Two computer scientists from Cambridge University, Steven Murdoch and George Danezis, presented a paper on the anonymous communication system Tor earlier this week at the IEEE Symposium on Security and Privacy. Entitled "Low-Cost Traffic Analysis of Tor," the paper describes one possible attack on Tor's security that allows an attacker to learn which nodes make up a user's circuit, but not the identity of the user. The attack also requires that the attacker control the server that users are trying to reach. No aspect of the attack compromises user anonymity -- Tor users' identities are still secure.
"The paper is useful because it points out problems in some future design directions we were considering," said Tor developer Roger Dingledine. "I'm happy that we're getting serious academic research on Tor, and I'm happy that they didn't discover any attacks that could uncover users' identities. The next research question here is to try to show that their attack becomes weaker as the Tor network grows."
Tor is an open-source anonymous communication tool for the Internet, developed primarily by Dingledine and Nick Mathewson and currently supported by EFF.
"The reason Murdoch and Danezis picked Tor for their paper is that Tor is publicly documented, easily accessible, and is the free-route system to research," said Mathewson. "Not only is Tor advancing the state of anonymity research, but it's also getting better each time we learn about a new vulnerability."