The Tor Network (originally called The Onion Router) was developed by the Naval Research Labs and used primarily as a means of communication by people living in places with very restrictive governments. The tool relies on a network of servers that redirect, encrypt (internally) and anonymize traffic between end points. It is a brilliant system that has become very popular with people interested in privacy. However, the system is far from perfect and there are many ways to force a user to give up their identity. Some of these are flaws in the most common browser used for the Tor Network (Firefox) while others are much more protocol or API based.
One of the most common methods to get a system to give up its identity is actually through the use of local DNS servers. If you are using the Tor Network with internal DNS servers then the DNS requests will go through those and they will be tagged with the IP address of your internet connection. This makes it easy to find out where you are talking from, and once that is known, finding you can also be a fairly simple task. Outside of the use of local DNS servers there are flaws in Flash, JavaScript, Silverlight, and other APIs that send out information about your machine when they make requests for content. You can also set up honeypot servers that operate as entry or exit points for traffic and catalog the information as it goes through them (although that is not very accurate).
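The DNS leak described above comes down to which side of the SOCKS connection resolves the hostname. The following Python example (added here; it is not code from the original article or from the Tor Project) encodes and decodes SOCKS5 CONNECT requests per RFC 1928 and contrasts a leaky client, which resolves the name through the OS resolver and then hands the proxy a bare IP, with a safe client, which passes the name in an ATYP 0x03 field so Tor resolves it inside the circuit. The `RecordingResolver` class and the `example.com` address table are constructed stand-ins for this example; a real stub resolver would send the query over UDP/53 to the configured DNS server, stamped with the client's own source address.

```python
import socket
import struct

# Constants from RFC 1928 (SOCKS Protocol Version 5)
SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
ATYP_NAMES = {ATYP_IPV4: "ipv4", ATYP_DOMAIN: "domain", ATYP_IPV6: "ipv6"}


def address_family(host):
    """Return AF_INET/AF_INET6 for an IP literal, or None for a hostname."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return family
        except OSError:
            continue
    return None


def socks5_connect_request(host, port):
    """Encode a SOCKS5 CONNECT request.  A hostname is carried verbatim in an
    ATYP=0x03 field, so the proxy (Tor) resolves it inside the circuit and the
    local resolver never sees the name."""
    family = address_family(host)
    if family == socket.AF_INET:
        atyp, addr = ATYP_IPV4, socket.inet_pton(family, host)
    elif family == socket.AF_INET6:
        atyp, addr = ATYP_IPV6, socket.inet_pton(family, host)
    else:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("SOCKS5 domain field must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_socks5_connect_request(req):
    """Decode a CONNECT request into (address type, target, port).  Useful when
    auditing a capture of the loopback SOCKS port: an ipv4/ipv6 address type
    for a target the application only knew by name means it resolved locally."""
    if len(req) < 4 or req[0] != SOCKS5_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        target, rest = socket.inet_ntop(socket.AF_INET, req[4:8]), req[8:]
    elif atyp == ATYP_IPV6:
        target, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        target, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad port field")
    return ATYP_NAMES[atyp], target, struct.unpack("!H", rest)[0]


class RecordingResolver:
    """Constructed stand-in for the OS stub resolver: it records every name it
    is asked for.  A real one would send the query to the configured DNS
    server, tagged with the client's own source address."""

    def __init__(self, table):
        self.table = table
        self.queries = []

    def gethostbyname(self, name):
        self.queries.append(name)
        return self.table[name]


def leaky_connect_request(host, port, resolver):
    """The mistake: resolve the name first, then hand the proxy a bare IP."""
    if address_family(host) is None:
        host = resolver.gethostbyname(host)
    return socks5_connect_request(host, port)


def safe_connect_request(host, port):
    """The fix: pass the name through and let Tor resolve it remotely."""
    return socks5_connect_request(host, port)


if __name__ == "__main__":
    resolver = RecordingResolver({"example.com": "93.184.216.34"})  # constructed table
    leaky = leaky_connect_request("example.com", 443, resolver)
    safe = safe_connect_request("example.com", 443)
    print("leaky request:", parse_socks5_connect_request(leaky), "resolver saw", resolver.queries)
    print("safe request: ", parse_socks5_connect_request(safe), "resolver saw", resolver.queries[1:])
```

The same distinction is what Tor's own `WarnUnsafeSocks` (log a warning when a client sends an IP literal) and `SafeSocks` (reject such requests) torrc options act on, as documented in the Tor manual; the parser above is the equivalent check run over a capture of the SOCKS port rather than inside Tor.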
So there have always been ways to get information on people who are not educated in the proper use of the Tor network, but that accounts for a small percentage and certainly would not cover the people using the network who do know the flaws and how to get around them. The NSA has taken this a little farther and has been using some old exploits as well as new ones that they have created, including the use of poisoned servers that inject malware into the systems that visit them. One of the most common methods the NSA used for identifying people using Tor is to look at the BuildID of the browser. If the ID was reset to 0 then that system was most likely using Tor for communication.
The NSA is also trying to identify nodes on the Tor network so they can isolate and perhaps compromise those systems. According to information released by Edward Snowden, they have identified hundreds of systems that are suspected nodes or servers. The NSA even had a conversation with Roger Dingledine (principal designer of the Tor Network) through the use of a hosted talk in November of 2007. The talk was more of an intelligence gathering session and could have been used to further their efforts to penetrate the privacy-centric service. The NSA's efforts have been successful in unmasking Tor users, as we saw with the operation that unmasked Freedom Hosting during a child pornography investigation and just recently to bring down the Silk Road illegal drug trade network. This makes supporters of what the NSA is doing claim that the extra surveillance is both needed and warranted. The problem is: where do they draw the line?
In the end the NSA is going to keep up their efforts to break into and compromise the Tor Network. They know that their current methods are much more of a broadcast effect and are not effective for the type of request they get (individual target requests). To them blanket access is what they need and what they are going to work toward. On the other side, the guys at the Tor Project are pretty smart themselves and will continue to update and improve their network with the intent of stopping the NSA or any other agency looking to pry... To be honest, I think unless the NSA gets some sort of leverage on the Tor Project, the safe money is on the Tor Project.