Tor May Not ‘Stink’ as Much as We Thought

According to newly released documents from the Snowden archive published by Der Spiegel Monday morning, it turns out the anonymization mesh network Tor may not be as hard to crack as we were originally led to believe.

You’ll remember that back in July of this year, we went into detail about a PowerPoint presentation lifted from the NSA archives by Snowden called “Tor Stinks”, which covered the many and varied roadblocks that the agency had run into while attempting to track, log, and store data about Tor users and their movements.


Now it seems that Snowden also lifted documents written about two years after Tor Stinks. The later documents imply that many of the challenges proposed in the original slideshow had been surmounted, andGCHQ was closer than ever to fitting the last pieces of the puzzle into place.

We have shown a technique that can deanonymise TOR web-browsing given packet times between the client and guard node and packet times from the exit node filtered to a single circuit. The false positive rate looks low enough to suggest this technique should be carried forward.

The required data is not collected at present. For this technique to work the following additional data feeds will be required:

1.) Second-accurate packet logging at TOR exit nodes we control with packets labelled by a unique circuit identifier.

2.) Second-accurate packet logging of sessions between TOR clients and TOR guard nodes.

This data could be obtained by SIGINT [signals intelligence] or by running guard nodes. The SIGINT solution would require an up-to-date feed of TOR “consensus” documents; TOR IP addresses could then be extracted from the “consensus” documents for filtering by the SIGINT system.

At the time of writing JTRIG [Joint Threat Research Intelligence Group] are investigating the collection of the exit node data and ICTR-FSP are trialling a feed of guard node data from research bearers.”

What’s interesting here is not so much the leaks themselves nor that two separate presentations (given to two separate news organizations) were released at different times. Rather, it is the lengthy time between each story.

The Intercept and Der Spiegel work with lawyers and high ranking officials at the NSA or GCHQ when certain information should be published and what shouldn’t be published in the interest of national security.

Knowing that, one can assume the agency initially gave them the okay to release the data about the Tor Stinks memo. Then, instead of releasing the most recent info right after, they waited, and watched what we would do.

While we may be entering conspiracy tinfoil hat territory here, it’s not unlikely that one of the largest and most advanced spying operations ever undertaken in modern history would have a bit of trade craft to spare in this department. With that possibility in mind, why are we just finding out that Tor was somewhat crackable now? Because – and understand this is just the theory of one journalist working one case – that’s exactly what they wanted us to think.

The more people who saw the Tor Stinks presentation, the more people who thought the underground network was still a safe haven for encrypted communications. The more people who thought Tor was still safe in the eight months that passed between the two posts, the more relays that the government could sweep up and start tracking without the public being any the wiser.

The more Tor users they could track, the wider they could cast their net on the exit nodes required to sniff out encrypted communications. The more nodes under their control, the better their false-positive rate. The better the rate, the less powerful Tor becomes.

And according to their own internal communications, the only way to get solid control of the nodes is if more people started signing up for the service en masse.

So how do you get more people to start connecting through Tor? By using the leaks themselves against us and make everyone think it’s safe to jump on in the first place.

Again, this is speculation but the evidence is still concerning. Both Der Spiegel and Glenn Greenwald were in near daily contact when the leaks started, and lawyers on both sides were sharing content in droves while the original stories were being written and published.

This is not to suggest that either side willingly colluded with the NSA or GCHQ, but one could assume that if both agencies were capable of causing major pillars of the Internet like Google and Yahoo to buckle to their demands, a couple private journalists with a small team attached could be easily pressured into cooperating in a misinformation campaign if the circumstances absolutely required it.


That said, both this presentation and Tor Stinks are two and four years old, respectively, which means enough time has passed since both that the relay and its nodes could have already been compromised ages ago; no help from Greenwald or Spiegel required.

Thankfully, the newly unveiled documents also maintain that many of the more reliable methods of encryption; PGP, AES, and OTR, are still as secure as ever, and that all of them have held up well to the agencies’ most advanced technology and tactics.

Other less bombshell-esque news in this release reiterates much of what we’ve already heard a couple times before, i.e- Skype isn’t safe. PPTP is a broken mess. HTTPS can be scanned and swiped with the stroke of a key, etc etc, so on and so forth.

While in a normal world those types of claims would be horrifying, in a post-Snowden dystopia it’s just more of the same. Another dart on the ‘as usual’ board, tacked up to an unregulated government body gone rogue.