Tor, an acronym for The Onion Router, is free software for anonymous online communication that masks a user’s identity by hiding the originating and destination IP addresses of messages sent through it. It is also — at least in the eyes of the public — used by cybercriminals and illicit sites such as the infamous Silk Road. But how many know that the initial development was really done by the U.S. government?

No, that’s not a joke. Not only did it get the project off the ground, but the government continues to fund it to this day.

The Push and the Pull

Tor started as an effort by the Office of Naval Research (ONR) and Defense Advanced Research Projects Agency (DARPA) to cloak the online identity of government agents and informants while in the field by obscuring their IP addresses. But the sponsors realized that if only these agents were using the system, their traffic would be functionally identified rather simply. In other words, they needed to have other traffic on Tor to mask the government activity, according to SecurityWeek.

Thus, the State Department began a push and pull with itself over Tor. One side touted its humanistic use for the anonymity of dissidents in repressed countries, and the other side worked on figuring out how to break that anonymity.

What Is Tor?

The project uses three programs packaged into one bundle. Tor, which accesses the network, is the first. Then there’s Vidalia (at least on Windows), which is a proxy that links the network to a port on your computer. Lastly, a browser, typically Firefox, is used. However, it is modified to only access the Internet through the Vidalia port.

The bundle includes other security features such as private browsing mode, disabled plugins, HTTPS, the Adblock Plus plugin and other patches in the browser’s settings. Most users will go for the bundle since it includes the most common options already set up, though most any browser could be configured to run on the network.

Change of Image

Though the project is mainly staffed by volunteers that maintain the code, it became obvious after being faced with both increased demand and more government scrutiny that an image change was necessary.

So Roger Dingledine, the director of the project, stepped aside for a new leader: Shari Steele, previously the executive director of the Electronic Frontier Foundation (EFF) for 15 years. She had the qualities to attract new donors to augment government grants and polish an image that had lost some luster.

A Known Vulnerability

If enough of the network nodes are controlled by one entity, then the Tor network is vulnerable to that entity. “We’ve always been watching that,” Steele told Ars Technica of this vulnerability. “But we now have some serious things in place to pay attention to when a bunch of new nodes are all showing up from the same location or from something similar. It could be disguised if we didn’t identify when all the new nodes are coming from the same place, but there are alarms now that go off.”

That kind of watching makes it harder — though still not impossible — for a state actor to gain network control or execute attacks on a network.

Cybercriminals have discovered this ability, as well. The “IBM X-Force Threat Intelligence Quarterly, 3Q 2015” revealed that the Tor network is increasingly leveraged for malicious purposes, such as completing payments for ransomware.

Does It Really Work?

The Onion Router can enhance privacy but by no means guarantee it. Repeated use of the tool allows adversaries to analyze and possibly decrypt the traffic because of the increased attack surface and surplus of data.

What the threat model is for the individual becomes rather important here. As an example, the simple use of Tor may call attention to a message for no other reason than that it was sent from an anonymous IP address. If a state actor wants to monitor the network, he or she probably can.

Tor is not the privacy end-all that some want it to be. But limited use of it may help boost privacy to all but the most determined adversary.

more from Cloud Security

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that…