Tor's USP is that it allows users to access sites (like Silk Road) untracked and unmonitored by prying eyes – but it seems like it may be less secure than originally thought. Developers at the Tor Project have revealed that an attack on the network may have revealed the identities of users for a period of up to five months.
According to a blog post on the site, the attacking relays joined the network on 30th January and were eventually removed by July 4. Tor says that "any users who operated or accessed hidden services from early February through July 4 should assume they were affected." However, it remains unclear what that attack actually constituted and how much information was exposed.
The Tor Project believe that the culprits were most likely two Carnegie Mellon researchers who were set to give a talk entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" at the Black Hat USA 2014 security conference. Alexander Volynkin and Michael McCord, the security experts behind the talk, claimed that they would show how to crack Tor on a budget of $3,000 or less.
Unfortunately, Volynkin and McCord's talk was pulled from the line-up less than a week before the conference opened. According to a statement issued by the conference organisers, this was because "the materials that (Volynkin) would be speaking about have not yet been approved by CMU/SEI for public release".
The Tor Project said that it had been trying to extract information from Volynkin and McCord for months without much luck, but said it would be relieved if the researchers were behind the security breach "since otherwise it means somebody else was".
Earlier, this week it was revealed that the US government had increased Tor's annual funding to $1.8 million in 2013, despite reports that the NSA was trying to shut down the network. Federal funding for Tor reportedly increases annually. Could there be a government interest in shutting down a talk revealing how to deanonymise Tor users?
Follow Thomas Gorton on Twitter here @angstromhoot
Have some news? Let us know on email@example.com