NSA and UK intel agency GCHQ target online anonymity tool Tor, according to leaked Snowden documents

Despite the fact that online anonymity tool Tor was developed with US government funds, the NSA really does not like Tor.

Top-secret documents leaked to the Guardian by former US intelligence contractor Edward Snowden reveal details of repeated attempts by the US and UK governments to crack Tor, the "onion router" that was originally funded in by the US government, and used widely by dissidents and activists around the world. Tor's core network security remains intact, but the NSA has had some success attacking users' computers, according to the report.

Who uses Tor? According to one of the slides in the leaked presentations, "Terrorists!" The NSA is fond of the generous use of exclamation points in these things.

Who uses Tor? According to the NSA, in red, "Terrorists!"


Top-secret NSA documents, disclosed by whistleblower Edward Snowden, reveal that the agency's current successes against Tor rely on identifying users and then attacking vulnerable software on their computers. One technique developed by the agency targeted the Firefox web browser used with Tor, giving the agency full control over targets' computers, including access to files, all keystrokes and all online activity.

But the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled 'Tor Stinks', states: "We will never be able to de-anonymize all Tor users all the time." It continues: "With manual analysis we can de-anonymize a very small fraction of Tor users," and says the agency has had "no success de-anonymizing a user in response" to a specific request.

A slide published by the Guardian from a top-secret NSA powerpoint presentation explaining how, and in what kinds of scenarios, agents may work to compromise the online anonymity tool Tor.

Selected extracts from the documents leaked to the Guardian by Snowden illustrate how NSA uses a technique codenamed "EgotisticalGiraffe" to attack Tor users through vulnerable software on their computers.

And another published by the Guardian, titled "Tor Stinks," includes this observation: "We will never be able to de-anonymize all Tor users all the time," but "with manual analysis we can de-anonymize a very small fraction of Tor users."

In another NSA document excerpt published by the Guardian, Tor is described as "The king of high-secure, low-latency anonymity." The NSA acknowledges Tor's fundamental security, and notes that "there are no contenders to the throne in waiting."

A related commentary at the Guardian by Bruce Schneier: "Attacking Tor: how the NSA targets users' online anonymity." The short version: "Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult." Snip:

The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.

Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.

Update: The Washington Post's Barton Gellman and a team of reporters have published their Tor story from the Snowden documents.