The Tor Project has released an official statement confirming rumors about a long-standing attack on the browser that may have put the anonymity of users at risk.
According to the released blog post, the attack began in January. As of February and until the discovery on July 4th, users may have been exposed by the perpetrators. That means at least six months of a security breach.
When the attack was discovered, staff followed the thread to find out exactly what had happened. They found that someone had used modified Tor protocol headers to carry out traffic confirmation attacks. The attack remained on the network, undetected, from January 30th onward.
If you have used Tor during that six-month period, the Tor Project says that there is a strong likelihood that you will be impacted by this issue. At the very least, you can assume you will be grouped in with those affected.
What does that mean? That’s the problem…they don’t know.
Right now, there is no way for them to confirm how much data has been collected, by whom, or why. But they believe there are a couple of possibilities, based on the combination of a traffic confirmation attack and a Sybil attack:
1) Information on users who fetched hidden service descriptors
2) Who published hidden service descriptors
3) Location of hidden services.
How much of that was actually found is unclear, though they don’t think it is likely that any actual information on the pages, such as what was searched and used, was collected.
Who could possibly have done this? I don’t think we have to look too far with our speculation. The NSA has been against the very idea of The Tor Project, even though the government helps fund it. Their branch wants to know who uses it, and why. It was only a matter of time before one of their efforts was discovered.
Of course, that isn’t a fact, only an estimation. But I would say the guess is an educated one.
There could also be other research groups who decided to slip in through the back door to collect their data on the sly. But that seems far less likely.
In any case, Tor has been compromised but patched. Since most people who use the browser don’t do it for illegal reasons, their outrage might have once been more theoretical/philosophical than direct.