Tor Anonymizer Project co-creator agrees that there is a bug in Tor and is working on rectifying it
Earlier this month two security researchers, Alexander Volynkin and Michael McCord, announced plans to reveal a way to de-anonymize users of Tor. The two security experts from Carnegie Mellon University’s computer emergency response team (CERT) were to reveal their findings at the Black Hat conference in Las Vegas in August 2014. Tor is built around the concept of anonymizing users so that the destination site doesn’t know where the request for a particular page was initiated from. If Volynkin and McCord had been proved right, it would have meant the death of anonymity for Tor users. Both Volynkin and McCord were barred from further divulging information about the research they had undertaken.
Now, in a surprising twist, a co-creator of the system today agreed that there was indeed a bug in the Tor Anonymizer Network and said he is tackling the “bug” that threatened to undermine the facility. Roger Dingledine, one of Tor’s creators, posted a message to a mailing list confirming the bug. He added that the Tor Project had been informally shown what the two researchers were to divulge at the conference and that he was taking action to tackle it.
“I think I have a handle on what they did, and how to fix it,” he added in a follow-up post. “We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything. Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world.”
For the uninitiated, the Tor (the onion router) network was built to allow people to visit webpages without being tracked and to publish sites whose contents would not show up in search engines. It works on the simple principle of adding multiple layers of anonymizers between the request and the landing page, so that neither end knows who is on the other side.
Regarding the research to be presented at the August Black Hat conference, a notice now posted on the event’s website states that the organisers had been contacted by the university’s lawyers to say the talk had been called off.
“Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release,” the message said.