The Tor Project has sought to reassure users that the platform is safe, after details emerged of a German-led international law enforcement operation in 2021 that compromised Tor’s anonymity to unmask and convict an alleged criminal.
In September, German news broadcaster NDR published a report revealing that German authorities had managed to perform an attack that successfully de-anonymised a Tor user. The attack took place in 2021, but is only now coming to light. The target was a man known as “Andres G”, the alleged operator of an illicit CSAM (child sexual abuse material) website known as Boystown. The website was taken offline as a result of Andres’ arrest and remains defunct.
The attack was a so-called ‘timing analysis’ attack. Such attacks do not exploit weaknesses in Tor’s software; instead, they rely on network analysis to time individual packets of data in the network. According to Bill Budington, senior staff technologist at the digital rights group EFF, this is only possible if authorities control a ‘guard node’, one of the servers used as entry points to the Tor network.
According to the report, German authorities occasionally “have servers in the Tor network surveilled for months in order to deanonymise Tor users”.
This has led to consternation amongst Tor users and privacy advocates, who fear the Tor network may be largely compromised by law enforcement. There are currently 8,000 nodes on the Tor network, thought to be operated primarily by individual volunteers worldwide.
In a blog post published recently, the Tor Project sought to allay concerns.
“Like many of you, we are still left with more questions than answers–but one thing is clear: Tor users can continue to use Tor Browser to access the web securely and anonymously. And the Tor Network is healthy.”
The post goes on to describe the attack as a result of the target using an outdated version of Ricochet, a secure messaging application. The outdated software lacked a protection, known as the Vanguards Add-On, which the Tor Project introduced to defend against ‘guard discovery attacks’ of the sort supposedly used by German authorities in this case.
The Tor Project bemoaned the lack of details provided to them by involved parties, stating “We need more details about this case. In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users.”
The original report by NDR can be read here in English.