Has Tor been bugged by the NSA?

Last week I recommended people use Tor to anonymize their Web surfing. Some people think that's a dangerous idea.


Many sites like Google and Facebook allow you to connect using Secure Socket Layer (SSL), which is indicated by the https: in the URL address bar, and millions more have followed suit. The NinjaStik uses HTTPS Everywhere, a free browser extension developed by the Electronic Frontier Foundation that uses secure Web connections by default when available.

But there’s an exception here too. A very clever spook can strip out the SSL encryption but fool you into thinking it’s still there, as has been demonstrated by uber security geek Moxie Marlinspike, who despite that name is not actually a Marvel Comics supervillain.

There’s a 48-minute video of Marlinspike describing the hack here, if you’ve got the time. Frankly, the hair alone is worth it.

So is Tor safe?

Yes, says Andrew (no last name given) of the Tor Project, when I asked him.

Not necessarily, says Ashkan Soltani, independent security researcher of note.

“It ultimately depends on your threat model,” says Soltani. “Tor gives you one level of anonymity -- which is IP anonymity.  It doesn't protect you from rogue exit nodes, transport layer security (sniffing on the entry/exit nodes), or correlation attacks from a very 'all seeing' adversary.”

You can look those up yourself, my brain is starting to throb.

To summarize, using Tor doesn’t protect you against any and all threats. Then again, nothing on this planet does. A determined adversary could theoretically defeat it. (Though if the spooks were that determined to spy on you in particular, they’d probably just secretly install a keylogger on your computer and capture everything you type.) In the overwhelming majority of cases, though, Tor is clearly more secure than going naked into the InterWebs.

Remember, Tor is an onion, which means it is very much like Shrek.

Any more questions?

Join us:






Answers - Powered by ITworld

Ask a Question