Tor's Privacy Problems

Technology developed to protect privacy may actually threaten it

4:15 PM -- People have an innate need to feel secure in their privacy. Our founding fathers built the United States on the understanding that people should be able to revolt and overthrow any government that oppresses them. Over time, Americans have lost more and more privacy rights as new laws have crept in. Fear of government, however, has never been lost.

The Internet has evolved in a similar fashion. For years it was unregulated, and largely unwatched. That all changed with the introduction of Echelon, the super-secret global Internet eavesdropping infrastructure purported to be operated by a number of countries. Still, people latched onto the idea that the Internet should be an anonymous network. Then along came Peek-a-booty.

In an effort to rebel against corporate culture -- and even against government's prying eyes -- a small band of hacktivists invented a tool called Peek-a-booty to allow semi-anonymous, point-to-point relay of information, evading IP blocks. This led to the concept of onion routing, now better known as Tor.

Tor is one of the most widely used privacy tools today, because it obfuscates the origins of packets. However, there are many problems with it.

Not only can Tor be de-anonymized, but browsers use cookies that attackers can leverage to identify users who switch back and forth between Tor sessions; for example, users often forget they are sending the same cookies to sites like Google Analytics. Worse yet, there are rumors that a man-in-the-middle attack on the Tor exit nodes caused the recent loss of 100 embassy usernames and passwords. You can bet there are a lot more losses where that came from.

There's also evidence that many free, open proxies found commonly on are simply logging infrastructures designed to steal personal information from users.

All of these issues suggest a great irony: In an effort to secure ourselves, we have created "funnels" through which we are easily surveilled and logged. Perhaps it's time to re-think our privacy strategies.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F* Special to Dark Reading
