The Tor Project is attempting to assure users that the network is still safe after a recent investigative report warned that law enforcement from Germany and other countries are working together to deanonymize users through timing attacks.

The team behind the specialized web browser claims that adequate protections are in place for those using the latest versions of its tools, noting that timing analysis is a known technique for which effective mitigations exist.

Busting “Boystown” through Tor

Tor is a privacy tool and web browser that anonymizes your identity by bouncing your internet traffic through several computers (nodes) worldwide, making it difficult to trace where your traffic came from.

Due to its privacy assurances, it is commonly used by activists and journalists when communicating with sources and to bypass censorship in countries with oppressive governments. While the project has a long list of legitimate uses, due to its anonymity, it is also used by cybercriminals to host illegal marketplaces and to evade law enforcement.

An investigative report by the German portal Panorama, supported by the Chaos Computer Club (CCC), says court documents revealed that law enforcement agencies use timing analysis attacks through a large number of Tor nodes they operated to identify and arrest the operators of the child abuse platform “Boystown.”

A Tor timing attack is a method used to deanonymize users without exploiting any flaws in the software, but rather by observing the timing of data entering and leaving the network. 

If the attacker controls some of the Tor nodes or is monitoring the entry and exit points, they can compare the timing of when data enters and leaves the network, and if they match, they can trace the traffic back to a particular person.

“The documents related to the information provided strongly suggest that law enforcement agencies have repeated and successfully carried out timing analysis attacks against selected gate users for several years to deanonymize them,” stated CCC’s Matthias Marx.

Panorama highlights the ever-worsening problem of large portions of the Tor network’s servers being controlled by a small number of entities, creating an environment that makes these timing attacks more feasible.

The report also mentions that one of the identified users was using an outdated version of Ricochet, an anonymous instant messaging app that relies on the Tor network to create private communication channels.

That older Ricochet version, which does not include Vanguard protections, is vulnerable to ‘guard discovery attacks,’ which allow the unmasking of the user’s entry node (guard).

Tor’s response

The Tor Project expressed frustration for not being provided access to the court documents that would enable them to analyze and validate security-related assumptions.

However, the organization still published a statement to reassure users based on what information they had.

The Tor Project statement highlights that the described attacks occurred between 2019 and 2021, but the network has significantly increased since then, making timing attacks much harder to pull out now.

Additionally, extensive work to flag and remove bad relays has taken place in the past years, and efforts to put a break on centralization yielded tangible results.

Concerning Ricochet, Tor notes that the version used by the deanonymized user was retired in June 2022 and has been replaced by the next-gen Ricochet-Refresh, which features Vanguards-lite protections against timing and guard discovery attacks.

Finally, Tor acknowledges the pressing issue of relays diversity, calling volunteers to help and highlighting various initiatives they launched recently to introduce more bandwidth and variety on the network.