For legitimate users, the findings mean a malicious hacker could potentially invade their privacy. For those who use Tor to mask fraudulent activity, however, it means investigators could develop the means to uncover their tracks.
The report (.pdf) explains how hackers could compromise the system's anonymity by interfering with traffic passing through Tor's exit server.
Andrew Christensen, a FortConsult researcher and lead author of the report, said his firm started researching the issue after Tor was used in some high-profile hacking cases.
"After one of these cases, the Danish police agency that had jurisdiction stated that because Tor was used, it was pretty impossible to track the people behind the attacks," Christensen said in an email interview. "We didn't think this was the case, so we wanted to demonstrate exactly how tracking criminals that are using Tor can be accomplished."
He said his team started by setting up a Tor node; analyzing the traffic going through it by protocol, destination and software used; and studying how the Tor network is designed.
"To accomplish what we wanted, we needed to do a lot of research into browser-side security, since we are actually leveraging several weaknesses in browser design to unmask Tor users," he said. It's ultimately the flaws in browser-based applications that make it possible to expose IP addresses, not weaknesses within Tor itself, the researchers concluded.
"We believe we have demonstrated that it's entirely possible -- even practical and easy -- to unmask a good portion of the traffic transiting Tor, since it is being viewed using Firefox and Internet Explorer and is transmitted in cleartext," Christensen said.
Arrigo Triulzi, a handler for the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote on the organization's Web site that the report is worrisome.
He noted that the Tor network, also known as the Onion Router, is a perfect example of dual-use technology: "It can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower, but at the same time it is sadly ideal for various nefarious uses," Triulzi wrote.
While the techniques his team used to unmask users are reliable, Christensen said they're not foolproof. He said Tor users can blunt these techniques by:
- Ensuring that Tor resolves name addresses.
- Using SSL, as it makes the traffic harder to manipulate.
- Using Lynx or other text-based browsers when possible.