Deutschlandfunk · Computer und Kommunikation · 12 October 2024 · Original broadcast ↗

Is Tor Still Secure? Timing Attacks on the Anonymization Network

Hosted by Manfred Kläuber. With reporter Michael Gessert.

English translation of the Tor segment from the 12 October 2024 edition of Computer und Kommunikation. Matthias Fassl appears as a technical expert. Translation lightly edited for readability.

"If you want anonymization on the internet, the Tor Browser is still the first option. There aren't really many sensible alternatives." — Matthias Fassl, CISPA Helmholtz Center for Information Security, Saarbrücken

That assessment is not entirely uncontroversial at the moment. Serious doubts have recently arisen about whether the Tor anonymization network — the acronym stands for The Onion Router — is still secure and trustworthy. On 18 September, colleagues at NDR reported that the anonymization service Tor was vulnerable, describing successful timing attacks by law enforcement agencies on the Tor network.

Reporter Michael Gessert explains: what the NDR colleagues reported were investigation details that only became known after the fact — relating to a case from 2021. At the time, German law enforcement had managed to identify the operator of the child abuse platform Boys Town on the so-called darknet. The technical details that led to that breakthrough only came to light recently, through a Reddit post at the start of the year. The NDR colleagues and experts from the Chaos Computer Club (CCC) who were consulted had access to further information — and this is where a certain confusion arose among everyone interested in Tor. Was there — or is there — some fundamentally unknown weakness in the technical design of the anonymization network?

To understand the issue, it helps to briefly explain how Tor works. When I want to visit a website using the Tor Browser, I enter the Tor network via an entry server — the entry node. From there, my communications and browsing data are encrypted and forwarded to a middle node, and from there encrypted again to an exit node, which then retrieves the website. The trick: the requested website doesn't know who the request is coming from. And my ISP, the entry node, and any authorities who might be monitoring me don't know what I'm accessing. That is the concept.
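
The three-hop layering just described, as an added illustration that is not part of the broadcast or the translation: a toy onion in which the client wraps the request in one layer per relay and each relay strips exactly one layer. A SHA-256 counter-mode keystream stands in for Tor's actual ciphers and per-hop key exchange, the fixed-width "next hop" header is toy framing, and the relay names and the sample request are constructed. What the code shows is the point of the design: the entry relay sees the client and the next relay, the exit relay sees the destination and the readable request, and no single relay sees both ends.

```python
import hashlib
import os

HOP_FIELD = 16  # fixed-width "forward to" header inside each layer (toy framing)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. It stands in for Tor's
    AES-CTR so the layering logic runs on the standard library alone;
    it is an illustration, not a cipher to reuse."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call adds or removes one layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(hop_keys, next_hops, payload: bytes) -> bytes:
    """Client side. hop_keys[i] is the key shared with relay i (Tor negotiates
    it per hop while building the circuit); next_hops[i] is where relay i must
    forward. The exit's layer goes on first and the entry's last, so each relay
    strips one layer and sees only its own header."""
    onion = payload
    for key, nxt in reversed(list(zip(hop_keys, next_hops))):
        header = nxt.encode()
        assert len(header) <= HOP_FIELD, "toy framing: next-hop name too long"
        onion = xor_crypt(key, header.ljust(HOP_FIELD, b"\0") + onion)
    return onion


def peel(key: bytes, onion: bytes):
    """Relay side: strip one layer, learn the next hop, pass the rest on."""
    plain = xor_crypt(key, onion)
    nxt = plain[:HOP_FIELD].rstrip(b"\0").decode()
    return nxt, plain[HOP_FIELD:]


def run_circuit(payload: bytes, destination: str, hop_keys=None):
    """Push one request through entry -> middle -> exit and record what each
    relay learned: who handed it the data, where it forwards, and whether the
    bytes it forwards are the readable request."""
    relays = ["entry", "middle", "exit"]
    if hop_keys is None:
        hop_keys = [os.urandom(32) for _ in relays]
    next_hops = relays[1:] + [destination]
    onion = build_onion(hop_keys, next_hops, payload)

    view = {}
    prev = "client"
    for name, key in zip(relays, hop_keys):
        nxt, onion = peel(key, onion)
        view[name] = {"prev": prev, "next": nxt, "payload_visible": onion == payload}
        prev = name
    return view, onion  # after the exit's peel, onion is the plaintext request


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed sample
    view, delivered = run_circuit(request, "example.org:443")
    for relay, seen in view.items():
        print(f"{relay:6} from={seen['prev']:7} to={seen['next']:16} "
              f"reads request={seen['payload_visible']}")
    print("destination receives the request:", delivered == request)
```

The `view` dictionary is the whole argument of the segment in one place: the entry relay's record pairs "client" with "middle", the exit relay's pairs "middle" with the destination, and the timing attacks discussed below work precisely because an observer who watches both ends does not need either record.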

Former US intelligence employee and whistleblower Edward Snowden had already pointed to the worst-case scenario for this concept back in 2013: if one actor — an intelligence agency — has the technical resources to comprehensively monitor both the entry and exit points of the Tor network, they can simply observe that a download is starting at an entry node in Germany at the same moment as an upload is beginning at an exit node in the US. This is, so to speak, the mother of all correlation attacks on the Tor network. If you can correlate encrypted and obfuscated activities with each other in time, you can thereby undermine anonymity.

Such correlation or timing attacks work not only on traffic passing through the Tor network, but also on connections from outside into Tor — to the so-called hidden services, i.e., the darknet.

The operator of the Boys Town platform apparently communicated using a supposedly secure Tor-internal messenger called Ricochet. This messenger runs within the Tor network as a hidden service. To communicate with it, a kind of rendezvous point is arranged within the Tor network.

"And then I tell this hidden service: please also connect there, so we can communicate. That means an authority can, in principle, tell this hidden service as often as it wants: 'hey, why don't you build a new connection' — and then check whether the hidden service used a node that the authority controls, i.e., one it operates or can monitor." — Matthias Fassl, CISPA Helmholtz Center for Information Security

That is apparently how the Boys Town case unfolded. The investigating authorities were able to communicate in real time with the suspect via a server they controlled. When they sent a message, they could immediately cross-reference which entry node into the Tor network the messenger response came through.

Against such real-time timing and correlation analyses, there is in principle a countermeasure, as Fassl explains:

"The Tor network could introduce a kind of data noise, or a random delay in the transmitted data. But if you were to change that and introduce additional time delays, it would also reduce popularity, because it would become less useful — even more cumbersome to use the Tor network. And it would also shrink my anonymity set, because there would be fewer people in the Tor network. And a Tor network used by only three people is not particularly anonymous anymore." — Matthias Fassl, CISPA Helmholtz Center for Information Security
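
The correlation attack described a few paragraphs up, and the delay-and-noise countermeasure Fassl weighs against it here, as one added simulation that is not part of the broadcast and not the investigators' method. An observer at the entry side has the packet arrival times of one client flow; an observer at the exit side has several candidate flows. Both are binned into 100 ms windows and compared with Pearson correlation over a few lags to absorb transit latency. All timestamps are constructed with a seeded generator, and the parameters (12 page-load bursts per minute, 200 ms transit latency, 5 s of random per-packet delay, 3000 dummy packets) are made up for the illustration.

```python
import random

BIN_MS = 100  # observation window width used on both sides


def bin_counts(ts_ms, n_bins):
    """Packets per window; the observer needs no contents, only arrival times."""
    counts = [0] * n_bins
    for t in ts_ms:
        if 0 <= t < n_bins * BIN_MS:
            counts[t // BIN_MS] += 1
    return counts


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def correlate(entry_ts, exit_ts, n_bins, max_lag_bins=5):
    """Best correlation over small lags, so a constant transit latency is no defence."""
    a = bin_counts(entry_ts, n_bins)
    b = bin_counts(exit_ts, n_bins)
    return max(pearson(a[:n_bins - lag], b[lag:]) for lag in range(max_lag_bins + 1))


def best_match(entry_ts, exit_flows, n_bins):
    scores = {name: correlate(entry_ts, ts, n_bins) for name, ts in exit_flows.items()}
    return max(scores, key=scores.get), scores


def make_flow(rng, horizon_ms, bursts):
    """Constructed bursty traffic: a browsing session is a handful of page loads."""
    ts = []
    for _ in range(bursts):
        start = rng.randint(0, horizon_ms - 1000)
        ts += [start + rng.randint(0, 49) for _ in range(rng.randint(5, 40))]
    return sorted(ts)


def transit(ts, rng, latency_ms=200, jitter_ms=0, cover_packets=0, horizon_ms=0):
    """What the exit-side observer sees: constant transit latency, plus the two
    countermeasures Fassl names, random per-packet delay and dummy traffic."""
    out = [t + latency_ms + rng.randint(0, jitter_ms) for t in ts]
    out += [rng.randint(0, horizon_ms) for _ in range(cover_packets)]
    return sorted(out)


def scenario(jitter_ms=0, cover_packets=0, seed=7, decoys=5):
    """One target flow plus independent decoy flows on the exit side."""
    rng = random.Random(seed)
    horizon_ms = 60_000
    n_bins = (horizon_ms + 10_000) // BIN_MS
    target = make_flow(rng, horizon_ms, bursts=12)
    exit_flows = {"target": transit(target, rng, jitter_ms=jitter_ms,
                                    cover_packets=cover_packets, horizon_ms=horizon_ms)}
    for i in range(decoys):
        exit_flows[f"decoy{i}"] = transit(make_flow(rng, horizon_ms, bursts=12), rng)
    return best_match(target, exit_flows, n_bins)


if __name__ == "__main__":
    for label, kw in [("no countermeasure", {}),
                      ("uniform dummy traffic, ~5 pkt/bin", {"cover_packets": 3000}),
                      ("random delay up to 5 s per packet", {"jitter_ms": 5000})]:
        match, scores = scenario(**kw)
        print(f"{label:36} best match={match:8} target score={scores['target']:.2f}")
```

In this toy the undisturbed target correlates almost perfectly while the decoys stay near zero; a moderate amount of constant-rate dummy traffic barely dents the score, because the page-load bursts still stand out above it; only a random delay of several seconds per packet smears the bursts enough to defeat the bin-level comparison. That ordering is a property of this simulation, not a result the broadcast reports, but it is the trade-off Fassl describes: the delay that hides the timing is also the delay users would not tolerate.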

Joachim Selzer of the CCC — the Chaos Computer Club — sees exactly this same dilemma. In his assessment, law enforcement agencies and intelligence services will continue to try to infiltrate compromised servers — i.e., nodes — into the Tor network:

"If I were a state attacker, I would put compromised servers into the network, maybe not make them too attractive so they don't arouse suspicion. And then I'd simply wait — maybe half a year or a year. And it would be worth it, because after a year I could say: okay, now I've fed enough servers into this network. And then I'd start unmasking people." — Joachim Selzer, Chaos Computer Club

The Tor Project responded immediately to the Boys Town news with a blog post, stating that Tor remains technically secure. The investigation's success and the de-anonymization of the platform operator were likely attributable to the use of the outdated Ricochet messenger or other outdated software. Tor has since introduced a new protection called Vanguards, designed to guard against precisely the kind of timing analyses used in the investigation.
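
The repeated-connection attack Fassl describes above, and the Vanguards protection the Tor Project points to, as an added simulation that is not the investigators' method and not the Tor Project's code. An attacker keeps opening rendezvous connections to the onion service; each forces the service to build a fresh circuit from its fixed entry node (its guard) through a second hop towards the attacker's rendezvous point, and the attacker learns the guard on the first circuit whose second hop is a relay it controls. The Vanguards-style variant pins the second hop to a small set for the whole observation window. The parameters (1000 relays, an attacker controlling 5% of them, a pinned set of four, a 500-connection window, 200 trials) are hypothetical, and relay selection is modelled as uniform where Tor weights by bandwidth.

```python
import random
import statistics


def attempts_to_discover_guard(rng, n_relays, attacker_frac, max_attempts, pinned_size=None):
    """One onion service under attack. Returns the number of rendezvous
    connections the attacker needed before an attacker-run relay was chosen as
    the hop right after the service's guard, or None if the window ran out."""
    attacker = set(rng.sample(range(n_relays), round(n_relays * attacker_frac)))
    honest = [r for r in range(n_relays) if r not in attacker]
    guard = rng.choice(honest)          # an attacker-run guard would need no attack
    candidates = [r for r in range(n_relays) if r != guard]
    if pinned_size is None:
        pool = candidates                # classic behaviour: any relay may be the second hop
    else:
        # Vanguards-style: the second hop is drawn from a small set that stays fixed
        # for this window. The real mechanism rotates that set on a timescale of days
        # and pins a third-hop set as well; both are simplified away here.
        pool = rng.sample(candidates, pinned_size)
    for attempt in range(1, max_attempts + 1):
        if rng.choice(pool) in attacker:
            return attempt
    return None


def summarize(runs, seed=2024, **kwargs):
    """Repeat the attack against independent services and report how often the
    attacker learned the guard within the window, and how many connections the
    successful cases took."""
    rng = random.Random(seed)
    results = [attempts_to_discover_guard(rng, **kwargs) for _ in range(runs)]
    hits = [r for r in results if r is not None]
    return {
        "success_rate": len(hits) / runs,
        "median_attempts": statistics.median(hits) if hits else None,
    }


if __name__ == "__main__":
    params = dict(n_relays=1000, attacker_frac=0.05, max_attempts=500)
    print("no vanguards:         ", summarize(200, **params))
    print("pinned second hop (4):", summarize(200, pinned_size=4, **params))
```

Without pinning, each new circuit is an independent draw, so an attacker holding 5% of the relays expects to hit the guard after roughly 20 connections and essentially always succeeds within the window. With the second hop pinned to four relays, the attacker either happens to own one of the four and succeeds quickly, or owns none and learns nothing for as long as the set stays fixed; in this toy that leaves success to the minority of trials where the pinned set already contained an attacker relay. That is the shape of Selzer's remark about patience: the pinned sets do rotate, so an attacker who keeps many relays in the network long enough still gets chances, but each chance is now rare rather than one per connection.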

Pavel Zoneff of the Tor Project therefore gives the all-clear, but at the same time concedes that the Tor team is not yet entirely certain whether there might be further, previously unknown design weaknesses.

Michael Gessert sums up: based on his conversations with Matthias Fassl from CISPA, Joachim Selzer from the CCC, and the Cologne Cybercrime Prosecution Unit, his overall impression is that there is probably no new unknown weakness in the Tor design that would give investigators a kind of master key. The research community is constantly working to develop new correlation analyses — but to make Tor more secure, not to exploit it. As for the CCC, it is fundamentally on the side of privacy, and Gessert suspects that if there were a dramatic, unresolved security problem with Tor, they would likely signal it somehow. And as for law enforcement: if there were such a fundamental gap, criminal darknet platforms would be taken down not just sporadically, but continuously.