May 16, 2005 | By Annalee Newitz

Academics Analyze TOR Security in Paper at IEEE Symposium

Two computer scientists from Cambridge University, Steven Murdoch and George Danezis, presented a paper on the anonymous communication system Tor earlier this week at the IEEE Symposium on Security and Privacy. Entitled "Low-Cost Traffic Analysis of Tor," the paper describes one possible attack on Tor's security that allows an attacker to learn the nodes in a user's circuit, but not the identity of the user. The attacker must also control the server that users are trying to reach. But no aspect of the attack compromises user anonymity -- Tor users' identities are still secure.

"The paper is useful because it points out problems in some future design directions we were considering," said Tor developer Roger Dingledine. "I'm happy that we're getting serious academic research on Tor, and I'm happy that they didn't discover any attacks that could uncover users' identities. The next research question here is to try to show that their attack becomes weaker as the Tor network grows."

Tor is an open source, anonymous communication tool for the Internet, developed primarily by Dingledine and Nick Mathewson, and is currently supported by EFF.

"The reason Murdoch and Danezis picked Tor for their paper is that Tor is publicly documented, easily accessible, and is the free-route system to research," said Mathewson. "Not only is Tor advancing the state of anonymity research, but it's also getting better each time we learn about a new vulnerability."

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Censorship powers, data retention, and vague hacking crimes: Pakistan's terrible cybercrime bill has it all:

Nov 25 @ 5:11pm

While Bangladesh blocks social messaging apps, locals are turning to Tor and Twitter:

Nov 25 @ 3:50pm

You've heard recent news about Securus, the prison phone service. It's also the proud owner of a very stupid patent.

Nov 25 @ 3:09pm
JavaScript license information