Tor Browser Anonymity Compromised, Maybe by the Feds


Well now what?

The Tor Project allows its users to do things like send emails or surf the web anonymously, without fear of surveillance. In the wake of the NSA surveillance revelations, Reason's Ron Bailey suggested it as a tool to keep the government from spying on you, and Nick Gillespie interviewed the development director of the project.

But over the weekend, discovery of some malware suggests user anonymity may be at risk, and the prime suspect is the federal government. Via Wired:

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal "drive-by" hack attack, but nobody's calling in the FBI this time. The FBI is the prime suspect.

"It just sends identifying information to some IP in Reston, Virginia," says reverse-engineer Vlad Tsyrklevich. "It's pretty clear that it's FBI or it's some other law enforcement agency that's U.S.-based."

If Tsyrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI's "computer and internet protocol address verifier," or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Wired reporter Kevin Poulsen notes that the discovery coincides with the arrest in Ireland of Eric Eoin Marques, believed by the FBI to be the largest facilitator of child porn on the Internet, and the geographic locations of child porn sites have been hidden via Tor's anonymity tools.

Below, watch Reason TV's interview with Tor's Karen Reilly:


  1. ruh roh

    1. You think Satan’s story is nice, last yetsterday I sucked Obamasama’s Willie and I got paid $3.69 gabillion!!!! See ?

  2. It’s important to keep in mind that this isn’t a vulnerability in the Tor software; it’s a vulnerability in the version of Firefox (17) that they distribute in the ready-to-go Tor Browser Bundle.

    1. What they don’t say is whether that vulnerability has been patched in the latest firefox, or how the spyware actually infects the computer (javascript I think).

      1. It was fixed in June:

      2. From what I’ve read they’ve already replaced Firefox 17 in the bundle (later versions have been fixed), and yes, it runs javascript in a hidden iframe on the page.

        1. Anyone who bothered to make sure they were running an up to date version of the browser bundle or who installed the latest version as of June 26th was not affected.

          1. Also it’s not advisable to allow Javascript while using TOR if you care about your anonymity anyway…

            1. The argument given against that is that disabling Javascript makes your browser signature more unique.

              1. Never used Tor, but I believe others’ recommendation to use a completely separate browser with javascript disabled when browsing Tor is sound advice. I would even recommend using another computer or at least a virtual machine.

              2. Not disabling javascript makes your browser even more unique than disabling it.

                They both provide some information to fingerprint, but lots of people disable it, and having javascript enabled provides way more specific info available through those scripts.

                If you don’t have noscript or java disabled, your browser is most likely completely unique and possibly identifiable just by using javascript alone.

                If you go to the panopticon site, with java enabled, it will pull every single font you have installed on the machine plus every single plugin on your browser with exact version numbers on all of them.

                Without java, it just says you have java turned off, which is probably something like 20% of all internet users.

                1. What you’re saying is likely correct when talking solely about non-Tor browsing. Yes, I read the same article you did and I know what you’re talking about but it really doesn’t apply here. What you don’t want to do is disable JS entirely on your non-Tor browser. If you regularly connect to facebook (does that even work without JS?) and then connect to a sensitive site then your browser fingerprint may allow the identities to be connected.

                  When browsing Tor you should use an entirely separate browser and never put your personal information out there. If you do, you should never use that same browser to visit sensitive sites. I would disable JS entirely when browsing sites that could be compromised or contain malicious content.

                  1. When browsing Tor you should use an entirely separate browser and never put your personal information out there.

                    It’s irrelevant if you choose to put your shit out there or not; the hops are different every time.

                    Of course, I don’t really try to put my name on the internets to start with.

                    1. It’s irrelevant if you choose to put your shit out there or not; the hops are different every time.

                      Yeah, unless your browser has a unique fingerprint. That’s what we’re talking about….

            2. It’s probably not advisable to allow javascript, period. Unless you have noscript, or unless you like downloading rootkits.

              1. Just a messenger here. It wasn’t my idea.

                That said, disabling Java is an awful lot different from disabling Javascript.

                1. True, I meant noscript or disable javascript, not disable the whole java environment.

                  Although if you aren’t going to use it, I would recommend you may as well go ahead and disable java too.

                  Windows plus IE plus java equals walking through a rape convention in 6″ heels and a thong.

                  But what you said is technically true – disabling javascript can help identify your browser. It’s just that enabling it helps identify your browser even more.

      3. And yes, it is via JavaScript.

  3. The IP address of the command and control server was traced back to a block of IPs associated with SAIC and the NSA. I find it hard to believe that the NSA is incapable of covering its tracks. Others have put forward the notion that this is either designed to scare people away from Tor or to boost the image of the NSA domestic spying operation. Either one seems likely.

    Also isn’t it weird that the NSA-DEA link hasn’t made it to CNN yet?

  4. “We have met the enemy and he is U.S.” –Walt Kelly–

    1. +1 Pogos

  5. Oh, Tor Project. I thought it was Tor Johnson.

    1. And.. I thought it was the god Thor. He would’ve been pissed. And left no survivors.

      1. I used to have a Norwegian Elkhound named Thor Thunder God III.

  6. Fucking Chuck Schumer supports the NSA’s spying, but grandstands that Internet TVs could spy on you.

    What an evil hypocrite.

    1. If our fellow countrymen had any self respect, or clarity of mind left, they’d all rise up and vote every last bum supporting blanket spying out of office.

      1. If they had any of either left, they’d throw every last one of them out of the highest window in the Capitol building.

        1. Is the capitol building high enough to do the job? Somehow I imagine them surviving.

  7. Well, if you used Tor, or any other privacy software for that matter and didn't disable Java, you deserve what you get lol.

    1. I think you are human. How much are you paid per hour to post comments like this?

    2. Does this kick off the battle royale between anonbot and workbot?

  8. Why the hell any security-minded person is running Windows+JavaScript is beyond me anyway…

  9. If I was ever unsure that Billy Corgan was a douchebag, I just saw him praise Piers Morgan and Morgan’s show on CNN lol

    1. He’s also praised Alex Jones on his show. We’re through the looking glass here, people.

  10. Mom just get me a hattip, please
    All I want is a hattip, and she wouldn’t give it to me
    All I wanted was a hattip, just one hattip, and she wouldn’t give it to me.
    Just a hattip.

    They give you a white shirt with long sleeves
    Tied around your back, you’re treated like thieves
    Drug you up because they’re lazy
    It’s too much work to help a crazy
