Cracks in the Onion: How German Law Enforcement is Piercing Tor’s Anonymity

Simone Nogara
Sep 20, 2024

The Tor network, which has long been considered a beacon of privacy and anonymity for its users, is now facing serious scrutiny. Recent reports from Germany reveal that the country’s law enforcement agencies successfully deanonymized users involved in illegal activities on the dark web. This revelation has sparked widespread concern about whether Tor is still a safe tool for protecting users’ identities. Despite these claims, the Tor Project has assured the public that the network remains secure, particularly for users who follow the best security practices.

The German Police Breakthrough

From 2019 to 2021, German law enforcement agencies, including the Federal Criminal Police Office (BKA), carried out a comprehensive investigation that led to the deanonymization of certain users on the Tor network. The targets of these investigations were primarily individuals involved in child sexual abuse material (CSAM) distribution on the dark web.

Law enforcement officials were able to pierce through the anonymity of the Tor network using timing analysis and monitoring Tor entry nodes. These methods allowed them to trace users’ activities, leading to significant arrests and prosecutions. While the breakthrough has been heralded as a success in law enforcement circles, it has raised alarms about the vulnerability of Tor users to such deanonymization techniques.

How Timing Attacks Work

At the core of these deanonymization methods is a technique known as timing analysis. This method involves correlating the timing of data as it enters and exits the Tor network. If law enforcement agencies can monitor both the entry node (the point where a user’s traffic enters the network) and the exit node (where the traffic leaves the network), they can match up the timing patterns and link them to a specific user.

  • Entry Node Monitoring: The first node your traffic connects to is the entry node. This is where your IP address is visible, although the data that passes through is encrypted.
  • Middle Relays: Your data is then passed through a series of middle relays, where no single node has the full picture of both the origin and destination.
  • Exit Node: The last relay decrypts the data and sends it to its final destination. The exit node sees the destination but cannot know the origin.

By carefully analyzing the size of data packets and timing of network traffic, authorities can make educated guesses about a user’s identity if they control or monitor both the entry and exit points. This timing correlation attack does not reveal the content of the communication, but it can unmask who is communicating and where.
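The correlation described above can be illustrated with a toy model. This is an added example, not part of the original article: it uses only constructed, synthetic packet timestamps, and the traffic model, the parameters and every function name are assumptions chosen for illustration. It shows that the same flow seen on both sides of the network scores far higher than unrelated flows, even though no payload is ever inspected.

```python
import random
from statistics import mean

WINDOW = 1.0      # seconds per counting bin (assumed)
DURATION = 300.0  # seconds of observation (assumed)

def bursty_flow(rng, duration=DURATION):
    """Constructed packet timestamps: short bursts separated by idle gaps."""
    t, times = 0.0, []
    while t < duration:
        t += rng.expovariate(0.5)            # idle gap, mean 2 s
        for _ in range(rng.randint(5, 40)):  # one burst of packets
            t += rng.expovariate(100)        # packets about 10 ms apart
            if t < duration:
                times.append(t)
    return times

def through_network(times, rng, latency=0.1, jitter=0.05):
    """The same flow seen on the far side: fixed delay plus per-packet jitter."""
    return sorted(t + latency + rng.uniform(0, jitter) for t in times)

def binned(times, window=WINDOW, duration=DURATION):
    """Packets per time window; only timestamps are used, never content."""
    counts = [0] * int(duration / window + 2)
    for t in times:
        counts[int(t / window)] += 1
    return counts

def pearson(a, b):
    """Pearson correlation coefficient of two equal-length count series."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def score_candidates(seed=1, n_unrelated=4):
    """Score one entry-side flow against several exit-side candidate flows."""
    rng = random.Random(seed)
    entry = bursty_flow(rng)
    exits = {"same-flow": through_network(entry, rng)}
    for i in range(n_unrelated):
        exits[f"unrelated-{i}"] = bursty_flow(rng)
    entry_counts = binned(entry)
    return {name: pearson(entry_counts, binned(ts)) for name, ts in exits.items()}

if __name__ == "__main__":
    for name, score in score_candidates().items():
        print(f"{name:12s} {score:+.2f}")
```

Encryption hides what is sent, but the rhythm of the traffic survives the trip through the relays, which is why observing both ends is enough to link them.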

Specifics of the German Investigation

According to the reports, German law enforcement’s attack was highly targeted. Authorities monitored specific onion services, which are sites that are only accessible via the Tor network, and used extended surveillance over months or even years to achieve deanonymization. This lengthy and resource-intensive approach was instrumental in their success.

Importantly, German authorities claimed to have successfully deanonymized multiple users involved in criminal activities, which ultimately led to prosecutions and long prison sentences for the individuals involved. The operation also highlighted the fact that Tor’s anonymity can be compromised under certain conditions, particularly when users fail to follow security best practices or use older software versions.

The Tor Project’s Response

In response to these claims, the Tor Project has acknowledged that while deanonymization is possible, it typically requires extensive resources and highly specific conditions. The organization has worked to improve the security of the network, introducing updates such as the Vanguards-lite add-on, which protects against guard discovery attacks. This type of attack, used in the German investigations, attempts to identify the first node (the guard node) through which a user connects to the network.

The Tor Project emphasized that the attacks carried out by German law enforcement are not a sign of a systemic failure of the network, but rather isolated incidents that took advantage of specific weaknesses. They also stressed that since 2021, additional security features have been introduced to mitigate the risks posed by these types of attacks.

Ongoing Risks and Concerns

While the Tor Project has reassured users, some security experts warn that Tor nodes can still be operated by law enforcement agencies or cybercriminals, which can pose significant risks to users who are not cautious. If an adversary controls multiple nodes, especially the entry and exit nodes, they can potentially deanonymize a user through traffic correlation.

  • Node Surveillance: As mentioned earlier, one of the key risks lies in the fact that anyone can run a Tor node. Both law enforcement and malicious actors could potentially run nodes to monitor user traffic.
  • Small Node Pool: Despite Tor’s popularity, the network is not as expansive as its name suggests. With only about 7,000 to 8,000 active nodes, there are concerns that the relatively small size of the network makes it easier for adversaries to monitor traffic.

Staying Safe on Tor

Despite these risks, the Tor network remains one of the best tools for maintaining privacy online, particularly when users follow security best practices. Here are some recommendations from security experts to stay safe while using Tor:

  • Download from the Official Website: Always download the Tor Browser from the official Tor Project website to avoid malicious versions.
  • Update Regularly: Keep your Tor Browser updated to ensure you have the latest security patches.
  • Use Default Settings: Stick to the default Tor settings, and only make changes if you fully understand the implications.
  • Enable the “Safest” Security Level: This setting disables most features that could potentially compromise your anonymity, such as JavaScript.
  • Avoid Personal Accounts: Refrain from logging into personal accounts, such as email or social media, while using Tor, as this could easily lead to deanonymization.
  • Combine with a VPN: For added protection, use a reputable VPN alongside Tor to create an extra layer of encryption.

Conclusion: Is Tor Still Safe?

In conclusion, while the German law enforcement breakthrough has raised concerns, Tor remains a valuable tool for maintaining anonymity. However, users need to be vigilant and follow best practices to protect their privacy. The Tor Project continues to introduce updates to improve the security of the network and mitigate risks like timing attacks. For the vast majority of users, Tor remains a reliable option for anonymous browsing, especially when used properly.

The world of online privacy is always evolving, and so must our understanding of the tools we use to protect ourselves. As long as users remain cautious and follow recommended safety guidelines, Tor will continue to be a crucial ally in the fight for online privacy.


I’m Simone Nogara, a Cloud Security Architect for Gov agencies