The National Security Agency tried to crack the encryption protecting the Tor network — known as a bulletproof vehicle for anonymous communication — but was unable to do so, according to news reports based on revelations provided by former NSA systems administrator Edward Snowden.
Undaunted, the agency and its British counterpart, GCHQ, then reportedly used a flaw in older versions of Firefox to circumvent Tor and gain access to a small number of communications.
Overall, though, the majority of communications sent via Tor appear to be safe from government eyes, according to documents disclosed Friday by The Guardian.
“We will never be able to de-anonymize all Tor users all the time,” states one top-secret presentation, titled “Tor Stinks.” “With manual analysis we can de-anonymize a very small fraction of Tor users.”
An Inevitable Clash
It was almost inevitable that the NSA would try to penetrate Tor — at least based on what has been revealed about the NSA’s online spy activities by Snowden over the past several months.
Tor, short for “the Onion Router,” is an open-source public project devoted to keeping communications anonymous and safe from government eyes. It achieves this by bouncing its Internet traffic through several other computers.
The NSA, according to the documents released by Snowden, has been avidly scouring Internet communications by both U.S. citizens and people around the world on behalf of U.S. national security. Tor would have been a natural target in its mission.
Tor was the browser of choice for users of Silk Road, the illicit website recently shut down by the FBI.
Tor Wins
That Tor was able to keep its users’ identities secret, at least for the most part, is a testament to the technology’s strength, Craig Young, security researcher at Tripwire, told TechNewsWorld.
“The fact that the NSA and GCHQ are using browser vulnerabilities to expose users, in spite of having control of many ISPs and many Tor exit nodes, indicates that attempts to exploit Tor at a network level have failed,” he said.
Still, users have to be on top of all aspects of security if they expect Tor to protect their communications, he continued.
Experienced Tor users understand that in spite of the software’s “onion routing,” their identities can still be compromised by client-side content running within a browser, Young said. Experienced users also certainly know enough to disable browser plug-ins and JavaScript processing to protect themselves.
Not everyone using Tor has advanced security and privacy knowledge, he noted, but even in such scenarios the network tries to protect users.
The NSA’s attempts to leverage Firefox against Tor were not a first — earlier this year, according to Young, the FBI used a Firefox exploit to expose users and shut down a hidden Tor service called Freedom Hosting.
“The Tor project responded by reminding users how to use the service securely as well as by updating the Firefox Tor bundle to disable JavaScript by default,” Young said.
Who Are They Targeting?
Tor’s success in thwarting the NSA and FBI should not be overemphasized to the extent that the original point — that the government was trying to hack Tor — is lost, said Ken Westin, founder of mobileprivacy.org.
“Governments are behaving like hackers and essentially weaponizing software vulnerabilities,” Westin told TechNewsWorld.
“The real question here concerns who the exploit was targeting,” he explained. “Was it people law enforcement had probable cause to monitor, or was it a blanket exploit that targeted all users of Tor?”
It’s pretty reasonable to assume the latter, Westin opined.
“That raises some thorny legal and ethical questions about the reach and the use of exploits and other tools used by hackers with malicious intent, against a country’s people by its government,” he said.
A Common Phenomenon
Such tactics are actually quite common in governments around the world, Philip Lieberman, president of Lieberman Software, told TechNewsWorld.
“I can say that this and other undisclosed weaknesses in technology are regularly used by both sides in cyberwarfare,” Lieberman explained. “Nation state inventories of exploits vary by country, and their usage is generally unknown to the general public.”