What are your options if you want privacy on the web? Just being careful about where you surf, what you post, and what you download isn’t enough. The NSA, GCHQ and other government spy agencies are rapidly expanding their reach to grab everything they can about everyone they can online, just in case it might prove useful. Many users are turning to virtual private networks (VPNs) as a more permanent way to secure their web activity, but for those looking to tap occasional anonymity, the Tor network is often a go-to connection.
The problem? According to The Daily Dot, it’s now possible for spooks to crack Tor connections, deanonymizing their users. The solution may lie with Astoria, a client that promises users a harder-to-crack anonymous online experience.
The Tor Problem
So how does Tor claim to keep your data safe? It goes like this: When the Tor client starts up, it encrypts and then sends all of a user’s Internet traffic through what’s known as an entry node, then a middle relay, and finally out an exit relay. Data returned follows the same sequence but along a different path so it becomes (in theory) impossible for government agents to know who’s at the browser end of any connection. In large measure, this anonymity relies on location. With 6,000 nodes in the Tor network, finding out where requests are coming from is a formidable task.
According to Slash Gear, however, that’s why the NSA and other agencies don’t bother to try and crack Tor this way. Instead, they’re using what are known as “timing attacks.” By controlling both entry and exit nodes, it’s possible for government actors to use simple statistical analysis to uncover the identity of a user in under 10 minutes. This isn’t a new vulnerability—Tor has known about the problem for years—but until recently, the number of attacks carried out this way formed only a fraction network threats. The problem isn’t small, either. Fifty-eight percent of Tor circuits are vulnerable to timing attacks worldwide. And in certain countries, such as China, the number is much higher: Up to 85 percent of all Tor circuits are at risk.
Welcome to Astoria
Thanks to the work of a joint American-Israeli research team, there will soon be
a new option for anonymity: Astoria. The new client claims to drop the number of vulnerable circuits from almost 60 percent to just under six, and does so by using an algorithm which predicts the most likely path of a timing attack and then selects the circuits which pose the least risk. What’s more, the team says that their new effort also makes best-case node matches when “there are no safe possibilities” and keeps Tor’s overall performance as fast as possible, even when the highest level of algorithmic security is required. Astoria comes with a sliding scale of performance vs. security, allowing users to decide what best suits their needs, although the developers advise that it’s most effective at the highest security setting.
It’s also worth noting that there’s no foolproof method for defeating timing attacks. Astoria simply makes it much, much more difficult in hopes that spy agencies will go looking for lower-hanging fruit.
Of course, government-funded efforts aren’t the only risks faced by Internet users. As noted by Forbes, there’s also PunkSPIDER, a Google-type tool developed to uncover website vulnerabilities. The tool recently took a hard look at Tor and found several websites on the “dark web” wanting, some of which were passed on to law enforcement agencies. Bottom line? It’s dark down there, but not pitch black. In China, meanwhile, a wave of attacks against Tor and VPN users has been uncovered. Many believe government agencies are behind these watering-hole attacks. On top of all that, it was recently discovered that “free” service Hola used its non-paying clients as exit nodes and may have opened up its entire customer based to serious security risk.
Here’s the end game when it comes to being spy-proof: it’s not possible. Astoria is one way to convince government agents they should look elsewhere, but works best only if you’re willing to live with reduced Tor performance. For more consistent protection, try a VPN — but look for reputable, stable, and for-pay providers that offer fully encrypted, worldwide support for your online activities. It’s your computer, your network, and your browser; giving up who you are and what you’re doing online shouldn’t be the cost of connecting.