The TOR Project thinks it has figured out how the author of a canceled Black Hat talk cracked its software for masking the source of Internet traffic, and it is working on a patch.
In a mailing list post, the cofounder of The Onion Router Project says he believes he knows how researchers at Carnegie Mellon can figure out the origin of traffic routed through TOR. "Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found," says Roger Dingledine in a post July 21.
TOR encrypts traffic and hides its source by bouncing it among a series of random nodes called relays before moving it along to its destination.
Alexander Volynkin, a researcher at Carnegie Mellon University's Computer Emergency Response Team, had been slated to give a talk at Black Hat next month called "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" that promised to reveal an inexpensive method for unraveling the true source of TOR traffic. The talk was canceled due to intervention from university lawyers because the material wasn't cleared for public release.
Dingledine says he's pretty sure he understands what Volynkin would have revealed and a way to correct the problem. "I think I have a handle on what they did, and how to fix it," he writes.
He says he hopes to convince researchers who discover such flaws to share them with The TOR Project before publicly disclosing them so the project has the chance to close any loopholes. TOR is a tool used by human rights groups, journalists and others for whom concealing their locations is important.
"We've been trying to find delicate ways to explain that we think we know what they did," he writes, "but also it sure would have been smoother if they'd opted to tell us everything. The main reason for trying to be delicate is that I don't want to discourage future researchers from telling us about neat things that they find."
Once a vulnerability is flagged it's usually possible to shore it up. "The bug is a nice bug," he writes, "but it isn't the end of the world."
Keeping TOR secure is an ongoing project. "And of course these things are never as simple as 'close that one bug and you're 100% safe,'" Dingledine writes.