I’ve heard a lot of people on the left argue that Tor is likely backdoored because it was created by the U.S. Navy for spies to communicate and is still funded by the government. Yasha Levine has written a lot about this:
- https://surveillancevalley.com/blog/tor-files
- https://thebaffler.com/salvos/the-crypto-keepers-levine
He also appeared in TrueAnon episode 50 to talk about this.
On the other hand, a lot of people in the crypto and tech community disagree with this. They believe that Tor is not backdoored for one or both of the following reasons:
- Tor is open-source and has been audited.
- The U.S. Government would never do such a thing.
They also point to a leaked NSA presentation from 2007 that admits the NSA can’t deanonymize Tor users.
What are your thoughts?
To my knowledge they have their techniques to deanonymize people, in a targeted manner, but at its core I don’t believe the protocol is backdoored.
Yeah, if I remember correctly, when the feds took down the Silk Road dude they basically had to hack a server inside the TOR network to serve exploit code that forced the browser to bypass the TOR network. There was a couple of months where everyone was freaking out because there was a sudden influx of people complaining that they were unexpectedly making unsecured requests to some server in langley or something like that.
I’m not even sure if it was a hacked server… I seem to remember them busting a hosting provider popular for TOR servers on the claim of child pornography and then suddenly all the servers owned by that provider began serving up dodgy code.
javascript exploits
To expand upon this, interested parties should look up “canvas fingerprinting.” JS HTML5 contains within it certain functions that a server can use to query information about your system, setup, and display (such as resolution of the window loading the resources, custom fonts being displayed by the system, etc.), and if your setup is weird/unique enough, it can form a “fingerprint” of your oddities which can be used to track you across the web. This is why TOR’s instructions tell you not to resize the window. If everyone runs the TOR browser at the default resolution, that is one less oddity that can be used to track individuals.
It’s not so much that they have to get into “a server inside the tor network” but they can go after users of tor hidden services if they somehow track down the server hosting that particular hidden service, but the whole system is built around making that very difficult.
Yes! Hidden services was what I was talking about. It’s been a while. :grinning face with sweat:
Those links you posted were what I was talking about. I know they claimed to have gotten the Silk Road dude over him using the same username, but I remember at the time (along with the timeline of the hack) that it all stank of parallel construction so they wouldn’t have to admit to the hack.
The U.S. Government would never do such a thing.
Hahahahahahahahahaha
I think it’s not backdoored precisely because it was created by the US Navy for spy communications. The US government knows full well that any backdoor they put in for themselves could (and, eventually, would) be found and exploited by other intelligence agencies, rendering the whole project useless for its original purpose. I’m not saying the US government has some ethical objection to lying and spying, but it’s in their best interest here to make tor as secure as they say it is.
That’s not to say it’s flawless, but I doubt the flaws are deliberate.
The encryption is probably not broken but the government can, and probably has:
The ability to detect tor traffic at the customer facing interface of an ISP, which would deanonymize tor traffic
The ability to buy thousands of tor nodes at under $100 a piece, including entry/exit nodes, and use aggregate data to determine the location and identity of webservers
The control of a lot of VPNs, which will log your usage of tor traffic
And don’t forget the cooperation of every american ISP and probably a bunch of other NATO ISPs too. Long story short, if the US gov ever has a reason to target you specifically, maybe just don’t use the internet anymore
Long story short, if the US gov ever has a reason to target you specifically,
maybe just don’t use the internet anymoreyou’re probably screwed unless you are ready and able to physically defend yourself or just leave the country.
But if you want to avoid giving them a reason to target you, tor is very useful.
This isn’t really true. All they can tell is that there is tor traffic, and tor works to make it as indistinguishable from normal ssl traffic as possible, iirc.
They can tell that a specific household is using tor, which makes it not anonymous, I said that it doesn’t mean decryption. TOR traffic does not behave like SSL traffic.
If you are referring to this, it relies on being able to fingerprint the hidden service traffic by size and frequency of packets, which is easy for the hidden service to thwart, on top of needing to operate a large quantity of not only nodes, but specifically entry guard nodes, and the algorithm for choosing has been changed over the years to limit the impact of attacks like this.
I’m not referring to that, the whole point of security at the transportation (edit meant network layer) layer is pretty much pointless when the ends are compromised, and it is very cheap to do so.
If you’re doing VPN to Proxy to TOR or whatever then TOR isn’t what’s providing you security, you’re just using it to access TOR content.
Any recommendations for VPNs? I’ve seen recommendations to make your own but that reduces to the problem of an anonymous host for it.
I don’t do anything fun over the Internet anymore so I don’t really use one. If the CIA starts guantanamoing chapo.chat users I guess I’m just fucked.
Tor is not backdoored [because] the U.S. Government would never do such a thing.
I’ve never met a cryptologist who isn’t convinced everything needs to be perfect and impenetrable because the US government could go rogue at any second. Including several who work at the NSA lol.
