Wednesday, 23 July 2014 11:20

TOR Vulnerability Talk at Black Hat 2014 Canceled


The TOR Project has been the go-to group when it comes to anonymity. The group and its TOR browser bundle are used by millions of people daily, and not just to surf for illegal items or porn. In many cases TOR allows dissidents in countries with oppressive governments to maintain connections to the outside world and to communicate. In places like China, TOR and its obfuscator project allow free access to the internet despite the Great Firewall of China.

So when a talk titled “You Don’t Have to be the NSA to Break TOR: Deanonymizing Users on a Budget”, to be given by CERT (Computer Emergency Response Team) researcher Alexander Volynkin, popped up on the list for Black Hat 2014, some people became concerned. This talk had the potential to show anyone how to unmask TOR users. The talk was quickly pulled by CERT and CMU’s (Carnegie Mellon University) Software Engineering Institute.

According to Black Hat, the talk was pulled for legal reasons, but the TOR Project says that it never asked for the talk to be pulled. All it wanted to do was work with CERT on the disclosure piece to make sure the bases were covered. The TOR Project also wants to make sure that it fixes the vulnerability the talk was supposed to cover. As of this writing, all the project had been shown was a small bit of material in an informal setting; it did not have the full talk.

Roger Dingledine wrote in a blog post: “I think I have a handle on what they did, and how to fix it.” You would think that with an exploit of this nature CERT would follow the usual rules of disclosure and give the TOR Project time to respond before dropping the hammer like this. Dingledine went on to say: “We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything.”

For now the TOR Project is working on fixing the bug to protect its users moving forward, but it is not giving out any additional information on what is going on, which is understandable. The talk is still off the list and there are no plans to put it back up. If you are a TOR user, we recommend that you be careful in your browsing habits until there is an announcement that the bug has been fixed and an update pushed out.


Last modified on Wednesday, 23 July 2014 13:43
