The Torrid State of the Onion
Keir Little on the shutdown of the web’s biggest drug dealership
It was something like a 90s cyberpunk’s dream: an anonymous, hidden marketplace on the “deep web” where everything from research psychedelics to stolen credit card details could be bought. The Silk Road, considered by some a bold experiment in libertarianism, by others the biggest online hotbed of illegal trade, was finally shut down by the FBI last week after over two years of successful operation.
Tor, The Onion Router, sends connections through several relays around the world, hiding users’ IP addresses from the websites they visit. It also allows websites like The Silk Road to run as hidden services, which are accessible only via Tor and have a .onion domain name. Tor is widely used by journalists and activists to hide their identities and circumvent censorship in oppressive countries, but its hidden services are infamous for piracy and criminal activity.
The Silk Road takedown is the latest in a recent spate of developments on the Tor network: two weeks earlier, another marketplace called Atlantis shut down, seemingly voluntarily. In August, the hidden webhost service Freedom Hosting, which served child pornography, was seized by the FBI. Later that month, millions of new clients connected to the Tor network, far more than natural growth in the service’s popularity can account for and most likely the work of a criminal botnet. These events have raised concerns for Tor’s users, especially in light of the recent NSA leaks: is the network as anonymous as it claims, or has it been compromised by law enforcement agencies?
The Silk Road’s operator is known to its users as Dread Pirate Roberts. In real life, he is 29-year-old physicist Ross Ulbricht, who lives in San Francisco, and who had earned around $80 million from the site.
He was arrested last Thursday and charged with narcotics trafficking, computer hacking and money laundering, but it was human error, rather than any flaw in Tor’s anonymity, which led to his arrest: at the time of Silk Road’s launch in January 2011, a user called Altoid appeared on several forums advertising the site. One post contained Ulbricht’s personal email address, which led to his being investigated. In the Freedom Hosting case, the owner attempted to set up a bitcoin-dealing company using his real identity, which the FBI linked to the hidden services. The FBI took control of the servers after his arrest.
Both cases show that Tor hasn’t been compromised. However, Tor doesn’t protect against old-fashioned cracking: an unsecured hidden service, while anonymous, is just as susceptible to attack as anything accessible from the internet. Tor’s software is open source and extensively vetted, and the Tor Project say, “nothing about this case makes us think that there are new ways to compromise Tor (the software or the network)”. A recent leaked presentation from the NSA claims that, “we will never be able to de-anonymize all Tor users all the time”, going on to say that with manual analysis they can reveal a very small fraction of users, but not on demand.
Still, the confidence of Tor’s users, many of whom are attempting to evade snooping by the NSA, has been shaken. When the FBI seized Freedom Hosting, they installed JavaScript code exploiting older versions of the Tor Browser Bundle, which revealed many users’ IP addresses: not so much a chip in Tor’s armour as a complete sidestep around it. The exploit was quickly fixed, but it raises deep concerns that similar vulnerabilities could arise in the future. While Tor is certainly still safe for its intended purpose, hiding your IP address from websites, these recent events show that Tor alone isn’t enough to protect you when hosting criminal activity.
Paranoid users are looking towards alternatives such as I2P and Project Meshnet, but for most, the onion router’s anonymity hasn’t yet been peeled away.