The Tor Project says an attack on the network earlier this year may have left user identities exposed for up to five months.
At the moment, those behind Tor say they are uncertain exactly what consequences the attack, which ran from January 30 to July 4, has for users.
The Tor Project says it believes the attack was the work of a pair of security researchers who’d been scheduled to give a talk at the Black Hat hacking conference but cancelled on legal advice.
Tor, short for the Onion Router, works by routing traffic through a chain of connections across participants' computers and servers, with fresh encryption at each stage. The idea is that even if one “hop” is compromised, there’ll still be many anonymous layers between the end user and the destination.
The service lets users browse sites anonymously, including many that are part of the so-called “dark web” and can’t be accessed through links on ordinary websites and search engines. It’s used by people who want to communicate anonymously for both legal and illegal purposes.
Exactly how the attack worked is still uncertain, but the principle appears to be comparing traffic logs of entry relays (the original user’s connection) and exit relays (the final connection between an encryption point and the destination) and looking at both the size of the data and the timings to find a match.
In theory such an attack could allow an attacker to link the destination with the IP address of the original user. Because every connection takes a random route, it would be down to luck whether such an attack would identify a specific visitor to a specific site. However, it also appears the attackers took control of around six percent of entry guards, a set of points in the process designed to further randomize connections and make tracking harder.