Tor, an acronym for The Onion Router, is free software for anonymous online communication that masks a user’s identity by hiding the originating and destination IP addresses of messages sent through it. It is also — at least in the eyes of the public — used by cybercriminals and illicit sites such as the infamous Silk Road. But how many know that the initial development was really done by the U.S. government?

No, that’s not a joke. Not only did it get the project off the ground, but the government continues to fund it to this day.

The Push and the Pull

Tor started as an effort by the Office of Naval Research (ONR) and Defense Advanced Research Projects Agency (DARPA) to cloak the online identity of government agents and informants while in the field by obscuring their IP addresses. But the sponsors realized that if only these agents were using the system, their traffic would be functionally identified rather simply. In other words, they needed to have other traffic on Tor to mask the government activity, according to SecurityWeek.

Thus, the State Department began a push and pull with itself over Tor. One side touted its humanistic use for the anonymity of dissidents in repressed countries, and the other side worked on figuring out how to break that anonymity.

What Is Tor?

The project uses three programs packaged into one bundle. Tor, which accesses the network, is the first. Then there’s Vidalia (at least on Windows), which is a proxy that links the network to a port on your computer. Lastly, a browser, typically Firefox, is used. However, it is modified to only access the Internet through the Vidalia port.

The bundle includes other security features such as private browsing mode, disabled plugins, HTTPS, the Adblock Plus plugin and other patches in the browser’s settings. Most users will go for the bundle since it includes the most common options already set up, though most any browser could be configured to run on the network.

Change of Image

Though the project is mainly staffed by volunteers that maintain the code, it became obvious after being faced with both increased demand and more government scrutiny that an image change was necessary.

So Roger Dingledine, the director of the project, stepped aside for a new leader: Shari Steele, previously the executive director of the Electronic Frontier Foundation (EFF) for 15 years. She had the qualities to attract new donors to augment government grants and polish an image that had lost some luster.

A Known Vulnerability

If enough of the network nodes are controlled by one entity, then the Tor network is vulnerable to that entity. “We’ve always been watching that,” Steele told Ars Technica of this vulnerability. “But we now have some serious things in place to pay attention to when a bunch of new nodes are all showing up from the same location or from something similar. It could be disguised if we didn’t identify when all the new nodes are coming from the same place, but there are alarms now that go off.”

That kind of watching makes it harder — though still not impossible — for a state actor to gain network control or execute attacks on a network.

Cybercriminals have discovered this ability, as well. The “IBM X-Force Threat Intelligence Quarterly, 3Q 2015” revealed that the Tor network is increasingly leveraged for malicious purposes, such as completing payments for ransomware.

Does It Really Work?

The Onion Router can enhance privacy but by no means guarantee it. Repeated use of the tool allows adversaries to analyze and possibly decrypt the traffic because of the increased attack surface and surplus of data.

What the threat model is for the individual becomes rather important here. As an example, the simple use of Tor may call attention to a message for no other reason than that it was sent from an anonymous IP address. If a state actor wants to monitor the network, he or she probably can.

Tor is not the privacy end-all that some want it to be. But limited use of it may help boost privacy to all but the most determined adversary.

More from Cloud Security

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Cybersecurity in the Next-Generation Space Age, Pt. 4: New Space Future Development and Challenges

View Part 1, Introduction to New Space, Part 2, Cybersecurity Threats in New Space, and Part 3, Securing the New Space, in this series. After the previous three parts of this series, we ascertain that the technological evolution of New Space ventures expanded the threats that targeted the space system components. These threats could be countered by various cybersecurity measures. However, the New Space has brought about a significant shift in the industry. This wave of innovation is reshaping the future…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

How Posture Management Prevents Catastrophic Cloud Breaches

We've all heard about catastrophic cloud breaches. But for every cyberattack reported in the news, many more may never reach the public eye. Perhaps worst of all, a large number of the offending vulnerabilities might have been avoided entirely through proper cloud configuration. Many big cloud security catastrophes often result from what appear to be tiny lapses. For example, the famous 2019 Capital One breach was traced to a misconfigured application firewall. Could a proper configuration have prevented that breach?…