Tor anonymity network could be ‘easily compromised,’ researcher says
Following revelations of mass online surveillance and encryption backdoors installed by the National Security Agency, some users have flocked to the Tor router service – although experts warn that it may not be as secure as once thought.
Tor, short for “The Onion Router,” has experienced a major uptick in subscribers since former NSA contractor Edward Snowden leaked details about the US government’s vast internet surveillance programs.
The service - which for years accepted funding from US government entities - has doubled its customer base, thanks to a growing number of people who wish to conceal their online communication, search queries, and home location from the government.
The most recent Snowden leak, which disclosed that the NSA uses backdoors to crack web encryption, may have alarmed Tor users by revealing that US and British intelligence agencies have also targeted the very anonymity services that Tor counts itself among. The NSA has allegedly spent hundreds of millions of dollars annually to “covertly influence” tech companies, and even planted undercover agents within major corporations.
Unfortunately for the thousands of people who rely on Tor, many of the devices they use to connect to its servers could still be infiltrated by the NSA. This is partly due to only 10 percent of Tor servers using its latest iteration which boasts stronger cryptography.
Rob Graham, the CEO of penetration testing firm Errata Security, told Ars Technica that he ran a “hostile” exit node on Tor and found that 76 percent of the nearly 23,000 connections he tracked used a form of the 1024-bit Diffie-Hellman key.
The NSA’s exact capabilities have yet to be made public, but most security experts assume the agency could easily crack the key Graham observed.
“Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,” Graham wrote in a blog post. “Assuming no ‘breakthroughs,’ the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they’ve got fairly public deals with IBM foundries to build chips.”
He also advised users to take responsibility for themselves by consistently updating their Tor software package and thoroughly reading through NSA documents that have been made public.
“Of course, this is just guessing about the NSA’s capabilities,” Graham continued. “As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure.”
It has been made public that the Department of Defense provided Tor with $876,099 in 2012 – a sum large enough to make up 40 percent of the project’s $2 million budget. Other government donors included the US State Department and the National Science Foundation.
Though the NSA itself is housed under the Department of Defense, Tor’s executive director Andrew Lewman has said that the intelligence agency has not requested a backdoor into the system.
“The parts of the US and Swedish governments that fund us through contracts want to see strong privacy and anonymity exist on the Internet in the future,” Lewman explain in an email to customers, as quoted by The Washington Post. “Don’t assume that ‘the government’ is one coherent entity with one mindset.”