According to an advisory posted on Wednesday, Tor discovered an attack that had been active for nearly five months, which could have revealed identifying details and other information related to people using the network to access hidden services.
The advisory explains that the attackers were leveraging a vulnerability in Tor to modify protocol headers in order to perform a traffic confirmation attack. Such an attack would inject a signal into the protocol header, which could then be used to compare certain metrics from relays to de-anonymize users. While the identity of the attackers remains unknown, they were clearly targeting people who operate or access Tor hidden services.
Tor officials said that the attacking relays joined the network on January 30, 2014 and remained active until July 4. As a result, users who operated or accessed hidden services during this time should assume they were affected by this incident.
"Unfortunately, it's still unclear what 'affected' includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up)," the advisory stated.
Moreover, the advisory speculates that the attack likely also attempted to learn who published hidden service descriptors, which would reveal the location of that hidden service. Thus, at least in theory, the attack could be used to link users to their destinations on normal Tor circuits too, "but we found no evidence that the attackers operated any exit relays, making this attack less likely," the advisory noted.
"While the Tor network is resilient and very successful at providing online privacy to users, it isn't a perfect solution to online privacy. It's important to remember that Tor protects against traffic analysis, but does not protect against traffic confirmation attacks, or endpoint correlation; the folks at Tor have even stated that traffic confirmation remains an ‘open research problem.’ Tor first released a blog about traffic confirmation attacks in 2009, and it has been a recurring problem since then," commented Josh Cannell, a senior researcher at Malwarebytes Labs.
The identity of the attackers is what's causing the most worry. There is hope that the attacking relays were maintained by the Carnegie Mellon University researchers who recently backed out of a talk at Black Hat on low-cost methods that would identify Tor users. If that isn't the case, then the other possible scenario involves a "large intelligence agency."
"And we might also worry about a global adversary (e.g. a large intelligence agency) that records Internet traffic at the entry guards and then tries to break Tor's link encryption. The way this attack was performed weakens Tor's anonymity against these other potential attackers too — either while it was happening or after the fact if they have traffic logs. So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future."
Tor says it has removed the attacking relays and released a software update that prevents relay-early cells from being abused.
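To make the header-level check concrete, here is an added example (not the article's or the Tor Project's own code) modelling the defensive rule the update relies on: in the Tor protocol, relay-early cells are only legitimate travelling outbound from the client, so a circuit that receives one inbound is treated as tampered with and closed. The log format, circuit ids and cell names are constructed for illustration.

```python
# Added example, not from the article or from Tor's source. Models the
# direction rule behind the fix: RELAY_EARLY cells are valid only in the
# outbound direction (client -> relays), so an inbound RELAY_EARLY cell is
# out-of-spec and is the kind of header-level signal the advisory describes.
from collections import defaultdict

RELAY = "RELAY"
RELAY_EARLY = "RELAY_EARLY"
OUTBOUND = "out"   # travelling from the client toward the service or exit
INBOUND = "in"     # travelling back toward the client


def parse_cell_log(lines):
    """Parse constructed log lines of the form 'circ=<id> dir=<in|out> cmd=<cmd>'."""
    cells = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        cells.append((int(fields["circ"]), fields["dir"], fields["cmd"]))
    return cells


def find_poisoned_circuits(cells):
    """Return {circuit id: inbound relay-cell sequence} for every circuit that
    received at least one inbound RELAY_EARLY cell (the out-of-spec pattern)."""
    inbound_sequence = defaultdict(list)
    flagged = set()
    for circ, direction, cmd in cells:
        if direction == INBOUND and cmd in (RELAY, RELAY_EARLY):
            inbound_sequence[circ].append(cmd)
            if cmd == RELAY_EARLY:
                flagged.add(circ)
    return {c: inbound_sequence[c] for c in sorted(flagged)}


def should_close_circuit(circ, cells):
    """Mitigation: tear the circuit down as soon as an inbound RELAY_EARLY is seen."""
    return circ in find_poisoned_circuits(cells)


SAMPLE_LOG = [  # constructed sample, not real Tor output
    "circ=1 dir=out cmd=RELAY_EARLY",  # normal: outbound relay-early during extension
    "circ=1 dir=in cmd=RELAY",
    "circ=2 dir=out cmd=RELAY_EARLY",
    "circ=2 dir=in cmd=RELAY_EARLY",   # anomalous: relay-early arriving inbound
    "circ=2 dir=in cmd=RELAY",
    "circ=2 dir=in cmd=RELAY_EARLY",
]

if __name__ == "__main__":
    print(find_poisoned_circuits(parse_cell_log(SAMPLE_LOG)))
```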