Why Tor Isn’t Secure

Tor has consistently been known as a safe way to access the internet when privacy is essential. Whistleblower Edward Snowdon famously used Tor aka The Onion Router when collecting top secret documents and leaking them. The project has relied on government grants for many years. In 2015, it was estimated that the U.S. government made up 90% of the financial backing.

Things began to change following allegations that researchers at Carnegie Mellon were paid by the FBI to crack Tor in 2015. Tor is moving on, relying less on government backing and more on individual donors. However, the browser may no longer be the king of privacy it once was, and may no longer be secure.

Tor Browser Is a Popular Choice among Journalists and Cybercriminals

Tor Browser has been a popular choice among journalists and cybercriminals. The browser is used by anyone who wishes to keep their browsing activities to themselves or gain access to the dark web.

Tor is commonly used alongside a virtual private network (VPN), with the two helping to maintain both privacy and security online. However, it has been demonstrated that the browser is not beyond being hacked.

Judge Confirmed DOD Hired CMU Researchers

In 2016, reports came to light that a judge in Washington had given confirmation that the Department of Defense had hired researchers at the Carnegie Mellon University to look into breaking into Tor.

Vulnerabilities Allowed Researcher to Identify Tor Users 100% of the Time

In 2014, researcher Sambuddho Chakravarty from the Columbia University revealed he had come across a vulnerability that enabled him to identify the users of Tor 100% of the time. This was following research conducted in a lab experiment.  Chakravarty went on to talk about how 81.4% of users could be identified in real-world tests. Even more worrying was the fact that the method used by Chakravarty relied on a vulnerability that is found in just about all commercial routers. All that is needed is statistical analysis to reveal who is who.

Chakravarty said anyone with a little knowledge, the FBI or NSA included, could set up a typical honeypot trap and discover identities of users 81% of the time.

The Software Evolved In 2018 Despite Concerns It Is No Longer Safe to Use

In September of 2018, Tor for Android was released along with Tor Browser 8.0. The software keeps evolving despite concerns that it may no longer be safe to use. Around two million individuals around the world currently use the software.

In the same year “Zerodium”, a company who buys unknown software vulnerabilities then goes on to sell them to the government, revealed details on Twitter about vulnerability.

They purchased details about the flaw in the Tor browser, sharing the information with government customers. The company disclosed the exploit and circumvented the critical security aspects of Tor browser.

Those behind Tor were quick to point out that the new browser does not possess this flaw. However, with the revelation of the flaw, some people will always have doubts about the security of the browser.

While the new browser is not affected by the vulnerability, it may be possible that Zerodium has other exploits that will affect the security of the latest browser. In 2017, the company put up a sum of $250,000 for any details about vulnerabilities related to Tor.

Are There Vulnerabilities in Tor Browser 8.0?

Security researcher “x0rz” also spoke out about the vulnerability saying that it was easy to reproduce.

The researcher went on to say that as Zerodium had revealed the vulnerability it was conceivable they knew about others that affected the security of Tor browser 8.0. This is a revelation that is causing panic among users of Tor.

The Tor Project Offer Cash for Information about Security Issues

It seems that even those behind the Tor Project have concerns about security issues with their software. They ask users to report bugs and issues with the browser and offer bounty in return.

They offer up to $4,000 to anyone who finds security bugs that mean users are compromised or deanonymized. Even they are admitting that there is the possibility of Tor Browser not being secure and hackable.

The points above build a picture as to why Tor isn’t secure. If you want to keep your online activities to yourself, you might be better off just using a VPN to hide your IP address.

Additional sources: