Tor is having a bit of a crisis, as it's become increasingly clear that the wildly popular network isn't the internet invisibility cloak it was once thought to be. Don't panic. It's not perfect, but it's still the best we've got.

The Tor network is the most popular way to get online anonymously, and that's not going to change in time in the short term. But the service has been rollicked in recent months. A wave of busts that brought down 17 illegal enterprises hidden behind the Tor network last month illustrated that though Tor is largely safe, it's more vulnerable than the average user wants to admit.

The service has also been attacked by reporters who feel the system is compromised because it was originally developed by the U.S. Navy, and because some of the developers behind it have worked with the government before. In a post on Pando, Quinn Norton does a nice job dispelling the myths surrounding Tor's federal ties, which basically comes down to: No level of government interaction can undermine the basic math of encryption.

And Tor's encryption is solid. For those unfamiliar, Tor is software that conceals the location of users and web servers by firing traffic through a global network of relays. It's an ingenious system that for years facilitated basically untraceable internet activity, both illegal and otherwise. It's been used to traffic weapons and drugs, circumvent censorship, and conceal the identity of whistleblowers like Edward Snowden. If you're not using Tor, your location and activity is constantly being tracked. With Tor, the pitch goes, you're basically invisible.

That sense of security was undermined when an international coalition of agencies including the FBI, Immigration and Customs Enforcement, and Department of Homeland Security (in the U.S.) and Europol and Eurojust (in Europe, duh), laid the smack down. The highest profile bust brought down the drug marketplace Silk Road 2.0 and its alleged proprietor Blake Benthall, but it included a total of 17 people and 27 sites, all of whom had put misguided faith in Tor's ability to mask their online dealings.

But how did it happen? Did the agencies crack the anonymous network? A blog post on the Tor Project's website a few days after the attack was quite frank about the organization's ignorance:

So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services.

The post went on to outline myriad ways that law enforcement might have tracked down the operators of illegal websites and the location of their servers. One-by-one, Tor listed vulnerabilities that might have been exploited. They range from technical ways to exploit the code base to unmask users to capturing relays and analyzing their traffic, or even infiltrating the organizations that were running the sites.

What's most striking about Tor's reaction is that the people in charge are completely aware of its vulnerability. The Tor Project operates much like other open source efforts you're probably more familiar with, like Mozilla's Firefox browser or Google's Android operating system. This is admittedly an oversimplification that will horrify developers, but the point is that like those projects Tor evolves thanks to the contributions of an open community. (In fact, the Tor browser is based on Firefoxand it's where it gets one of its known bugs.)

Original post:

Tor Is Still Safe