Security researchers claimed to have found a way to reveal Tor users' identities
The co-creator of a system designed to make internet users unidentifiable
says he is tackling a "bug" that threatened to undermine the facility.
The Tor (the onion router) network was built to allow people
to visit webpages without being tracked and to publish sites whose
contents would not show up in search engines.
Earlier this month two researchers announced plans to reveal a way to de-anonymise users of this "dark web".
They were later prevented from talking.
Alexander Volynkin and Michael McCord - two security experts
from Carnegie Mellon University's computer emergency response team
(Cert) - had been scheduled to reveal their findings at the Black Hat
conference in Las Vegas in August.
However, a notice published on the event's website now states
that the organisers had been contacted by the university's lawyers to
say the talk had been called off.
"Unfortunately, Mr Volynkin will not be able to speak at the
conference since the materials that he would be speaking about have not
yet [been] approved by Carnegie Mellon University/Software Engineering
Institute for public release," the message said.
The details of the "flaw" in Tor were due to be revealed at a conference in Las Vegas
Roger Dingledine, one of Tor's creators, subsequently posted a message to a mailing list confirming that he and his colleagues had "no idea the talk would be pulled".
But he added that the Tor Project - the organisation that
provides free software to make use of Tor - had been "informally" shown
some of the materials that would have been presented.
"I think I have a handle on what they did, and how to fix it," he added in a follow-up post.
"We've been trying to find delicate ways to explain that we
think we know what they did, but also it sure would have been smoother
if they'd opted to tell us everything.
"Based on our current plans, we'll be putting out a fix that
relays can apply that should close the particular bug they found. The
bug is a nice bug, but it isn't the end of the world."
Illegal activity link
Tor was originally developed by the US Naval Research
Laboratory and was later funded by the Electronic Frontier Foundation
digital rights group, Google and the US National Science Foundation,
among others.
It attempts to hide a person's location and identity by
sending data across the internet via a very circuitous route. Encryption
applied at each hop along this route makes it very hard to connect a
person to any particular activity.
Its users include the military, law enforcement officers and
journalists - who use it as a way of communicating with whistle-blowers -
as well as members of the public who wish to keep their browser
activity secret.
But it has also been associated with illegal activity.
The description given for the pulled talk itself noted that Tor "has also been used for the distribution of child pornography, illegal drugs, and malware".
The FBI previously made use of a separate flaw in Tor to identify suspects
The researchers had promised to reveal how a piece of kit worth
$3,000 (£1,760) could be used to "exploit fundamental flaws in Tor
design and implementation" to reveal the internet address of its users
and the computer servers used to host their hidden services.
"We know because we tested it in the wild," they added.
Christopher Soghoian, a tech expert at the American Civil Liberties Union, has speculated that
the university might have feared the risk of a criminal prosecution or
being sued by Tor users who felt their privacy had been violated.
"Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes," he tweeted.
However, a spokeswoman for the university told the BBC: "We
don't have anything further to add to the statement that was already
released by the Black Hat conference."
Tackling Tor
While the details of the alleged flaw have yet to be
disclosed, there have been several reports of other efforts by
authorities to overcome its protections.
German broadcaster ARD
reported earlier this month that cyberspies at the US National Security
Agency (NSA) were actively monitoring two Tor directory servers in
Germany to scoop up the net addresses of people using them.
An alleged leaked list of GCHQ's hacking tools indicated that the agency had developed its own Tor browser.
And in 2013, the FBI acknowledged making use of a flaw
in the Firefox browser to help it identify Tor users as part of an effort
to tackle child abuse images posted to hidden sites. That exploit has
since been fixed.
info: http://www.bbc.com