The NSA documents provided by Snowden detail what the Guardian story calls "proof-of-concept attacks" on Tor. One technique is for the agency to look for patterns in the signals entering and leaving the Tor network, then trying to de-anonymize users. The documents also discuss the NSA secretly operating computer nodes in the Tor network, but the success of that effort was "negligible" because the agency has access to few nodes.
The documents also talk about efforts by the NSA and the U.K.'s GCHQ intelligence agency to influence the future development of Tor.
The story details efforts by the NSA to compromise Tor users through Firefox, but the NSA's documents say Mozilla fixed the vulnerability the agency was taking advantage of in Firefox 17, released in November 2012. The NSA had not been able to compromise users of Firefox 17 and later versions between late 2012 and this January, when the NSA documents were written, the Guardian story said.
Mozilla, in an August blog post, said it is investigating a vulnerability in older versions of Firefox. A spokeswoman declined further comment.
Roger Dingledine, director of the Tor project, its "good news" for the project that the NSA attacked with a browser exploit,
That means "there's no indication they can break the Tor protocol or do traffic analysis on the Tor network," he said in an email. "Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard."
Even with the NSA attacks, Tor can still help protect anonymity, he added. "You can target individuals with browser exploits, but if you attack too many users, somebody's going to notice," he said. "So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on."
But Tor won't keep users safe in all cases, he added. "Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average Internet user," he said. "These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other Internet-facing applications."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
Follow Grant Gross on Google+
