Tor Project says it can quickly catch spying code

The organization has worked for three years to improve its ability to catch fraudulent software

The Tor Project is fortifying its software so that it can quickly detect if its network is tampered with for surveillance purposes, a top developer for the volunteer project wrote on Monday.

There are worries that Tor could either be technically subverted or subject to court orders, which could force the project to turn over critical information that would undermine its security, similar to the standoff between Apple and the U.S. Department of Justice.

Tor developers are now designing the system in such a way that many people can verify if code has been changed and "eliminate single points of failure," wrote Mike Perry, lead developer of the Tor Browser, on Monday.

Over the last few years, Tor has concentrated on enabling users to take its source code and create their "deterministic builds" of Tor that can be verified using the organization's public cryptographic keys and other public copies of the application.

"Even if a government or a criminal obtains our cryptographic keys, our distributed network and its users would be able to detect this fact and report it to us as a security issue," Perry wrote. "From an engineering perspective, our code review and open source development processes make it likely that such a backdoor would be quickly discovered."

Two cryptographic keys would be required for a tampered version of the Tor Browser to be distributed without at least initially tripping security checks: the SSL/TLS key that secures the connection between a user and Tor Project servers plus the key used to sign a software update.

"Right now, two keys are required, and those keys are not accessible by the same people," Perry wrote in a Q&A near the end of the post. "They are also secured in different ways."

Even if an attacker obtained the keys, in theory people would be able to check the software's hash and figure out if it may have been tampered with.

Apple is fighting a federal court's order to create a special version of iOS 9 that would remove security protections on an iPhone 5c used by Syed Rizwan Farook, one of the San Bernardino mass shooters.

A ruling against Apple is widely feared by technology companies, as it could give the government wider leverage to order companies to undermine encryption systems in their products.

On Monday, the Justice Department indicated it is investigating an alternative method to crack Farook's iPhone, which if successful would not require Apple's assistance.

Perry wrote that the Tor Project stands "with Apple to defend strong encryption and to oppose government pressure to weaken it. We will never backdoor our software."

Tor, short for The Onion Router, is a network that provides more anonymous browsing across the Internet using a customized Firefox Web browser. The project was started by the U.S. Naval Research Laboratory but is now maintained by the nonprofit Tor Project.

Web browsing traffic is encrypted and routed through random proxy servers, making it harder to figure out the true IP address of a computer. Tor is a critical tool for activists and dissidents, as it provides a stronger layer of privacy and anonymity.

But some functions of Tor have also been embraced by cybercriminals, which has prompted interest from law enforcement. Thousands of websites run as Tor "hidden" services, which have a special ".onion" URL and are only accessible using the customized browser.

The Silk Road, the underground market shut down by the FBI in October 2013, is one of the most famous sites to use the hidden services feature.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Torinternetdark webhacking

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?