The developers of the Tor online privacy service are fixing a weakness which could have exposed the identities of hundreds of thousands of users of sites around the world – potentially putting lives at risk, as political activists in oppressive regimes rely on the service to make communications hard to trace.
The hack was due to be exposed at the Black Hat security conference in Las Vegas – but the talk was abruptly cancelled due to legal concerns.
The talk, entitled “You Don’t Have to be the NSA to Break Tor”, aimed to showcase a technique which could “uncloak” users of the anonymizing web service for less than $3,000.
The details of the method have not been disclosed, and the Tor Project has moved rapidly to fix the bug.
Black Hat said via a post on its official website, “One of our selected talks, ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ by CERT/Carnegie Mellon researcher Alexander Volynkin was scheduled for a Briefing at Black Hat USA this August in Las Vegas.”
“Late last week, we were informed by the legal counsel for the Software Engineering Institute (SEI) and Carnegie Mellon University that: ‘Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet been approved by CMU/SEI for public release.’ As a result, we have removed the Briefing from our schedule.”
The Tor Project said that it had not forced the cancellation of the talk – but that it had “some questions” for the researchers.
Roger Dingledine said via a post on the Tor forums that, “I think I have a handle on what they did,” reassuring users that a fix for the bug was imminent.
Using the free Tor browser, you can access special .onion sites – only accessible using the browser – which are used by political activists worldwide to post information untraceably.
Other Tor sites openly host highly illegal content including pirated IP, drug markets, child pornography and sites where credit card details are bought and sold.
Tor Project leader Roger Dingledine said, “Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as ‘close that one bug and you’re 100% safe’.”
Author Rob Waugh, We Live Security