In a July 30 blog post, Tor confirmed that several entry nodes may have been run by a malicious party attempting to identify Tor users, and that the attempt appears to have been successful.
Tor is an anonymous web browser that, along with several bundled programs, helps users anonymize their internet traffic. It does this by sending the traffic through the Tor network, which is made up of nodes. Users pass their encrypted data to an entry node, which mixes it with other users' data and passes it along through intermediary nodes until it reaches the exit node. The exit node removes the last layer of encryption and sends the data out to the regular internet. This way, the entry node knows who the users are but not what they are looking at, while the exit node can see the content being requested but not who requested it.
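The split of knowledge described above (the entry relay sees who, the exit relay sees what) shown with an added Python model; this is not code from the article or from the Tor Project. It assumes a fixed three-hop circuit with constructed per-hop keys and a hash-based stream cipher standing in for the per-hop keys Tor negotiates during circuit setup.

```python
import hashlib
import json

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric layer: XOR data with a SHA-256 counter-mode keystream.
    Stands in for a real per-hop cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + label + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

# Constructed three-hop circuit: (relay name, key the client shares with that relay).
# In Tor these keys come from a per-hop handshake; fixed values keep the demo offline.
CIRCUIT = [("entry", b"constructed-key-entry"),
           ("middle", b"constructed-key-middle"),
           ("exit", b"constructed-key-exit")]

def build_onion(circuit, destination: str, payload: str) -> bytes:
    """Client side: innermost layer for the exit, outermost for the entry."""
    cell = json.dumps({"dest": destination, "data": payload}).encode()
    for name, key in reversed(circuit):
        cell = keystream_xor(key, name.encode(), cell)
    return cell

def _readable(cell: bytes) -> bool:
    """True only if the bytes parse as the client's plaintext cell."""
    try:
        return isinstance(json.loads(cell.decode()), dict)
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both derive from it
        return False

def relay(circuit, client_id: str, onion: bytes):
    """Forward the cell hop by hop and record what each relay can observe."""
    views, prev_hop, cell = {}, client_id, onion
    for name, key in circuit:
        cell = keystream_xor(key, name.encode(), cell)   # peel this relay's layer only
        views[name] = {"from": prev_hop, "readable": _readable(cell)}
        prev_hop = name
    return views, json.loads(cell.decode())   # exit hands plaintext to the destination

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.com", "GET / HTTP/1.1")
    for relay_name, view in relay(CIRCUIT, "client", onion)[0].items():
        print(relay_name, view)
```

The entry relay's view records the client as the previous hop but an unreadable cell, while the exit's view records only the middle relay as the previous hop and a readable request.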
According to the blog post, the group of entry relays appeared to be targeting users of Tor hidden services. Tor hidden services are hosted within the Tor network and are accessible only through Tor or another onion-routing browser. They are also where the infamous dark markets reside, which Bitcoin users are probably sick of hearing about.
Despite how it is often portrayed in the media, Tor has legitimate uses other than buying drugs online. There are plenty of reasons why people do not want to broadcast their browsing habits to private and public entities. There are also legitimate uses for the aforementioned hidden services: dissident journalists in countries like China, or corporate and governmental whistleblowers around the world.
Still, identifying the users of Tor hidden services would be seen as a win in the intelligence community, even though, as Pando is quick to point out, it was the CIA who created Tor in the first place.
The attack affected around 6% of Tor's entry nodes from January 31 to July 4, and users of Tor during that period may have been affected. Unfortunately, Tor has not been able to determine exactly what that means for them. It did say that the attackers were unlikely to have seen what users were looking at or which sites they accessed:
“We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic.”
But those who run hidden services do have reason for concern:
“[They] also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed [...] their protocol header modifications might have aided other attackers in deanonymizing users too.”
As you would expect, the attackers remain unknown. A university study had been under way that aimed to see whether Tor users could be deanonymized over the course of a few months. The publication of its findings was canceled after the university determined that the researcher did not have permission to present them. If that project is to blame, it is unclear why it would have targeted users of Tor's hidden services specifically.
Tor recommends that users upgrade to the newest version of the Tor Browser, which should improve security. If you would rather use an alternative, look into I2P. I2P is another privacy tool that constantly switches nodes in order to decrease the likelihood of a successful attack. It also works within the internet rather than separate from it and does not rely on a centralized address database as Tor does, which seems to fit better with the Bitcoin ethos.