Is Tor really safe? Law enforcement surveilling and unmasking users on the dark web


Law enforcement in Germany has repeatedly and successfully deanonymized selected Tor users on the dark net using a so-called “timing analysis,” according to a new investigation.

While the Tor project has tried to assure users that the network is safe, the team is calling for more information. Doubts are spreading about who really controls the network's servers.

The Tor network, used for communications and accessing the dark web, is a gold standard for online anonymity, as it bounces encrypted data through a labyrinth of servers worldwide. However, according to a new investigation by public broadcasters in Germany, its users might not be so anonymous after all.


Law enforcement agencies themselves operate servers on Tor and have developed a “timing analysis” technique to cancel out anonymity provided by the network, research conducted by the ARD political magazine Panorama and STRG_F (funk/NDR) reveals. This was once thought to be impossible.

The Tor project responded by saying that previous Onion service deanonymization attempts were possible because they relied on an old version of the long-retired application Ricochet. However, the organization does not have the documents related to the case and is calling for more information from its users.

“Like many of you, we are still left with more questions than answers – but one thing is clear: Tor users can continue to use Tor Browser to access the web securely and anonymously. And the Tor Network is healthy,” the Tor project team said in a blog post.

“For the great majority of users worldwide that need to protect their privacy while browsing the internet, Tor is still the best solution for them.”

How does Tor work?

The Tor network routes user traffic through at least three randomly selected servers, a process also known as “hopping.”

The entry node is contacted first, and it learns the user’s IP address unless a VPN is used to hide it. The data is then passed through one or more middle nodes, each of which can only learn the IP addresses of the nodes immediately before and after it in the chain. The final hop is the exit node, which sends the data to its destination on the open internet.
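To make the “each node sees only its neighbours” property concrete, here is a toy three-hop onion circuit added as an illustration; it is not Tor's code. Tor negotiates per-hop keys with the ntor handshake and encrypts cells with AES-CTR; this example substitutes a SHA-256 keystream XOR so it runs on the standard library alone, and the relay names, keys and addresses are made up.

```python
"""Toy onion circuit: client wraps a message in one layer per relay, each relay
peels exactly one layer and learns only where the cell came from and where it
goes next. Constructed example, not Tor's real cell format or ciphers."""
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || counter) blocks.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(path, keys, destination, message) -> bytes:
    """Innermost layer (for the exit) carries destination and plaintext;
    every outer layer only names the next hop and carries the ciphertext."""
    layer = json.dumps({"to": destination, "msg": message}).encode()
    cell = keystream_xor(keys[path[-1]], layer)
    for i in range(len(path) - 2, -1, -1):
        layer = json.dumps({"next": path[i + 1], "payload": cell.hex()}).encode()
        cell = keystream_xor(keys[path[i]], layer)
    return cell


def run_circuit(client, path, keys, destination, message) -> dict:
    """Forward the cell hop by hop and record what each relay can observe."""
    observed = {}
    cell = build_onion(path, keys, destination, message)
    prev = client
    for relay in path:
        layer = json.loads(keystream_xor(keys[relay], cell))
        if "next" in layer:  # guard or middle: sees prev and next hop only
            observed[relay] = {"prev": prev, "next": layer["next"], "plaintext": None}
            cell = bytes.fromhex(layer["payload"])
        else:  # exit: sees destination and plaintext, but not the client
            observed[relay] = {"prev": prev, "next": layer["to"], "plaintext": layer["msg"]}
        prev = relay
    return observed


if __name__ == "__main__":
    keys = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}  # constructed
    for relay, seen in run_circuit("203.0.113.7", ["guard", "middle", "exit"],
                                   keys, "example.org", "hello").items():
        print(relay, seen)
```

Only the guard sees the client address and only the exit sees the destination and plaintext, which is exactly why an observer who controls the guard (or watches its traffic) is the point of interest in the reporting above.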

Currently, fewer than 8,000 servers act as relays and bridges in the network. According to Tor Metrics, more than 2,000,000 users rely on them to anonymize their connections.


Tor is a tool for circumventing censorship and protecting privacy and freedom of speech. It’s widely used by journalists, whistleblowers, political dissidents, and other activists who may face persecution for their views. However, it is also exploited for criminal purposes, such as drug trafficking, illicit content distribution, cybercrime, terrorism, and others.

What does the report claim?

According to German media, law enforcement agencies have begun collaborating with each other and infiltrating the network in order to expose criminals.

They’ve been surveilling individual Tor nodes for years and applying so-called “timing analysis” to time individual data packets and trace them back to the particular Tor user.

Panorama and STRG_F's research claims that German police successfully identified Tor nodes used by the pedo-criminal darknet platform Boystown. This led to the arrest of administrator Andreas G, who used the chat service 'Ricochet.'

The police identified the entry servers, and the district court obliged the telecom company to identify the customers who connected to them.

Reporters spoke to sources who informed them about the widespread monitoring of Tor servers for “timing analyses.” The more nodes the authorities can access, the more likely the Tor users are to connect to the internet via monitored ones.

So far, there is no suggestion that the Tor Browser itself was compromised, and the Ricochet software has since been improved.

Tor node operators are also not safe from the investigators.

In August, German police raided a Tor-linked group called Article 5 eV in a bid to uncover Tor network users. The non-profit operates some of the Tor network’s exit nodes.


“There are obviously still people working in German law enforcement today who think that harassing a node-operator NGO would somehow lead to the de-anonymization of individual Tor users. At least that is what they claim in the paperwork,” Gero Kühn, the leader of the group, then said.

Distrust spreads over who runs Tor servers

The 8,000 servers comprising the Tor network suddenly look less than impressive to users on the Hacker News forum.

“Let's say I, as a private individual, fund 1000 Tor nodes (guard and exit nodes included) and have them all log everything. This could cost less than $5000 for a month, with some time needed to get guard node status,” one member posted.

Others argued that it could cost even less.

“Easily within the budget of the US, Russia, China, Israel, etc. I wouldn't be surprised if a majority of nodes are run by intelligence agencies,” another user posted.

Tor project asks its users for more information

For now, the Tor project encourages users to keep the software up to date.

“From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack. This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the Vanguards add-on, which were introduced to protect users from this type of attack,” the organization explains.

On September 16th, the Tor project informed users about the upcoming news story concerning a potential deanonymization attack on Onion Services.


The reporters claimed to have “evidence that shows that in several cases German law enforcement authorities were able to locate the Tor entry node of onion services and thus successfully deanonymise Tor users. V2 and V3 onion addresses were affected at least between Q3/2019 and Q2/2021.”

The Tor project team is seeking more information about the alleged deanonymization attacks.

“Given the potential risk to our users, we decided to go public. We requested that anyone with additional information about the case share it with us,” the organization said.

The Tor Project noted that the network has over 2,000 exit nodes available and encourages volunteers to contribute bandwidth and relays.

“While it is fair to question the concentration of these nodes in certain countries or operations, this has very little to do with the described attack from what we learned in the articles published so far,” the blog post reads.

“The Tor Project knows that diversity of relays is a pressing issue for the Tor community.”

We don’t know what new tools law enforcement might have

According to the Cybernews research team, only the officers working on de-anonymization operations can fully understand the capabilities of their tools, as crucial details weren't shared publicly.

“It seems they used old, known attacks and vulnerabilities for timing analysis and attempted to host a lot of nodes themselves. Both of these tactics were known in the Tor community for a while and, in some cases, prompted additional technical and operational security solutions,” our researchers noted.

“The deanonymization method used appears to rely on vulnerable and outdated clients and long connections to Tor services. According to the Tor Project, a fix for this type of attack was implemented two years ago at a similar time when the described deanonymization operations took place. The vulnerable chat client used by the deanonymized user is no longer supported.”


However, we’re also in the dark about the state-of-the-art capabilities law enforcement might use now.

“If they released this information, maybe they now rely on some other, new method,” researchers said.