How To: Is Tor Broken? How the NSA Is Working to De-Anonymize You When Browsing the Deep Web

Is Tor Broken? How the NSA Is Working to De-Anonymize You When Browsing the Deep Web

Is Tor Broken? How the NSA Is Working to De-Anonymize You When Browsing the Deep Web

Ever since the FBI took down the Silk Road and Dread Pirate Roberts last month, many questions have been raised about whether Tor still provides anonymity or not, and if it's now broken. I'll try to address that question here today succinctly from multiple angles, keeping it as simple and plain-language as possible.

The Closing of Silk Road

First, let's address the Silk Road takedown. According to published reports, the FBI relied upon good old investigative techniques to track down Dread Pirate Roberts. They gave no indication that they used a flaw in Tor to do this, but if they did and didn't tell us, it would not be the first time the FBI was disingenuous with the American public.

Even if the FBI did not use flaws in Tor to take down Silk Road, there remain questions about whether Tor still delivers the anonymity that so many have assumed it did. Let's take a look at some of the techniques that NSA is employing right now to break your anonymity on the Tor network.

The Snowden Revelations

Edward Snowden, the NSA contractor now in exile in the Russian Federation after leaking information of NSA spying on innocents across the globe, revealed some information on how NSA is cracking Tor.

Tor has always been a thorn in the NSA side as they hate anyone that can do anything without the NSA being able to spy on them. As such, they have focused significant resources to be able to open Tor to their spying.

As you know, Tor relies upon a series of volunteer Tor relays or routers to move data across the globe, similar but separate from the routers that are used on the Internet. These routers are usually individuals who lend some of their bandwidth in the interest of global privacy and anonymity. These routers only track the last IP address the packet came from and is going to and not the original source IP.

It turns out that the NSA has set up some of their own Tor routers to be able to track some of the Tor network traffic. By setting up their own Tor routers, the NSA is able to sniff some of the Tor traffic as it passes their relay/router.

Of course, this doesn't give them a peek at all Tor traffic (they would have to set up thousands of Tor routers and make certain that traffic did not access the other routers to do this), but it does give them a peek of at least some of it.

Anecdotally, this past summer, I was working at a major Department of Defense contractor near NSA headquarters at Ft. Meade and noticed that my Tor browsing speed was much faster than I usually experience in my hometown in the Rocky Mountains of the U.S. The NSA's Tor routers with dedicated bandwidth were likely why.

The Firefox Flaws

It also turns out that the NSA had been taking advantage of a zero-day vulnerability in the Firefox web browser used by Tor. NSA has been embedding cookies that tracked Tor users on the net. That flaw has been closed by the Mozilla Project, but you may still have that cookie in your browser and are being tracked by NSA.

For optimal anonymity, delete your cookies and update your Tor browser.

SSL Is Not as Secure as You Think

NSA has been working on cracking SSL encryption for some time. Tor is dependent upon SSL and its 1024-bit encryption to maintain its anonymity. Each relay only decrypts enough information to be able to send the packet to the next relay. These 1024-bit keys are rapidly becoming outdated as computing horsepower has increased.

Recognizing this, the Tor project has been moving to the far more secure elliptical curve cryptography (ECC). Unfortunately, only about one-quarter of all Tor sites have updated to the more secure elliptical curve cryptography, leaving three-quarters of Tor traffic susceptible to NSA decryption and snooping.

How Google Ads Hurt Us

Apparently, NSA has also been using advertising services like Google AdSense to be able to track Tor users. Here's how it works.

When you're using Tor and click on an ad, it places a cookie in your browser. When you use that same browser—even while not using Tor capabilities and the Tor network—the NSA can look for that cookie to identify you as a Tor user.

They can then correlate that cookie with your actual IP address that appears on every website when you're not using Tor.

Entry & Exit Points

As the NSA has access to ALL traffic on the Internet, and all Tor traffic looks different from regular Internet traffic, they can identify Tor traffic from other Internet traffic.

It has long been known that if an adversary had access to both the entry and exit points on Tor, they can determine both the user and the destination.

It goes without saying, that the NSA has access to all of this information, so if they want, they can identify you and your destination.

Conclusion

It seems clear that the absolute privacy that we assumed Tor provided us has been compromised by the NSA, but this doesn't mean that Tor is useless.

All of these techniques employed by the NSA give them a glimpse at a slice of Tor traffic, but not all of it. What it does mean, though, is that if the NSA wants to track your Tor movements on the web, they can.

It helps that if you are using the Tor browser for anonymity, use a different browser for your regular Internet navigation. Barring the fact that the NSA has targeted you for surveillance, Tor still provides some relative anonymity—but not absolute anonymity on the web—so be careful out there!

NSA image via The Hacker News, sliced onion and moldy onion via Shutterstock

5 Comments

but apart from the NSA...do you think other nations have been able to break up tor? i mean set relays for tor like the NSA did? and do you think the NSA shares information with other countries? like those in the european union..of course with britain for sure ;) but ..tell me what you know ..OTW..

thanks in advance...

Yes, to all of the above.

but with all these nations setting relays for tor to spy into traffic...in another sense too..they are making tor stronger...don't you think so...because is not like they all got a single headquarters where they work together...anyway... ;)

OTW i have a question about tor. Tor is supposed to work on ports 9050 for the tor servece and 9150 for the bundle but, when i use the tor service in the terminal by typing 'tor' and in another terminal 'netstat -tanp , i can see that tor is running on a different port (different each time particularly). Is this the port that the traffic goes through the 1st node of tor and 9050 the port that is used on my system?

Share Your Thoughts

  • Hot
  • Latest