AfterDawn: Tech news

Tor is not 'cracked'

Written by James Delahunty (Google+) @ 03 Mar 2007 18:18 User comments (6)

Tor is not 'cracked' Regardless of the massive amounts of news sources and blogs that interpreted research on The Onion Router (TOR) as the meaning it was "cracked", it remains a safe (perhaps the safest) way to gain anonymity while browsing and doing many other things online. Security research done by University of Colorado computer science instead tested a previously known vulnerability in the lab.
The developers of TOR responded to the blog response, with one member of the team saying, "Blogstorms can have real world consequences. Please ponder before you write, critically examine what you read, and ask us for updates." Tor anonymizes web traffic basically by routing data from the sender, through several nodes before it gets to the receiver.

A weakness that could be exploited in Tor is how the protocol tends to route traffic to devices which claim to have high amounts of bandwidth available. By modifying the software, a malicious user could attract more traffic through the network, and by setting up several of these servers, the chances that two could be included on the same path are increased.

If two malicious servers are included at the start and end points in a path, it becomes possible to identify the sender and receiver of the communications passing through. The original research team noticed the huge reaction to the news, and so posted an FAQ and claimed, "Tor is the most secure and usable privacy-enhancing system available".

This particular attack has never been seen outside of the lab and the team made suggestions on how to combat it. The suggestions include comparing bandwidth claims made by routers against observed performance and implementing "location diversity". Tor is used for many purposes, including providing Internet users in censored countries with a way to access any information and also sometimes to anonymize activity on P2P networks.

Ars Technica

Previous Next  

6 user comments

13.3.2007 21:39

I've read about TOR. But, have yet to try it out.
Seem like a good bunch. Good looking out.
Anyone know if you can route a client directly through them like a vpn?

23.3.2007 22:22

you can route just about anything over it. For true security it requires TOR + Privoxy (to insure that your DNS search query is not traceable back to you. For example if you type your DNS query will bypass your web browser and then a 'spy' could see the site you looked up and figure out which 'hit' was you and see what you were up to-- so the theory goes.)

With TOR you jusdt point your utilities to it or to privoxy (localhost xxx:xxx) and it does the rest. There are work arounds for using just about anything except I believe most p2p software which uses different transfer protocols.

But with a VPN you can tunnel content and so once the connection is made nobody not even your ISP could decrypt what was being transmitted. Though of course they could still where where you were communicating to, so yeah tor would/could be ideal with VPN as well.

Look at and check it out!

34.3.2007 8:35

Thanks, I will.

44.3.2007 8:38

tor automaticly routs traffic over international boundries. the hacker would have to set up two middle nodes in diferent countries (or spoof it) and even then whos to know that theyll get you, they cant control who get connected to them they can just control how many people get connected to them. they would need MASSIVE amounts of bandwidth for this to actualy work. if you just spoof having bandwith then yeh youll get a whole shit load of people tryng to pass through your middle nodes, but im sure the people would jsut refresh when they saw how increadibly slow it was going. of course they might just get routed to that middle node every time if the hacker is showing enough bandwidth.

i guess a way to avoid this would be to make sure your getting a very high download and upload speed, and to switch paths if you are going realy fucking slow, something i do anyway.

for absolutly true anonymity without even hiding anything gte what i call a "ghost" comp. just buy a beater laptop in an untracable way (with cash, not over the net, at a store without security cameras). dont register anything over it, and only use it on other peoples wifi. there you go, totaly untracable. its called ip surfing.

54.3.2007 16:28

still beung a newbe to tor. couldnt a dictator use this as a hacker was to track his own people or any random government agency?if the nodes were in place on all out bound traffic then wouldnt monitoring of the people be cappable?whats to say governments arnt doing it already?the way the RIAA is starting to mix buzness with governmental ties buy using the USa government to track site and those axcessing them?

66.3.2007 7:14

the us government practices whats called "full pipe recording" wich means they record all trafic, both in and out, on a hub at a time. im asuming a hub is an ISP, not a Central server but who knows. then after that they use software to pull out all things that they want to look at like google queeries for "bomb instructions" or stuff like that. they look at emails and IM convos too. now... the us navy is the one who made tor so im pretty sure the us government has machines that can decrypt tor. you dont have to worry about any of that though because they are looking for terrorism, and if what you are doing doesnt pertain to terrorism then they cant bother you. they cant pass any of the info to anyone else ether. im sure they dont care about people talking about small amounts of drugs or downloading, unless they are some way tied to terrorism.

obviously if you are not in the hub being full pipe recorded then you have nothing to worry about. if you are comunicating with a middle tor jump thats inside a hub thats being recorded then they will be able to see where the origin of the traffic is comming from if there isnt another middle tor server in between you.

bottom line, i seriously wouldnt mind shotting every last zelot in the us government that passed this horrably intrusive and constitutionaly illegal surveilence practice, but i seriously woulndt mind shooting any asshole on american soil whos planning on making a bomb or funding terrorism. so as long as they dont bother normal people im sorta ok with it.

Comments have been disabled for this article.

News archive