Latest in Browser

Image credit:

Tor users' IP addresses can be identified by exploiting routers

Mariella Moon, @mariella_moon
November 18, 2014
Share
Tweet
Share

Sponsored Links

The fact that feds have seized Silk Road 2.0 and a bunch of other shady websites hiding behind Tor's technology proves that the browser doesn't provide the perfect cloak of anonymity. Now, a series of studies conducted between 2008 and 2014 gives us a clearer idea of just how vulnerable the browser is. The researchers involved claim to have de-anonymized the IP addresses of all Tor users in a lab setting -- and over 81 percent of actual users in the wild. According to one of the papers published by Sambuddho Chakravarty, former researcher at Columbia University's Network Security Lab, he and his colleagues managed to get through Tor's defenses by exploiting the default traffic analysis software built into routers. In Cisco routers, for instance, it's a program called Netflow.

Here's how his team did it, in simple terms: they repeatedly injected typical HTML files a Tor user would access into a router's connection. Since Netflow was designed to break down and analyze traffic depending on what you use the internet for (say 25 percent email and 50 percent web browsing), they could check who accessed those HTML files and get their IP addresses. He's convinced that a large organization (like, well, the government) can easily uncover the identities of Tor users if it wanted. In fact, he says one doesn't even need the resources of a powerful organization to do so, as a single autonomous system programmed to de-anonymize Tor clients can monitor up to 39 percent of the browser's traffic.

Jayson Street of Pwnie Express advises people to rely not just on one method if they truly want to be anonymous on the internet. As he told International Business Times:

End users don't know how to properly configure it -- they think it's a silver bullet. They think once they use this tool, they don't have to take other precautions. It's another reminder to users that nothing is 100 percent secure. If you're trying to stay protected online, you have to layer your defenses

If you don't mind sifting through scientific lingo and want to know the details about Chakravarty's methods, you can check out a paper (PDF) he published with colleagues while he was still at Columbia.

In this article: browser, security, Tor
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
Tweet
Share

Popular on Engadget

Jabra's ANC update for the Elite 75t earbuds is now available

Jabra's ANC update for the Elite 75t earbuds is now available

View
NASA shares first images from OSIRIS-REx's touchdown on Bennu

NASA shares first images from OSIRIS-REx's touchdown on Bennu

View
The Morning After: 2020 iPad Air review, and RIP to Quibi

The Morning After: 2020 iPad Air review, and RIP to Quibi

View
Hummer EV 'supertruck' has a UI built on Unreal Engine and runs Android

Hummer EV 'supertruck' has a UI built on Unreal Engine and runs Android

View
Apple iPad Air (2020) review: Who needs the iPad Pro?

Apple iPad Air (2020) review: Who needs the iPad Pro?

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr