Tor was initially established as a means of protecting privacy and helping individuals and organizations defend against network surveillance and traffic analysis. The idea was to form a truly anonymous network, where volunteer node operators would work together to establish a private and trusted environment. Unfortunately, Tor has been compromised many times over the years, often because of its fundamental design philosophy.
Let’s take a look at two recent examples of how Tor node operators can compromise security:
The first involves malevolent Tor node operators leveraging an exit node to automatically modify software patches to include malware. Unfortunately, this one is being seen in the wild already.
How does it work? When a user downloads a software patch while using Tor and happens to get routed through the attacker’s exit relay, the node automatically substitutes the desired software with an infected version that installs malware and ultimately gains control. This attack relies on the fact that many software downloads happen over insecure channels.
The second uses Tor and some quirks in the security model of Bitcoin to allow attackers to create double spending, and it even creates an alternative shadow hash chain visible only to the victims. Fortunately, this example is currently only academic in nature, but it shines a bright light on a potentially serious issue that could impact a lot of people.
The overarching problem, which is evident in each of these examples, is that anyone can set up a Tor node. This means it’s almost impossible to establish a sense of trust with the operators. While most people who operate Tor nodes have only good intentions, many others do so with ulterior motives.
Read more about Tor vulnerabilities.