The National Security Agency and its UK counterpart have made repeated and determined attempts to identify people using the Tor anonymity service, but the fundamental security remains intact, as top-secret documents published on Friday revealed.

The classified memos and training manuals, which were leaked by former NSA contractor Edward Snowden and reported by The Guardian, show that the NSA and the UK-based Government Communications Headquarters (GCHQ) are able to bypass Tor's protections, but only against select targets and often with considerable effort. Indeed, one presentation slide grudgingly hailed Tor as "the king of high-secure, low-latency Internet anonymity." Another, titled "Tor Stinks," lamented: "We will never be able to de-anonymize all Tor users all the time."

An article published separately by The Washington Post, also based on documents provided by Snowden, concurred.

"There is no evidence that the NSA is capable of unmasking Tor traffic routinely on a global scale," the report said. "But for almost seven years, it has been trying."

Enter EgotisticalGiraffe

The documents go on to reveal a panoply of covert technologies with names like FoxAcid, Quantum, Stormbrew, Fairview, and Turbulence. The goal of some is to exploit software bugs in the Firefox browser and other software applications used by individual Tor users. Another program uses Tor servers operated by the NSA to redirect user requests or spot patterns in Internet traffic that enters or exits the Tor network. NSA and GCHQ agents also discussed efforts to "shape" or influence future developments of the Tor software and network.

One prominent technique for monitoring terrorists and other people using Tor was dubbed EgotisticalGiraffe. It involves exploiting vulnerabilities in the software bundle that Tor makes available to users. One attack targeted a serious bug in a Firefox component known as ECMAScript for XML (E4X), according to cryptographer Bruce Schneier, who authored this technical analysis for The Guardian. The vulnerability was "inadvertently" fixed when Firefox developers updated the E4X library. Tor users who don't update their software, of course, remain susceptible.

The EgotisticalGiraffe technique "succeeded in unmasking 24 Tor users in a single weekend," The Washington Post reported. "The same operation allowed the NSA to discover the identity of a key propagandist for al-Qaeda in the Arabian Peninsula, as the group's offshoot in Yemen is known, after he posted information and instructions on the group's Web site."

A "less complex exploit" in the NSA's arsenal was the same one used in July to decloak a man suspected of using Tor to run a child porn service. The attack relied on malicious JavaScript embedded in a website the Tor user visits. That vulnerability has also been fixed in recent versions of Firefox.

According to Schneier, the NSA used secret servers located on the Internet backbone to redirect selected users to a second set of secret servers, codenamed FoxAcid, that infect their computers. Because the redirecting servers sit on the high-speed links between end users and the websites they visit, these NSA nodes, dubbed Quantum, can answer a user's request before the server the user intended to reach does, winning the race for the browser's attention. Schneier cited this top-secret diagram as evidence of a Quantum server impersonating Google in such an attack.
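The race described above is easier to reason about with a model. The following is an added example written for this page, not code from the original article, from Schneier's analysis, or from any leaked document. It models a client that accepts the first reply matching its outstanding request (as a TCP stack accepts the first segment carrying the expected sequence number), an on-path node that sees the request part-way along the path and answers from there, and a passive observer's check for the artefact such a race leaves behind: two replies to one request that disagree in content. The request identifier, latencies, hop fraction and the redirect target (a reserved `.invalid` name, not a real FoxAcid tag) are assumptions chosen for illustration; the intended host is Google because that is the impersonation the diagram showed.

```python
"""Model of on-path response injection ("winning the race") and a passive check for it.

Added example for this page; not NSA tooling and not taken from any leaked document.
All names, identifiers and timings below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    req_id: int      # stands in for the (ports, seq/ack) tuple a reply must match
    host: str
    path: str


@dataclass(frozen=True)
class Reply:
    req_id: int
    sender: str      # "origin" or "injector": known to the model, not to the client
    latency_ms: float  # time from request leaving the client to this reply arriving
    body: str


def legitimate_server(req: Request, rtt_ms: float) -> Reply:
    """The server the client meant to reach; its reply arrives after a full RTT."""
    return Reply(req.req_id, "origin", rtt_ms, f"200 OK from {req.host}{req.path}")


def on_path_injector(req: Request, rtt_ms: float, hop_fraction: float, redirect_to: str) -> Reply:
    """A node on the path a fraction `hop_fraction` of the way to the server.

    It sees the request, copies the identifier the client expects, and answers
    from where it sits, so its reply needs only that fraction of the RTT.
    The body redirects the browser to a second server (a placeholder name here).
    """
    return Reply(req.req_id, "injector", rtt_ms * hop_fraction,
                 f"302 Found\r\nLocation: {redirect_to}")


def client_accepts(req: Request, replies: list[Reply]) -> Reply:
    """A client that takes the first correctly matching reply, like a TCP stack."""
    matching = [r for r in replies if r.req_id == req.req_id]
    return min(matching, key=lambda r: r.latency_ms)


def detect_race(replies: list[Reply]) -> list[tuple[int, str, str]]:
    """Passive observer's check: one request id answered twice with different bodies.

    Sender and latency are not visible to a real observer; the duplicate,
    contradictory replies are. Returns (req_id, first_body, second_body) tuples.
    """
    first_body: dict[int, str] = {}
    alerts: list[tuple[int, str, str]] = []
    for r in sorted(replies, key=lambda r: r.latency_ms):   # arrival order
        if r.req_id in first_body and first_body[r.req_id] != r.body:
            alerts.append((r.req_id, first_body[r.req_id], r.body))
        first_body.setdefault(r.req_id, r.body)
    return alerts


def run_scenario(hop_fraction: float = 0.3, rtt_ms: float = 80.0) -> tuple[str, list[tuple[int, str, str]]]:
    """Run one race. Returns (who the client believed, observer alerts)."""
    req = Request(req_id=4242, host="www.google.com", path="/search?q=tor")   # constructed sample request
    replies = [
        legitimate_server(req, rtt_ms),
        # Assumed redirect target; .invalid is reserved and never resolves.
        on_path_injector(req, rtt_ms, hop_fraction, "https://second-stage.invalid/"),
    ]
    winner = client_accepts(req, replies)
    return winner.sender, detect_race(replies)


if __name__ == "__main__":
    print("injector 30% along the path:", run_scenario(hop_fraction=0.3))
    print("injector beyond the server :", run_scenario(hop_fraction=1.5))
```

Two things the model makes concrete: the injector does not need to break anything, only to be closer to the client than the origin and to know what identifier the client is waiting for; and the attack is not silent, because the origin's reply still arrives and an observer that keeps per-request state can flag the contradiction, whichever reply arrived first.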

Schneier provided additional technical details:

According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate. The servers are on the public internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA. However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks. FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. An example of one such tag [Link removed by the Guardian several hours after publication] is given in another top-secret training presentation provided by Snowden. There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.

Schneier said FoxAcid was a general system operated under the NSA's computer network exploitation program and is used for many types of attacks other than the Tor attacks described in his analysis. It has a modular design, so it can be used with a variety of exploits and in a variety of settings.

Yet another tool dubbed Mjolnir has been able to "monitor and control the paths of communications that are supposed to be chosen randomly as they pass through Tor," The Washington Post reported. "Another operation, called Mullenize, can 'stain' anonymous traffic as it enters the Tor network, enabling the NSA to identify users as it exits."

What's encouraging in Friday's reports is the absence of any reported vulnerability in Tor itself. That may be reassuring to journalists, political dissidents and, yes, Internet criminals and terrorists—who all rely on the service to keep their location and identities secret. The recent takedown of Silk Road—a Tor-protected website that arranged $1.2 billion in sales of heroin, cocaine, and other illicit goods and services—has only ramped up concern that there might be obscure flaws that allowed the government, or anyone else who discovered them, to unmask users. Of course, the absence of proof of crippling vulnerabilities isn't the same thing as proof that none exist, but it's better than some of the scenarios users have drawn in recent months.

"The good news is they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network," Roger Dingledine, the president of the Tor Project, told The Guardian. "Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard. Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on."

This article was updated throughout to add details from The Washington Post story.