quietly to the Internet by its author, Aaron Johnson. He explained how a combination of secretly controlled Tor nodes and access to Internet service provider infrastructure could potentially reveal the identity of many users of the service. The FBI and NSA are always looking for a way to break Tor, and have the weight to lean on ISPs, so the threat is not necessarily just hypothetical.

The specifics of the hack are quite technical, but essentially, eavesdropping from within Tor alone or via the Internet infrastructure alone is not enough; putting the two together could let an "adversary" identify users or at least draw connections between IP addresses of interest.

A post at the official Tor blog earlier in October acknowledged the threat in theory, but also pointed out a few things overlooked or wrongly assumed in the paper — for instance, it uses mainly German Internet infrastructure to illustrate the threat, which may or may not be applicable in the U.S. or elsewhere. Nevertheless, several potential fixes were also offered, though none will be made hastily or without due consideration for the many users of Tor.

Johnson and the other authors will be presenting the paper next week at the ACS Computer and Communications Security conference in Berlin; no doubt there will be further debate among the experts then as to how much of a threat this particular issue poses. Should any serious changes be proposed to Tor or any serious vulnerabilities disclosed, we will update this story.

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.