When many people reach for an anonymity tool, they reach for Tor, and that is understandable because it is well known and the price of FREE is very attractive. It was created by a bunch of smart and talented folks. Unfortunately, some fundamental problems exist — problems you cannot simply patch because they are fundamental to the architecture and philosophy of the system.
The core foundational concept for Tor is that a user should never have to place all of their trust in any one entity. User traffic typically is sent through three “relays” run (in principle) by three different people. Tor assumes that your connection is encrypted end-to-end, so there are no worries about interception of data in transit.
Unfortunately, this breaks down in the face of reality. Many “bad actors,” from criminals to nation states, run Tor nodes for the purposes of tracking or otherwise harming users. For a fairly modest investment, attackers can acquire and operate enough relays to make the probability that they will control the first and last hoops in a chain fairly good, at least over a period of time. Just 5 percent of relays transport 50 percent of the traffic. If an attacker runs both, they can fairly easily identify users with their activities.
The Lizard Squad attack on Tor following their MSN and XBox DDOS attacks is a good example. This attack involved attackers setting up a large number of Tor nodes to quickly compromise the security and anonymity of the network. It only failed because they were completely unsophisticated. They set up the nodes quickly, which made them easy to identify and block, and they told the world that they were doing it, which tells everyone to look in the first place. However, other attackers could do the same slowly and quietly with great effect.
Further, the idea that all of the activity will be encrypted end-to-end (a core assumption of the Tor security model) is completely unrealistic. After all, many websites don’t support secure HTTPS connections. Email is often sent in the clear, and many other services have no way of supporting encryption. Attackers can fairly easily see, intercept, and even modify the un-encrypted traffic if they control the exit relay. The modifications can include inserting malware or other trackers. Controlling the exit relay for a given user is statistically vastly more likely than controlling both the first and last, while still giving access to all of that unprotected traffic.
Being the first relay also has its advantages. It clearly shows which people in the world are using Tor. If the attacker has a set of people it is monitoring, it can see when they use Tor. It could then also look for timing correlations with visits or posts to websites of interest.
All of these problems stem from the fact that you don’t know and can’t trust the relay operators. The alternative is to know and trust specific people or organizations, based on their reputations and track records. Our 19-year track record appears to support the contention that this is the best way to go.