Wednesday, 23 July 2014 11:20

TOR Vulnerability Talk at Black HAT 2014 Canceld

Written by

Reading time is around minutes.

The TOR Project has been the go-to group when it comes to anonymity. This group and their TOR browser bundle are used by millions of people daily and not just to surf for illegal items or porn. In many cases the use of TOR allows dissidents in countries with oppressive governments to maintain connections to the outside world and also communicate. In areas like China TOR and their obfuscator project allow free access to the internet despite the great firewall of China.

So when a talk labeled “You Don’t Have to be the NSA to Break TOR: Deanonymizing Users on a Budget”, given by CERT (Computer Emergency Response Team) researcher Alexander Volynkin, popped up on the list for Black Hat 2014 some people became concerned. This talk had the potential to show anyone how to unmask TOR users. The talk was quickly pulled by CERT and CMU’s (Carnegie Mellon University) Software Engineering Institute.

According to Black Hat the talk was pulled due to legal reasons, but the TOR project is saying that they never asked for the talk to be pulled down. All they wanted to do was work with CERT on the disclosure piece to make sure they are covering the bases. The TOR Project also wants to make sure that they fix the vulnerability that the talk was supposed to cover. As of this writing all they had been shown was a small bit of material in an informal setting they did not have the full talk.

Roger Dingledine wrote in a blog post: “I think I have a handle on what they did, and how to fix it,” You would think that with an exploit of this nature CERT would follow the usual rules of disclosure and give the TOR Project the time to respond before dropping the hammer like this. Dingledine went on to say: “We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything.”

For now the TOR Project is working on fixing the bug to protect their users moving forward, but they are not giving out any additional information on what is going on (understandable). The talk is still off the list and there are no plans to put it back up. If you are a TOR user we recommend you are careful in your browsing habits until there is an announcement that the bug has been fixed and an update pushed out.

Tell us what you think in our Forum

Read 2502 times Last modified on Wednesday, 23 July 2014 13:43

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.