Tor was supposed to be an anonymous means of browsing the Internet, but a study by computer science professor Sambuddho Chakravarty reveals that 81 percent of those using Tor can be de-anonymized by exploiting a technology in Cisco routers called Netflow. The ploy reveals a user's originating IP address, which is analogous to identifying someone's home address even if he or she uses a P.O. box.
By facilitating anonymity online, Tor enables people around the world to communicate securely and get around firewalls that might block certain sites in their countries. It's also the technology that facilitated the notorious Silk Road (and subsequent iterations), seeing people trade bitcoins for assorted black market paraphernalia through the mail. The nonprofit project enables freedom of the press around the world and, for at least a time, presented a means to mail-order drugs.
The Tor browser works by way of decentralization. Your Web traffic doesn't come directly to you, but instead arrives by way of a number of relays. Each relay makes it increasingly difficult to identify the traffic's ultimate destination, shielding you from being associated with it. The trade-off is one of speed for purported anonymity, but this Netflow exploit is only the latest among a few incidents that seem to be punching holes in the browser's popular conception as a bulletproof security fiend.
"That general understanding is wrong," Kevin Johnson, CEO of independent security consulting firm SecureIdeas, said. "Tor runs on top of a complex series of interconnections between apps and the underlying network. To expect that everything in that system is going to understand and respect it, it becomes very complex."
Consider Web traffic as though it were automobile traffic flowing down a highway. To assume that all Web traffic will follow Tor's anonymizing "rules" is akin to assuming that every car on the highway follows all the traffic regulations, but "as we know by looking at any news report, a number of people have accidents every day," Johnson said. "The exact same thing happens with Tor. It’s a highway system with an application that says 'go this way,' and we expect all of our apps to follow those signs."
Johnson says that Cisco's Netflow, which sits at the heart of the exploit that can de-anonymize these Tor users, is comparable to the Department of Transportation's analytics on a given stretch of road. Instead of identifying the types of traffic -- 15 percent motorcycles, 25 percent sedans, 40 percent semi trucks, and so on --Netflow can break down Internet traffic into its various types, say 50 percent email, 35 percent Web traffic, and the remainder being Tor. Chakravarty's technique for exploiting Netflow works by injecting a repeating traffic pattern, such as the common HTML files that most Tor users are likely to be accessing, into the connection and then checking the router’s flow records to check for a match. If it finds a match, then the user is no longer anonymous.
"When you’re looking at those kind of attacks, they're done by government state agencies, usually foreign governments suppressing protesters or tracking dissidents. It's harder to do in America because there's so much other traffic," said Jayson Street, who bears the job title of Infosec Ranger at security assessment firm Pwnie Express.
The takeaway is clear: Tor used by itself is hardly some one-stop shop to ensure anonymity online. "End users don’t know how to properly configure it -- they think it’s a silver bullet," Street said. "They think once they use this tool, they don’t have to take other precautions. It's another reminder to users that nothing is 100 percent secure. If you're trying to stay protected online, you have to layer your defenses."