About eleven months ago, we devoted a 4cast post to Tor, leading off with a Boing Boing article by Alison Macrina about libraries in Massachusetts using the Tor browser to protect patron privacy. Ms. Macrina is the founder and director of the Library Freedom Project, which last week announced a new initiative to establish Tor exit relays in libraries, “to help libraries protect internet freedom.” The whole point of Tor is to provide online anonymity, so things like browsing habits cannot be tracked. Ironically, however, several articles also published last week reported on findings that Tor browsing currently may not be totally anonymous after all.
- Tor exit relays in libraries: a new LFP project (Library Freedom Project | Alison Macrina and Nima Fatemi) “When a user opens the Tor Browser and navigates to a website, her traffic is bounced over three relays, scrambling her traffic with three layers of encryption, making her original IP address undetectable. The exit relay is the last relay in this circuit, the one that talks to the public internet. Fast, stable exit relays are vital to the strength of the Tor network. Non-exit relays – guards, middle relays, and bridges – are also important to the Tor network, but exit nodes are the most needed, and libraries can afford some of the legal exposure that comes with an exit.”
- Crypto activists announce vision for Tor exit relay in every library (Ars Technica | Cyrus Farivar) “‘Librarians see the value as soon as you say “privacy protecting technology,”’ Alison Macrina of the LFP told Ars via encrypted chat. ‘When we get into the basics of free software and cryptography, they are hooked.’ For now, the LFP has only managed to set up a middle relay—one of the three major types of relays in a library in New Hampshire, but hopes that after further testing it can be upgraded to an exit relay in about a month.”
- Shoring up Tor (MIT News | Larry Hardesty) “During the establishment of a circuit, computers on the Tor network have to pass a lot of data back and forth. The researchers showed that simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 percent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary. Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88 percent accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88 percent certainty, identify it as the service’s host.
- MIT researchers figure out how to break Tor anonymity without cracking encryption (ExtremeTech | Ryan Whitwam) “This is only possible because the attacker is running the entry node the victim is connected to. However, the entry node is selected randomly for each session. The attacker would need to run a lot of guard nodes to identify a significant number of connections and it would be very hard to target a specific user. The fix for this attack is actually pretty simple. The Tor network needs to start sending dummy packets that make all requests look the same.”
Articles from Ohio Web Library:
- Dissent made safer. (Technology Review, May/June 2009, p.60-65 | David Talbot)
- Web search query privacy: Evaluating query obfuscation and anonymizing networks. (Journal of Computer Security, 2014, p.155-199 | Sai Teja Peddinti and Nitesh Saxena)
- The Tor browser and intellectual freedom in the digital age. (Reference & User Services Quarterly, Summer 2015, p.17-20 | Alison Macrina)