The Tor Anonymity Network Has Been Compromised. Here Are the Details
An online anonymity software and network, Tor is arguably one of the most effective and popularly used solutions to maintain privacy and security online. It is used by web surfers from various locations worldwide. Basically, what it does is to conceal the identity of someone who accesses the internet by not revealing details on location and patterns of usage. It is a solution against network surveillance or traffic analysis. Tor directs online traffic through a free global volunteer network with over 5,000 relays.
The use of Tor makes it difficult to track online activities. These activities include the visiting of a website of page, posting of messages, exchange of instant messages, and other forms of web-based communication. Tor was even described by the National Security Agency (NSA) in a confidential appraisal as the “king of high secure, low latency Internet anonymity.”
Attack on Tor
However, just recently, the team behind the anonymity software and network discovered that Tor has been breached. They said the attack aimed at de-anonymizing the IP addresses of people operating or visiting hidden sites. They are uncertain about the extent of the possible damage on users although the Tor Project announced that they have already stopped the attack as of the 4th of July (don’t give too much meaning on the timing).
Details of the attack have been posted on the Tor Project’s official website. You can find a summary of the security advisory on this link. The attack was mainly through a group of relays that were trying to reveal Tor users. It sought to modify protocol headers to do traffic confirmation attacks.
There were actually two classes of attacks undertaken, according the Tor Project. These are traffic confirmation and a Sybil attack. A traffic confirmation attack involves an attacker controlling or observing the relays on both ends of a Tor circuit, and comparing traffic timing, volume, and other characteristics to “confirm” that the two relays are indeed on the same circuit. A Sybil attack, on the other hand, targets a reputation system. It subverts the reputation system by forging identities in peer-to-peer networks. In Tor’s specific case, the Sybil attack involved around 115 fast non-exit relays running on the IP addresses 188.8.131.52/16 or 184.108.40.206/16.
Who Attacked Tor?
Folks at the Tor Project think that the attack was undertaken by a duo of university researchers from Carnegie Mellon University who claimed early last month that they have exploited “fundamental flaws” in the web anonymizer’s design. This flaws are said to have enabled the unmasking of “dark net users.” The Tor Project did not hesitate naming these researcher “attackers” – Alexander Volynkin and Michael McCord.
Volynkin and McCord are supposed to be among the speakers at the Black Hat Conference in Las Vegas next week. Their attendance, however, was suspiciously cancelled. They are expected to divulge details about the attack or the Tor vulnerabilities they exploited. Unfortunately, they won’t be able to publicize the information at the insistence of the lawyers of Carnegie Mellon University.
The Tor Project denies any hand in cancelling Volynkin and McCord’s appearance at the Black Hat Conference. In a blog post, The Tor Project wrote that they did not ask Black or CERT for the cancellation. Rather, they are claiming that they are more interested in having the researchers appear at the conference to answer more questions. The post adds that the Tor Project is encouraging research on the Tor network but these research (the attacks in particular) should come with responsible disclosure to help in plugging holes or vulnerabilities in the Tor system and network.
The Tor Project has been asking the researchers about the attacks they previously claimed (before the July revelations). The researchers did provide some hints that allowed the Tor Project to start looking for attacks in the wild. According to Roger Dingledine, one of the Tor Project’s creators, the researchers were no longer responding to their emails lately. Dingledine feels that they have answers to their questions but are being asked or compelled to not reveal them.
The attack on Tor revealed recently is perceived to be part of the NSA’s efforts in overcoming the challenges posed by the popular anonymity network. Those who maintain high levels of anonymity online, in particular, are being actively sought. Naturally, people who try their best not to reveal their identities online could be easily suspected of doing something not so usual.