Documents provided by Edward Snowden and The Guardian, especially the NSA’s now famous “Tor Stinks” presentation, offer proof that the Tor project — which was designed to defend against traffic analysis — must be working. However, an excerpt from the second slide in the NSA presentation hints at something else, “With manual analysis we can de-anonymize a very small fraction of Tor users.”

That, plus what Tor (or the onion router project) does and doesn’t do, are areas I’ll explore in this column. First, I’ll look at why some people use Tor.

Who uses Tor and why?

If you ask the people at the Electronic Frontier Foundation (EFF), everyone should be using Tor. “Tor is a network and a software package that helps you anonymously use the Internet,” states EFF staffer Cooper Quintin. “Specifically Tor hides the source and destination of your Internet traffic, this prevents anyone from knowing both who you are and what you are looking at (though they may know one or the other).”

More on the EFF’s interesting qualification in parentheses later.

Some reasons why people use Tor are to:

  • Protect privacy: Prevent ISPs and websites from gathering information about users and selling the data to third parties.
  • Protect communications: Tor is recommended as a way to keep digital communications private.
  • Research sensitive topics: Desired information may not be available due to an individual’s geographical location. Tor eliminates the ability to determine an individual’s location by obfuscating the IP address of the individual’s computer.
  • Skirt surveillance: Using Tor removes the ability to correlate visited sites with the visitor’s identity.
  • Circumvent censorship: Blocking access depends on knowing where the request is coming from — using Tor removes that ability.

How Tor works (the simple version)

The Tor application consists of a user software client and relay servers built and maintained by volunteers. There are three types of relay servers: middle, bridge, and exit.

  • Middle relay: This server accepts traffic from the Tor client, and passes it along to another middle relay (usually a minimum of three relay hops are used).
  • Bridge relay: These servers are not listed anywhere that data about Tor relay servers is published, because they are used as censorship-avoidance tools.
  • Exit relay: Traffic routed through the Tor network will exit to the public internet through this type of Tor server.

An example based on the diagram in Figure A might be helpful. First, the Tor client on Alice’s computer obtains a list of relay servers from Dave’s computer, a directory server. Then, the Tor client on Alice’s computer selects a random path to the destination server run by Bob. This approach makes it difficult to determine specific information about the source, such as the IP address of Alice’s computer.

Figure A

The route is not secured end-to-end

In Figure A, the server encircled in blue is the exit relay. The dotted red line simulates Alice’s traffic emerging from the Tor exit relay and traveling the public internet to Bob’s server. Any digital traffic (email, web browser, IM, etc.) at this point is clear-text data. The individual (volunteer) in charge of the exit relay or any digital miscreant along the public internet route (the red dotted line) has the ability to capture and read the traffic, unless it has been encrypted prior to passing through the Tor client on Alice’s computer.

I want to reiterate that the digital traffic that traverses a Tor relay network is not secure — it may be anonymous, but it is not secure.
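The point above, as an added example that is not part of the original column: a Python sketch of Tor-style layered encryption that shows what each relay forwards, and why only encryption applied before the traffic enters Tor protects it at the exit relay. The SHA-256 keystream is a toy stand-in for Tor's real per-hop ciphers, and the keys, the login request and all function names are constructed for illustration.

```python
import hashlib
from itertools import count

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in for Tor's real
    per-hop ciphers; for illustration only, not for protecting data."""
    stream = bytearray()
    for ctr in count():
        if len(stream) >= len(data):
            break
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed per-hop keys; a real client negotiates one with each relay.
HOP_KEYS = [b"key-entry", b"key-middle", b"key-exit"]

def wrap(payload: bytes, hop_keys=HOP_KEYS) -> bytes:
    """Client side: add one layer per relay, exit relay's layer innermost."""
    for key in reversed(hop_keys):
        payload = keystream_xor(key, payload)
    return payload

def relay_views(cell: bytes, hop_keys=HOP_KEYS) -> list:
    """Each relay strips its own layer; return what each one forwards."""
    views = []
    for key in hop_keys:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views

def exit_relay_sees(payload: bytes) -> bytes:
    """Bytes the exit relay puts on the public internet toward Bob."""
    return relay_views(wrap(payload))[-1]

# Constructed sample traffic from Alice.
HTTP_LOGIN = b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2"
# Stand-in for the same request inside TLS: encrypted under a key that only
# Alice and Bob hold (hypothetical key; real HTTPS negotiates it).
TLS_LOGIN = keystream_xor(b"alice-bob-session-key", HTTP_LOGIN)

if __name__ == "__main__":
    for name, sent in (("http", HTTP_LOGIN), ("https", TLS_LOGIN)):
        seen = exit_relay_sees(sent)
        print(name, "password visible at exit:", b"password=" in seen)
```

The entry and middle relays forward only ciphertext in both cases; the difference appears at the exit relay, where the plain HTTP request emerges intact while the pre-encrypted one remains unreadable without the key shared by Alice and Bob.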

How prevalent is exit-relay snooping?

Chloe, an independent security researcher, concocted a clever way to test exit relays. After examining 1,400 exit relays, Chloe found seven that were intercepting traffic, in particular, passwords.

Chloe told Lorenzo Franceschi-Bicchierai in this Motherboard blog post that she was not surprised by the low number, adding “Tor is mostly run by good people.” Chloe added that this should serve as a reminder to Tor users to never trust exit relays and to always use some form of encryption such as HTTPS.

What about remaining anonymous?

Tor’s ability to keep those who use the Tor network anonymous is suspect. The NSA admits that, although it’s difficult, it’s possible to determine the source of traffic being sent through the Tor network.

For several years, academic researchers have been reporting that anonymity offered by Tor is not guaranteed. This US Naval Research Laboratory and Georgetown University paper (PDF) from 2013 mentions, “Our analysis shows that 80% of all types of users may be deanonymized by a relatively moderate Tor-relay adversary within six months.”

Research by another team, led by Dr. Sambuddho Chakravarty, resulted in this paper (PDF). Chakravarty writes, “Systems like Tor are inherently vulnerable to traffic analysis attacks, wherein a powerful adversary, capable of observing traffic in several networks, can correlate statistics in them to find similarities and thus associate unrelated network connections. Such attacks can lead an adversary to the source of an anonymous connection.”

In the same paper, Chakravarty offers the following suggestion, “Users that solely seek censorship resistance should use either a system such as Obfsproxy, that employ steganographic techniques to obfuscate anonymous communication or rely on new anti-censorship tools, based on Decoy Routing, such as Cirripede.”

Security and anonymity

Tor does not secure the traffic passing through it; those concerned need to encrypt the traffic. As for anonymity, a growing body of research indicates that anonymity is not guaranteed by Tor. On a positive note, as the NSA presentation indicates, it is far from simple to deanonymize individuals who are using the Tor network.

Note: TechRepublic and ZDNet are CBS Interactive sites.