TOR patch coming

TOR oversight group preps a patch for flaw that was the subject of a canceled Black Hat briefing

The TOR Project thinks it has figured out how the author of a canceled Black Hat talk cracked its software to mask the source of Internet traffic, and it is working on a patch.

Roger Dingledine, Onion Router Project Joi Ito, via Flickr

Onion Router Project's Roger Dingledine: The TOR bug is “a nice bug, but it isn't the end of the world.”

In a mailing list post, the cofounder of The Onion Router Project says he believes he knows how researchers at Carnegie Mellon can figure out the origin of traffic routed through TOR. “Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found,” says Roger Dingledine in a post July 21.

+ Also on Network World: Black Hat presentation on TOR suddenly cancelled; The Black Hat Quiz 2014 +

TOR encrypts traffic and hides its source by bouncing it among a series of random nodes called relays before moving it along to its destination.

Researcher  Alexander Volynkin, a researcher at Carnegie Mellon University’s Computer Emergency Response Team, had been slated to give a talk at Black Hat next month called “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget”, that promised to reveal an inexpensive method for unraveling the true source of TOR traffic. The talk was canceled due to intervention from university lawyers because the material wasn’t cleared for public release.

Dingledine says he’s pretty sure he understands what Volynkin would have revealed and a way to correct the problem. “I think I have a handle on what they did, and how to fix it,” he writes.

He says he hopes to convince researchers who discover such flaws to share them with The TOR Project before publicly disclosing them so the project has the chance to close any loopholes. TOR is a tool used by human rights groups, journalists and others to whom it is important to conceal their locations.

“We've been trying to find delicate ways to explain that we think we know what they did,” he writes, “but also it sure would have been smoother if they'd opted to tell us everything. The main reason for trying to be delicate is that I don't want to discourage future researchers from telling us about neat things that they find.”

Once a vulnerability is flagged it’s usually possible to shore it up. “The bug is a nice bug,” he writes, “but it isn't the end of the world.”

Keeping TOR secure is an ongoing project. “And of course these things are never as simple as ‘close that one bug and you're 100% safe,’ Dingledine writes.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter@Tim_Greene.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.