Tor (http://www.torproject.org/) is a service and application to enable anonymous access to the Internet. It works by relaying network requests through a number of peers before ultimately accessing the resources requested. In this way, those listening on your connection will find it extremely difficult to follow the sites you visit or your physical location.
Assets/Security Goals
Tor’s main asset is to make a particular user’s Internet traffic anonymous. This could be strictly for privacy, or it may enable activist activities who may otherwise be reprimanded for their actions.
The security goal is to assure that this asset is in place. We must be certain that Tor’s methods/algorithms do not allow tracing back through the relay and ultimately find the source of the connection.
Potential Threats/Adversaries
The adversaries are those who want access to user’s identities and web activities. These could be government officials, identity thieves, or law enforcement to name a few. The potential threat is simply the discovery of identity and web traffic through manipulation of the system.
Weaknesses
There are two main weaknesses to Tor. One lies in the client software side, and the second lies in trust of Tor itself. If the Tor client is manipulated by an adversary, it could be made to ignore the Tor system itself and simply send traffic across the Web as usual. On the side of the Tor’s servers, we might be wary of Tor storing information that could later be used to compromise one’s identity.
Potential Defenses
Protection of the client is difficult, and ultimately we rely on the OS’s security to prevent such manipulation of the client. On the server side of defenses, while I’m not familiar with the specifics of the relaying methods, I believe that the relaying is in a distributed manner such that the information to trace a particular user is spread out across the network, and only a bizarre coordination of directory servers could gather the information needed to identify users on the network.
Risk Analysis
The risk is huge for many using this service. Criminals want their identity’s concealed. Others want to voice their opinions without repression. Assuming the system works, those using it have very little to worry about. Of course, anyone who doesn’t use it right or reveals information about themselves carelessly will get caught and can face severe consequences.
Conclusions
I think that over the past several years Tor has proven itself to be a very effective tool. It’s track record, AFAIK, is very good — frankly, it’s a model that works.
While Tor protects anonymity, Tor does not provide end-to-end confidentiality for the contents of the data. In particular, while the data sent within the Tor network is encrypted, the data sent from a Tor exit node to a destination server is clear-text. In what is called the 2007 “hack of the year,” security consultant Dan Egerstad intercepted and publish high-level email logins in many governments and embassies around the world simply by setting up and monitoring a set of Tor exit nodes. It is believed that Dan interrupted some unknown entity’s intelligence gathering operation that used Tor to anonymously transfer collected data. Details here:
http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html?page=fullpage
One quote I found particularly interesting was the justification for opening Tor to the public: “The problem is, if you make Tor a tool that’s only used by the military… by using Tor you’re advertising that you’re military.” Given that Tor is considered useful for ‘military’ purposes and has been found to transfer data as sensitive as email accounts for inter-governmental communications, does that not make the Tor network a blatant target for intelligence gathering? Would it not make sense for intelligence services to have, like Dan, setup exit nodes to sniff the potentially sensitive data transfered through Tor? Perhaps by using Tor in the first place, users are drawing more attention to the very activities they are trying to protect.