There is no absolute security: how secure is the Tor anonymization service?

The Tor browser is used to buy and sell drugs on the dark web, but there are also people whose freedom and even lives depend on the operation of the software. This is why a particularly critical look at the promise of anonymity is necessary.

Work on this fraught technology began in the mid-1990s at the U.S. Military Research Laboratory. Today, Tor is an unusual joint project of global digital civil society and the U.S. government. Civil society provides the infrastructure: the obfuscating nodes that make up the Tor network. For civil society, Tor is the most important counter to authoritarian intervention on the Internet.

The Tor browser allows people to browse the Internet anonymously and to circumvent censorship; in Tor's dark web, addresses can neither be deleted nor located. The technology was developed by The Tor Project, an organization traditionally funded by the U.S. government. Strictly speaking, the technology is vulnerable to attackers with vast resources. How solid is the protection of the Tor browser, and can the anonymity technology be broken?

Human Vulnerability

Careless behavior can cause problems: you use the Tor browser, but log in to a social network or email service with a profile you also use in other contexts. Or you install arbitrary browser extensions. Tor Browser is based on Firefox, which has hundreds of useful extensions that can be used, for example, to take screenshots or block ads.

Some of these plugins have been checked by Firefox and found to be safe. However, it is possible to bring malware into the Tor browser through commercial extensions, and, as has happened in the past, plugins may log browser usage and sell the information they collect.

Security Vulnerabilities and Backdoors

Tor software may contain security vulnerabilities. Because the Tor browser is a modified version of the Firefox browser, vulnerabilities in Firefox can also affect Tor's security. Every once in a while, the Tor Browser prompts you to install an update. In most cases, the update is to fix a security vulnerability that has been discovered. Such vulnerabilities may have been placed intentionally or may have entered the software inadvertently. A common answer is that this cannot happen with Tor because the software is open source: the code is publicly available and can be checked for flaws or even backdoors. However, in practice, this does not provide absolute protection.

Only a small percentage of people are able to program or evaluate complex program code. Because of the particular character of the Tor community, its program code is nonetheless considered very secure: "With Tor, many people actually look at the code regularly and check it independently of the Tor project. Tor was and still is strongly university-based. This is why Tor is different from many other free software projects, where it is not clear that there is actually independent review of the code base."

Indeed, Tor is the darling of the academic community. In scientific research, every conceivable attack possibility against Tor is played out and openly discussed.

Tor is a "honeypot"

For all "digital self-defense" technologies - including email encryption in addition to Tor - there is a debate as to whether they involuntarily act as "honeypots": as a social filter through which people inadvertently draw attention to themselves. By using the Tor browser, people show that they care more than others about protecting their communications - and they may therefore be of particular interest to surveillance. This conundrum exists, and it cannot be solved. It will exist as long as only a few people use encryption and anonymity.

The browser and its "fingerprint"

The Tor browser does a good job of preventing surveillance by IP address. It also protects against another typical browser data source: cookies. Most websites leave small pieces of data in your browser when you visit them, containing information about your respective site visit. The next time you visit the site, this information can be read out again and used, for example, to build a record of the user's surfing behavior. Websites can still set cookies in Tor Browser, but their effect is short-lived: when the Tor browser is closed, it deletes all cookies.

However, the Tor browser offers little protection against another, more sophisticated and particularly cunning technology: browser fingerprinting. With this method, the visited website calculates a technical fingerprint from various software and hardware characteristics of the PC or smartphone. By combining these characteristics, the device can be identified and tracked across the web, with an accuracy that depends on how distinctive the fingerprint is.

When surfing the web, each browser sends some basic information to the website by default, for example, the browser's language settings. In addition, websites can read out other attributes, such as which fonts are installed in the browser, or how tall and wide the screen is. In particularly brazen browser fingerprinting, specific components of the device are also probed: without anyone noticing, an invisible graphic or an inaudible sound is generated in the browser. Since each device's graphics and audio hardware has minimal deviations, each rendered graphic and each sound also carries device-typical deviations - just as each typewriter's typeface is unique. With this approach, it is possible to accurately identify the device and thus the user - even if the browser disguises the IP address and deletes cookies by default.

Research on browser fingerprinting is still scarce. This method is often used not by the visited websites themselves, but by embedded third parties, such as ad networks or analytics services. Tor Browser tries to defend against this, for example by masking the actual screen size.

However, in standard mode, it cannot counter most fingerprinting elements. Targeted reading of device properties, such as probing the graphics and audio components, is done via JavaScript - which therefore also provides a gateway for surveillance. The only effective protection against aggressive fingerprinting is to deactivate JavaScript. Tor Browser offers three security levels. In "Standard" mode, JavaScript works everywhere. In "Safer" mode, the browser asks you when a site generates images or sounds. In "Safest" mode, JavaScript is completely deactivated.
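As an added illustration (not code from the original article or from the Tor Project), the following Python toy measures how identifying a set of browser attributes is across a small population, and how much that shrinks when every browser reports the same values, which is what Tor Browser's masking aims for. The visitor records and the "uniform" values are constructed assumptions, not real measurements.

```python
import math
from collections import Counter

# Constructed visitor records (not real measurements): attributes a site can read
# without any device probing (language, screen size, installed-font count, timezone
# offset). Visitors 0 and 4 deliberately share identical values.
VISITORS = [
    {"lang": "en-US", "screen": "1920x1080", "fonts": 212, "tz": -5},
    {"lang": "en-US", "screen": "1366x768",  "fonts": 180, "tz": -8},
    {"lang": "de-DE", "screen": "1920x1080", "fonts": 95,  "tz": 1},
    {"lang": "en-GB", "screen": "2560x1440", "fonts": 150, "tz": 0},
    {"lang": "en-US", "screen": "1920x1080", "fonts": 212, "tz": -5},
    {"lang": "fr-FR", "screen": "1440x900",  "fonts": 120, "tz": 1},
    {"lang": "en-US", "screen": "1920x1080", "fonts": 140, "tz": -5},
    {"lang": "ja-JP", "screen": "1920x1080", "fonts": 300, "tz": 9},
]
ALL_ATTRS = ("lang", "screen", "fonts", "tz")

def fingerprint(visitor, attrs):
    return tuple(visitor[a] for a in attrs)

def anonymity_sets(population, attrs):
    """How many visitors share each fingerprint (larger sets = better anonymity)."""
    return Counter(fingerprint(v, attrs) for v in population)

def mean_identifying_bits(population, attrs):
    """Average surprisal in bits: how much a fingerprint narrows down who you are."""
    sets = anonymity_sets(population, attrs)
    n = len(population)
    return sum(-math.log2(sets[fingerprint(v, attrs)] / n) for v in population) / n

def unique_fraction(population, attrs):
    """Share of visitors whose fingerprint is unique in the population."""
    sets = anonymity_sets(population, attrs)
    return sum(1 for v in population if sets[fingerprint(v, attrs)] == 1) / len(population)

def uniform_like_tor_browser(visitor):
    """Assumed, simplified model of Tor Browser's masking: every user reports the same
    language, a rounded window size, the bundled font set and UTC."""
    return {"lang": "en-US", "screen": "1000x1000", "fonts": 42, "tz": 0}

if __name__ == "__main__":
    print(mean_identifying_bits(VISITORS, ALL_ATTRS), unique_fraction(VISITORS, ALL_ATTRS))
    masked = [uniform_like_tor_browser(v) for v in VISITORS]
    print(mean_identifying_bits(masked, ALL_ATTRS), unique_fraction(masked, ALL_ATTRS))
```

With all four attributes, six of the eight constructed visitors are unique; once the values are uniform, every visitor shares one fingerprint and the attributes carry zero identifying bits.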

The Art of Association

Tor redirects data traffic, but does not change it. As a result, the data flow for each Tor obfuscation route looks the same on all subroutes - from the Tor browser to the first node, from node to node, and from the last node to the website or dark web page.

This makes possible a form of attack known as "end-to-end confirmation". A Tor user can be de-anonymized if the attacker observes the first segment (between the user and the entry node) and the last segment (between the last node and the website or dark web page) and can establish that both belong to the same obfuscation route. This requires two steps. First, the attacker looks at all the data streams entering and leaving the Tor network within a time window of a few milliseconds. Then he tries to match these streams to each other.

Just like in the card game "memory," the attacker looks for pairs that belong together. To find them, one compares technical patterns. When a website is visited, the required information is sent in a series of small packets. Web pages and their sub-pages have different sizes and contain different elements. As a result, they generate different patterns during transmission. If two matching patterns are found, it is obvious: data stream one and data stream two are part of the same Tor obfuscation route. De-anonymization has worked.

In principle, Tor cannot protect itself from such attacks. Tor's own list of frequently asked questions states: "It is possible for an observer who can see you and the target site or your Tor exit node to link your traffic into and out of the Tor network. Tor does not provide protection against this threat pattern."

Site Fingerprinting

In an end-to-end confirmation attack, one matches incoming and outgoing Tor data streams. This correlation requires an intelligence agency with very large resources. For another type of attack, called "site fingerprinting," all that is needed is a local attacker who sees only the connection between the user and the first Tor node. This could be, for example, an Internet service provider or a security agency with access to its data.

With site fingerprinting, the observed data stream is matched against a database prepared in advance. The attacker uses the Tor browser to call up the thousands of websites he wants to monitor, calculates their technical fingerprints during the data transfer, and stores them in the database. When the "real" user's data stream is then observed, a comparison with the database is sufficient. If the pattern of the data flow is contained in the database, then it is obvious: that website is currently being accessed with the Tor browser.

A study on the effectiveness of website fingerprinting concluded that up to 90% of the websites and their individual sub-pages could be clearly identified. However, it only looked at a "small world" of a few sites, whereas on the real Internet, billions of users visit millions of websites with billions of subpages.

Nonetheless, website fingerprinting is not just a pipe dream. A large portion of Internet usage is concentrated on a few very popular sites. An attacker can already get good results by analyzing a few hundred particularly popular websites and their subpages. In the Dark Web, the fingerprinting of websites is even better than the fingerprinting of the "big" World Wide Web. The dark web is indeed a small world, and the politically interesting dark web is even smaller.

The success rate of website fingerprinting is also diminished by the fact that websites are often dynamic. The content differs slightly depending on where you are accessing it from, and different ads are shown. The more dynamic a website is, the more difficult it is to match it with previously created fingerprints. The dark web is more vulnerable in this regard as well. Dark web sites are usually not very technically demanding: they try to include as little superfluous software as possible to reduce the attack surface for surveillance or police investigations. Since they are more often static than sites on the clear web, they are easier to detect by site fingerprinting.
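To show the pattern-matching step that both end-to-end confirmation and site fingerprinting rely on, and why dynamic content weakens it, here is an added Python toy that is not from the original article or the Tor Project. The traces are constructed burst patterns (positive = cells sent by the client, negative = cells received), and the database, the distance threshold and the padding scheme are illustrative assumptions.

```python
# Constructed traces (not real captures). Tor cells have a fixed size, so the
# volume and direction of bursts are what an observer of encrypted traffic can
# still see; each trace here is a list of burst sizes in cells.
DATABASE = {
    "news-site/front":   [3, -40, 2, -12, 1, -5],
    "news-site/article": [3, -25, 2, -30, 1, -4],
    "forum/login":       [2, -6, 4, -8],
    "blog/home":         [3, -15, 2, -15, 2, -15],
}

def distance(a, b):
    """L1 distance between two burst vectors; the shorter one is zero-padded."""
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return sum(abs(x - y) for x, y in zip(a, b))

def classify(observed, db, threshold):
    """Return (best_match, distance); best_match is None if nothing is close enough.
    The same nearest-pattern step matches entry and exit streams in the
    end-to-end confirmation attack described above."""
    best = min(db, key=lambda name: distance(observed, db[name]))
    d = distance(observed, db[best])
    return (best if d <= threshold else None), d

def with_dynamic_content(trace, extra_inbound):
    """Simulate ads/dynamic content: extra inbound cells in the largest inbound burst."""
    out = list(trace)
    i = min(range(len(out)), key=lambda k: out[k])   # index of the most negative burst
    out[i] -= extra_inbound
    return out

def pad_trace(trace, burst=40, n_bursts=6):
    """Assumed constant-shape padding: every page produces the same burst pattern,
    which is exactly what Tor, which forwards traffic unchanged, does not do."""
    return [burst if k % 2 == 0 else -burst for k in range(n_bursts)]

if __name__ == "__main__":
    front = DATABASE["news-site/front"]
    print(classify(front, DATABASE, threshold=10))                          # exact match
    print(classify(with_dynamic_content(front, 3), DATABASE, threshold=10))  # small change
    print(classify(with_dynamic_content(front, 20), DATABASE, threshold=10)) # too dynamic
    padded = {k: pad_trace(v) for k, v in DATABASE.items()}
    print(len({tuple(v) for v in padded.values()}), "distinct padded pattern(s)")
```

A few extra ad cells still leave the front page recognizable, a heavily changed page falls outside the threshold, and uniformly padded traces collapse to a single pattern the database can no longer separate.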

Summing up

In conclusion, Tor can do many things, but it is also vulnerable to different types of attacks. The more resources an attacker has, the more likely he is to crack Tor. However, this is expensive, so permanent de-anonymization of all users is not possible. On the other hand, a targeted attack on individuals is conceivable.

From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.
