Computer scientists from MIT and the Qatar Computing Research Institute (QCRI) have demonstrated a security vulnerability affecting the Tor anonymity network that makes it possible to identify hidden servers with up to 88% accuracy.

Tor (from The Onion Router project) is the name for software that anonymises and redirects internet traffic through a worldwide network of relays comprised of volunteers who set up their computers as Tor nodes.

Because the data travelling between two nodes only contains the details of those nodes, the source and final destination are effectively anonymised and protected from interception.

In July 2014, the Russian government announced that it would pay its citizens to obtain technical information about users and the equipment used on the Tor anonymous network — undoubtedly they would find this most interesting.

What is Tor?

Tor enables hosting of websites that are not discoverable by conventional means such as through a Google or Bing search, or through directly entering a website URL.

These hidden sites form part of the Dark Web, which is perfect for cybercriminals, who put thousands of goods and services for sale on secret underground marketplaces, which include illegal drugs, chemicals, firearms and counterfeit goods, as well as adverts for services such as hacking, gambling and sports betting.

There are currently about 5,000 Tor servers worldwide operated by volunteers, and Tor is used by a wide range of people – from regular citizens concerned about their online privacy, to journalists, lawyers, human rights activists and hackers.

To access these sites and the Tor network a user will need a specialised Tor browser, or Tor plug-ins for their standard browser. The user will also often need to know the dark website address they wish to reach, which themselves can be searched for on traditional websites maintaining lists of dark web sites.

Using traffic fingerprinting to crack anonymity

A computer that has been set up as a Tor node is known as a "guard", and when it receives a web request wrapped in several layers of encryption, its job is to peel off the first layer of encryption and forward the request to another computer on the network that has been randomly selected.

The Tor nodes have a lot of data passing back and forth between them in a circuit for each request, and the researchers found that by looking for patterns in the number of packets passing in each direction through a guard, the computer algorithms they designed could determine what sort of traffic was passing through with 99% accuracy.

The researchers found that even without breaking Tor's encryption, they could tell whether a circuit was for a regular web browsing request, an introduction point (which gives a user access to a hidden website) or a rendezvous point, which is used when another user wants to connect to the same hidden website at the same time as the first user.

Detecting a server's location through analysing traffic

And if someone, like the FBI, for example, wanted to find the location of a server hosting a hidden site and they set up their computer as a Tor node, if that computer happened to be picked as the guard for a web request to access a hidden website like an underground marketplace, then it would be possible to identify the service's host with an 88% accuracy.

The researchers intend to present a paper on their results at the 24th Usenix Security Symposium in Washington DC on 12-14 August.

"We recommend that [Tor's creators] mask the sequences so that all the sequences look the same. You send dummy packets to make all five types of circuits look similar," said Mashael Al-Sabah, an assistant professor of computer science at Qatar University and co-author of the paper.

"For a while, we've been aware that circuit fingerprinting is a big issue for hidden services. This paper showed that it's possible to do it passively — but it still requires an attacker to have a foot in the network and to gather data for a certain period of time," said says David Goulet, a developer with the Tor project.

"We are considering their countermeasures as a potential improvement to the hidden service, but I think we need more concrete proof that it definitely fixes the issue."