The Darknet Under Siege? Experts Weigh in on Tor Browser's Anonymity

Amid arrests and the unmasking of darknet administrators, Tor Browser users are questioning its security. Several experts involved in the browser’s development have sought to clarify the situation.

Concerns intensified after German authorities discovered a method to unmask cybercriminals on Tor through timing analysis. Specifically, they identified the owners and an active user of Boystown, the largest darknet site for child pornography.

The timing analysis method does not exploit software vulnerabilities; instead, it allows traffic to be traced back to an individual by monitoring it over a prolonged period.

The Tor team admitted they are unaware of the exact deanonymization technology. However, developers speculated that German authorities might have used the outdated Ricochet messenger, employed by the arrested criminal.

“In addition to adding relays and expanding bandwidth, the Tor network team has also recently implemented new critical features to enhance protection mechanisms, speed, and performance,” Pavel Zoneff, Tor’s Director of Strategic Communications, told Cointelegraph.

MatterFi CEO Michal Pospishalski noted that timing analysis attacks are always possible.

A Cunning Loophole

The publication Panorama reviewed documents related to the case but did not disclose details about the timing analysis. Journalists mentioned that the method targets “entry servers,” also known as guard nodes, and the Ricochet instant messaging service.

“Based on the limited information available to the Tor Project, we believe that a user of the long-closed Ricochet application was fully deanonymized using a Guard Discovery attack,” Zoneff emphasized.

When Tor is used to browse websites, traffic passes through three relays (nodes): an entry (guard), a middle, and an exit. Only the guard node in this scheme knows the user’s IP address.

For services like Ricochet, there is no exit node; the connection is made through a “rendezvous point” within the Tor network itself. This means the traffic does not “exit” to the internet.

Ricochet connection scheme. Data: Tor blog.

Experts speculate that in the attack on Ricochet, law enforcement may have seized several middle nodes in the Tor network, increasing the chances of tracking traffic.

“This is a form of Sybil attack,” stated Brute Brother’s CEO Or Weinberger.

He emphasized that such an operation requires significant resources.

To establish a connection with the suspected criminal, authorities likely sent numerous requests or packets to the user’s Ricochet address, so that the client kept building new connections until one of them passed through a malicious middle node.

Once the connection is established, law enforcement cannot immediately determine the target’s IP address, but it can perform timing analysis to match the traffic passing through that node. Once the target is identified, authorities request the necessary subscriber data from the internet provider.

An Outdated Method

Nearly three years have passed since the deanonymization incident. During this time, the Tor team has released numerous changes that have significantly complicated attacks.

“It is not uncommon for certain clients to have their own set of issues or vulnerabilities. However, [they] are always discovered, and responsible teams fix the exploit as quickly as they can,” said Secret Foundation’s Executive Director Lisa Loud.

The old version of Ricochet has also effectively ceased to exist; it was succeeded by Ricochet-Refresh, which includes the improved Vanguards protection system.

The Sybil attack relies on steering the client toward a specific choice of middle nodes, so the new security mechanism instead pins a set of randomly chosen nodes for the connection, eliminating the possibility of time-based tracking.

Ricochet-Refresh connection scheme. Data: Tor blog.

“Every security measure has countermeasures,” added Weinberger.

He clarified that there is no complete protection, since states have the resources to keep testing new methods.

Nodes in Germany

Currently, Germany hosts a larger share of Tor relays than any other country.

Data: Tor Metrics.

As of October 18, the country hosts 1,852 out of 8,085 relays. Moreover, Germany leads the world in consensus weight (36.7%), which considers other factors like bandwidth and capacity.

“Your Tor client is more likely to choose a high-performance guard node over a low-performance one. Therefore, I assume that nation-states will use long-running, high-bandwidth guard nodes to attract more Tor users,” Weinberger explained.

Tor’s enhanced protection system makes timing analysis more difficult for states or any entities with significant resources, but it does not make it impossible.
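To make the guard-discovery reasoning above concrete, here is a small Python model added to this article; it is not code from the Tor Project or from any of the quoted experts, and the relay list, the bandwidth values and the four-relay pinned layer are constructed assumptions. It uses bandwidth-weighted relay selection, the property Weinberger refers to, and compares how many circuits an adversary holding a few percent of middle-relay weight needs before one of its relays sits next to the guard, first with a fresh middle relay per circuit (the old Ricochet layout) and then with a pinned Vanguards-style second layer.

```python
"""Toy model of guard discovery against an onion-service client.

Added illustration, not Tor Project code. The network below is constructed:
every relay advertises the same bandwidth and two of fifty are adversarial.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    bandwidth: int          # consensus-weight-like units; constructed values
    malicious: bool = False


def build_network(honest=48, malicious=2, bandwidth=100):
    """Constructed toy network: uniform bandwidth, a few adversary relays."""
    relays = [Relay(f"honest{i}", bandwidth) for i in range(honest)]
    relays += [Relay(f"evil{i}", bandwidth, malicious=True) for i in range(malicious)]
    return relays


def weighted_choice(relays, rng):
    """Bandwidth-weighted pick, the idea behind Tor's relay selection:
    a relay is chosen with probability proportional to its weight, so a
    high-bandwidth relay is picked more often than a low-bandwidth one."""
    total = sum(r.bandwidth for r in relays)
    pick = rng.uniform(0, total)
    acc = 0
    for r in relays:
        acc += r.bandwidth
        if pick <= acc:
            return r
    return relays[-1]


def malicious_weight_fraction(relays):
    """Share of total weight the adversary controls (f in the closed form)."""
    total = sum(r.bandwidth for r in relays)
    return sum(r.bandwidth for r in relays if r.malicious) / total


def p_discovered_within(circuits, f):
    """Closed form for the classic layout: each circuit draws a fresh middle,
    so P(at least one adversary middle in k circuits) = 1 - (1 - f)^k."""
    return 1 - (1 - f) ** circuits


def circuits_until_discovery_classic(relays, circuits, rng):
    """Classic onion-service layout: every new rendezvous circuit picks a new
    middle relay. Returns the 1-based circuit on which an adversary relay
    first sits next to the guard (and so sees its address), or None."""
    for i in range(1, circuits + 1):
        if weighted_choice(relays, rng).malicious:
            return i
    return None


def circuits_until_discovery_vanguards(relays, circuits, rng, layer_size=4):
    """Vanguards-style layout (the layer size is an assumption of this model):
    the client pins a small set of second-layer relays and routes every
    circuit through one of them. Forcing more circuits no longer helps the
    adversary unless one of the pinned relays was already theirs."""
    pool = list(relays)
    layer = []
    while len(layer) < layer_size and pool:
        chosen = weighted_choice(pool, rng)
        pool.remove(chosen)
        layer.append(chosen)
    for i in range(1, circuits + 1):
        if weighted_choice(layer, rng).malicious:
            return i
    return None


def discovery_rate(simulate, relays, circuits, trials, seed=1):
    """Monte Carlo estimate of how often the adversary ends up adjacent to
    the guard within the given number of circuits."""
    rng = random.Random(seed)
    hits = sum(simulate(relays, circuits, rng) is not None for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    net = build_network()
    f = malicious_weight_fraction(net)
    print(f"adversary weight share:      {f:.2%}")
    print(f"closed form, 100 circuits:   {p_discovered_within(100, f):.1%}")
    print(f"classic layout, simulated:   {discovery_rate(circuits_until_discovery_classic, net, 100, 2000):.1%}")
    print(f"vanguards layout, simulated: {discovery_rate(circuits_until_discovery_vanguards, net, 100, 2000):.1%}")
```

The closed form 1 - (1 - f)^k is what makes "send many requests" effective in the classic layout: with only 4% of the weight, a hundred forced circuits give roughly a 98% chance that an adversary relay lands next to the guard. With a pinned second layer, the adversary's odds are fixed at the moment the layer is chosen (about 15% in this toy network) and additional circuits do not improve them, which is the protective effect the Vanguards system is designed to provide.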

Technological progress also provides more opportunities for user deanonymization.

“Ultimately, AI, which has many data monitoring points and great computational power, will become very good at timing analysis. I wouldn’t be surprised if such a project already exists somewhere in secret,” ponders the CEO of MatterFi.

Most experts agree that Tor remains safe for ordinary users, but authorities keep darknet criminals on edge.

“Will anonymous surfing survive? Maybe. It’s a race, and in the next few years, anything could happen to affect the final outcome,” concluded Loud.

Back in the summer of 2023, it was reported that ransomware operators, malware developers, and other criminals began shifting their activities from the darknet to Telegram channels.
