Tor Project makes efforts to debug dark web

Image caption: Security researchers claimed to have found a way to reveal Tor users' identities

The co-creator of a system designed to make internet users unidentifiable says he is tackling a "bug" that threatened to undermine the facility.

The Tor (the onion router) network was built to allow people to visit webpages without being tracked and to publish sites whose contents would not show up in search engines.

Earlier this month two researchers announced plans to reveal a way to de-anonymise users of this "dark web".

They were later prevented from talking.

Alexander Volynkin and Michael McCord - two security experts from Carnegie Mellon University's computer emergency response team (Cert) - had been scheduled to reveal their findings at the Black Hat conference in Las Vegas in August.

However, a notice published on the event's website now states that the organisers had been contacted by the university's lawyers to say the talk had been called off.

"Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release," the message said.

Image caption: The details of the "flaw" in Tor were due to be revealed at a conference in Las Vegas

Roger Dingledine, one of Tor's creators, subsequently posted a message to a mailing list confirming that he and his colleagues had "no idea the talk would be pulled".

But he added that the Tor Project - the organisation that provides free software to make use of Tor - had been "informally" shown some of the materials that would have been presented.

"I think I have a handle on what they did, and how to fix it," he added in a follow-up post.

"We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything.

"Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world."

Tor was originally developed by the US Naval Research Laboratory and was later funded by the Electronic Frontier Foundation digital rights group, Google and the US National Science Foundation, among others.

It attempts to hide a person's location and identity by sending data across the internet via a very circuitous route. Encryption applied at each hop along this route makes it very hard to connect a person to any particular activity.

Its users include the military, law enforcement officers and journalists - who use it as a way of communicating with whistle-blowers - as well as members of the public who wish to keep their browser activity secret.

But it has also been associated with illegal activity.

The description given for the pulled talk itself noted that Tor "has also been used for the distribution of child pornography, illegal drugs, and malware".

Image caption: The FBI previously made use of a separate flaw in Tor to identify suspects

The researchers had promised to reveal how a piece of kit worth $3,000 (£1,760) could be used to "exploit fundamental flaws in Tor design and implementation" to reveal the internet address of its users and the computer servers used to host their hidden services.

"We know because we tested it in the wild," they added.

Christopher Soghoian, a tech expert at the American Civil Liberties Union, has speculated that the university might have feared the risk of a criminal prosecution or being sued by Tor users who felt their privacy had been violated.

"Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes," he tweeted.

However, a spokeswoman for the university told the BBC: "We don't have anything further to add to the statement that was already released by the Black Hat conference."

Tackling Tor

While the details of the alleged flaw have yet to be disclosed, there have been several reports of other efforts by authorities to overcome its protections.

German broadcaster ARD reported earlier this month that cyberspies at the US National Security Agency (NSA) were actively monitoring two Tor directory servers in Germany to scoop up the net addresses of people using them.

An alleged leaked list of GCHQ's hacking tools indicated that the agency had developed its own Tor browser.

And in 2013, the FBI acknowledged making use of a flaw in the Firefox browser to help it identify Tor users as part of an effort to tackle child abuse images posted to hidden sites. That exploit has since been fixed.
