Pando

Tor founder warns attack on network could be "really bad," allowing traffic to be hijacked

By Yasha Levine and Paul Carr , written on December 19, 2014

From The News Desk

Oh boy. For weeks, Pando has been covering the cosy relationship between the Tor network and the US government. Tonight that relationship appears to be on the rocks.

Earlier today, Tor cofounder Roger Dingledine (above) published a blog post warning that Tor had received a tip that forces unknown (or undisclosed) may be about to seize one or more of the nine “directory authority” servers which tell Tor traffic where to go. If that happened, Dingledine explained, the Tor network would be incapacitated.

As we wrote earlier, the wording of the post appeared to suggest that the threatened attack came not from hackers but from some kind of official agency, perhaps even Tor’s friends in the US government. Commenters on Dingledine’s post were quick to speculate over possible FBI involvement, maybe in response to the North Korea Sony hacks.

The source of the possible attack is still unknown, but Dingledine has since added comments to his post which suggest that the risk to Tor may be more dire than previously stated.

The risk has to do with Tor’s “directory authorities” — which are hardcoded into Tor clients and serve as the network’s centralized addressing system.

Screen Shot 2014-12-19 at 11.14.01 PM

Yes, we said “centralized.” For all the talk about Tor being a totally independent ad-hoc system that operates outside the realm of anyone’s control, it does in fact have a highly centralized network architecture that’s run by key Tor developers and insiders. There are currently nine directory authorities — one is run by Tor developer Jacob Appelbaum, while another is run by Tor cofounder Dingledine himself.

The administrators of these directory authorities have a lot of power over the way information is routed through Tor — including the ability to prevent certain Tor nodes from taking an active part in the network. Which is interesting considering that several of the people in charge of managing the routing system are drawing their salaries from Pentagon and State Department grants. But that’s a different story

What’s important to understand now is that the directory authorities communicate with each other every hour to reach a consensus as to the state of the network. If enough of the directory authorities (more than four out of nine) could be compromised -- and their signing keys obtained -- then, Dingledine writes, it would theoretically be possible to hijack Tor and redirect its traffic to rogue relays — relays that could be under the control of the FBI, the NSA, the CIA or, well, pretty much anyone else.

“If they nonetheless can extract five unexpired signing keys, then they can make up their own consensus and point people to their own relays. That would indeed be really bad.”
That would indeed be really bad.

Dingledine tries to reassure Tor users, however, that a domestic or foreign government is unlikely to do such a thing as… uh… it would be illegal and make the Electronic Frontier Foundation mad.

“For a bit of consolation, it would be super highly illegal and places like EFF would be happy to mess them up for it. But let's hope that doesn't happen, especially now that we've made clear to them all the collateral damage involved.”
Dingledine’s faith that the US government wouldn’t behave in highly illegal ways or that it fears a call from the EFF is certainly charming. The question is will enough Tor users share that faith and continue trusting their lives to a network that it now appears can be hijacked by the government any time it pleases.

We’ve asked Tor for comment on the nature of the feared attack but they haven’t responded. We’ll update this post if they do.

[Illustration by Brad Jonas for Pando]