
Tor Dark Web Browser Users Reportedly Unmasked by Police

Tor says it's 'left with more questions than answers' after an investigation finds police have been able to identify several Tor users by surveilling nodes in data centers.

Kate Irwin, Reporter


The Tor web browser, which has about 2 million users and anonymizes them by combining encryption with rerouting all traffic multiple times, may not be so anonymous after all.

That's according to a new investigation from German news outlet NDR, which reports that police have been able to de-anonymize several Tor users' traffic using a "timing analyses" method. Police have been surveilling Tor servers in data centers and have used the "Ricochet" chat service to identify Tor users and determine their entry points to the network, according to the report.

A member of the German hacking group Chaos Computer Club verified the method, adding, "Law enforcement authorities have repeatedly and successfully carried out timing analysis attacks against selected Tor users for several years to de-anonymize them."

In response to the German investigation, Tor said in a blog post that it's "still the best solution" for internet privacy. However, it also admits its team is left with "more questions than answers" about what is happening. Tor says it hasn't been able to verify NDR's claims because the news outlet has not shared or publicized its evidence.

"From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack," the post reads, presumably referring to the police identification of a leader of the dark web pedophilia site "Boystown," which is mentioned in the NDR report but happened years ago.

"This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the vanguards add-on, which were introduced to protect users from this type of attack," Tor continued. "This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022."

Tor's post suggests that those who used the browser prior to 2022 are more at risk of being exposed. "To the best of our knowledge, the attacks happened between 2019-2021," Tor states.

The Tor browser lets users access the "dark web," or websites that aren't indexed by Google or other common search engines (dark web sites are often affiliated with criminal activity). But Tor can also be used to communicate anonymous tips, to circumvent authoritarian government censorship, and to access areas of the internet that have otherwise been blocked or hidden in a user's country.

According to Tor's own stats based on "bridge" connection data, nearly 43% of average daily Tor users are believed to be based in Russia, with nearly 16% in Iran and about 9% in the US. German users make up about 3% of Tor users, with France and China making up about another 2% each of the total user base.

Some Tor users are aware of the risk of de-anonymization, and have previously discussed the possibility of their traffic being traced and tied to them as individuals. But as one Tor user speculates, investigators would have to spend money to participate in the network and stick around for an extensive period of time undetected in order to potentially unmask any traffic.

But because Tor typically relays traffic three times, including an entry and an exit relay, an entity that owns two out of the three relays could determine a user's identity if that user's traffic happens to pass through both of them.

As Malwarebytes explains, extensive network surveillance can allow authorities to identify Tor users if they can match time patterns and track network entry and exit points. And the fewer active Tor nodes supporting the network, the easier this surveillance becomes. Tor was "designed" to have hundreds of thousands of nodes around the world, Malwarebytes says, but has only about 8,000 active relays at the time of writing.

The more nodes that exist, the more decentralized the network is, and therefore, the harder it is to monitor the entire network and piece together user identities.
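To put numbers on that argument, the following added example (not from the article or from Tor) estimates how often one circuit has both its entry and exit relay under observation, comparing the roughly 8,000 relays cited above with a larger network. The 400 observed relays, the 200,000-relay stand-in for "hundreds of thousands," and uniform, independent relay selection are assumptions; real Tor weights relays by bandwidth and keeps long-lived entry guards.

```python
import random

def both_ends_probability(total_relays, observed_relays):
    """Exact chance that one circuit's entry and exit are both observed,
    assuming relays are picked uniformly without replacement (assumption)."""
    c, n = observed_relays, total_relays
    return (c / n) * ((c - 1) / (n - 1))

def exposure_over_circuits(per_circuit_p, circuits):
    """Chance that at least one of `circuits` independent circuits
    is observed at both ends."""
    return 1.0 - (1.0 - per_circuit_p) ** circuits

def simulate(total_relays, observed_relays, circuits, seed=1):
    """Monte Carlo check of the formula: build 3-hop circuits and count
    those whose entry and exit are both in the observed set."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(circuits):
        entry, _middle, exit_ = rng.sample(range(total_relays), 3)
        # Relay numbers below observed_relays stand for the monitored relays.
        if entry < observed_relays and exit_ < observed_relays:
            hits += 1
    return hits / circuits

def compare(observed_relays=400, circuits=1000):
    """Same number of observed relays, two network sizes."""
    rows = []
    for total in (8_000, 200_000):
        p = both_ends_probability(total, observed_relays)
        rows.append((total, p, exposure_over_circuits(p, circuits)))
    return rows

if __name__ == "__main__":
    for total, p, cumulative in compare():
        print(f"{total:>7} relays: per circuit {p:.6f}, "
              f"over 1000 circuits {cumulative:.4f}")
    print("simulated, 8,000 relays:", simulate(8_000, 400, 100_000))
```

With the observer's relay count held fixed, growing the network 25-fold cuts the per-circuit exposure by a factor of about 625, because the observer has to win both the entry and the exit draw.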
