A chunk of the “deep web” went down over the weekend, and Tor users should be wary

Something big went down in the deep web over the weekend – it appears a bunch of hidden websites vanished, possibly due to the takedown of a hosting operation in Ireland. There’s a lot of speculation flying around here, but it involves the likely compromise of the Tor Browser Bundle, a tool frequently used to escape online surveillance.

Tor is a network of nodes, hosted by volunteers, that is designed to allow private browsing — users’ browsing data gets bounced between random nodes in a way that obscures that user’s identity. Although it has many positive uses, such as helping journalists and dissidents fly under the radar in repressive countries, Tor’s nature also makes it ideal for use on the so-called deep web or darknet, a parallel online world to the one Google indexes.

Tor is most easily used through the Tor Browser Bundle, which includes a modified browser based on Firefox – specifically, it is currently based on Firefox 17, the most recent release to enjoy extended support. People visiting a deep web site, perhaps an illicit one that facilitates drug purchases or child pornography, will likely use such a browser to locate the content they want. The content is often held on “.onion” sites (a reference to Tor’s layered approach to security) that can only be found and accessed in such a way.

OK, what happened?

So let’s start with what we know. First off, volunteers at the Tor project started getting reports around midnight on Sunday that “a large number of hidden service addresses have completely disappeared from the Tor Network.” This, Tor’s “phobos” said in a blog post, was the result of a hidden service hosting company getting taken down.

Meanwhile, on Saturday the Irish Independent reported that the U.S. was seeking the extradition from Ireland of a man named Eric Eoin Marques, who is alleged to have been involved in distributing child pornography online. This got posted to Reddit with a subject line beginning “founder of the Freedom Hosting arrested.”

Now, here’s where we exit the world of verifiable information. According to this conflation, Marques ran a hidden service host called Freedom Hosting, which gave server space to anyone who wanted it, including child porn sites. The FBI took him and his service down, knocking out the illegal sites and (some said in the ensuing thread) half the hidden .onion sites out there. Again, it’s really difficult to pin these details down for sure.

However, those at the Tor project are taking what happened very seriously indeed, not because they’re tied up in something nasty – there’s absolutely no affiliation between the project and the Freedom Hosting administrators – but because a widely-used version of Tor Browser Bundle may have a privacy-busting flaw in it.

The vulnerability

Here’s what Tor’s phobos wrote on Sunday:

“In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting.

“From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users’ computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR [extended support release], on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

Mozilla also issued a brief blog post saying it had been “notified of a potential security vulnerability in Firefox 17” and was looking into it.

According to security professionals quoted by expert Brian Krebs, the malware that’s sneaking through the Firefox 17 hole doesn’t actually execute any commands. Instead, it simply finds out users’ true IP addresses, probably in order to identify them. This is consistent with the idea that it comes from law enforcement rather than the criminal world, and it certainly tallies with the alleged child porn takedown link. That said, it doesn’t prove the Reddit rumors outright.

Incidentally, it seems the latest versions of Firefox – and even the very latest version of the Tor browser bundle – do not have this vulnerability.
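As an added illustration (not code from the article, the Tor project or Freedom Hosting) of a defender-side check for the server-side tampering phobos describes: it extracts the script and iframe content of a page as served and flags anything that the known-good copy on disk lacks. The HTML, the `injected.invalid` host and the `find_injected` helper are all constructed for this example.

```python
# Added example, not from the article: a defender-side check for the server-side
# tampering described above, where a compromised host injects script into the
# pages it serves. Served HTML is compared with the known-good copy on disk.
import hashlib
from html.parser import HTMLParser

class _ActiveContent(HTMLParser):
    # Collects src attributes of <script>/<iframe> tags and inline <script> bodies.
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.sources.append(attrs["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def active_content(html):
    p = _ActiveContent()
    p.feed(html)
    return p.sources, p.inline

def find_injected(served_html, baseline_html):
    """Return script/iframe content present in the served page but not in the baseline."""
    base_src, base_inline = active_content(baseline_html)
    allowed = {hashlib.sha256(s.encode()).hexdigest() for s in base_inline}
    srv_src, srv_inline = active_content(served_html)
    findings = [f"unexpected source: {s}" for s in srv_src if s not in base_src]
    for body in srv_inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in allowed:
            findings.append(f"unexpected inline script sha256={digest[:12]}")
    return findings

# Constructed sample pages: the baseline and a copy with a hidden iframe and an
# inline script added, the shape of tampering the quote above describes.
BASELINE = "<html><body><h1>Forum</h1><script src='/js/site.js'></script></body></html>"
TAMPERED = BASELINE.replace("</body>", "<iframe src='http://injected.invalid/f' "
                            "width='1' height='1'></iframe><script>/* placeholder */</script></body>")
print(*find_injected(TAMPERED, BASELINE), sep="\n")
```

Run against real sites, the baseline would come from the deployed release artifact and the served copy from a fetch through the same path users take, so that a change made only on the live server shows up as a finding.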

Tor: the good and bad, bound up

This episode highlights a major problem with the drive for online anonymity: that, while some people want privacy for legitimate and positive purposes, others want it to mask illegal and harmful activities. The way in which this tension plays out will, to a large extent, dictate the future of online freedom.

It also serves as a useful reminder that Tor is not necessarily a cure-all for online privacy woes. While the service can do a lot to evade surveillance, flaws do pop up from time to time.

As security expert Alan Woodward wrote in June, Tor volunteers are anonymous and there is therefore a real risk that many nodes are, in effect, stings. That said, Tor’s random routing between nodes makes it unlikely that anyone could target a specific individual in this way, unless they run a large proportion of the Tor nodes that are out there. Encryption of data would also mitigate this risk.

Additionally, Woodward noted, a JavaScript or Flash plug-in flaw on a deep web page can also prove risky. The Tor Browser Bundle disables JavaScript and plug-ins by default, but “anyone who has spent any time browsing the web knows that there is a great temptation to install add-ins or enable JavaScript in order to access content.”

In short, there’s way too little solid information on this past weekend’s takedown to say precisely what happened and who was involved, but – confusion aside – there’s enough to be wary if you rely heavily on Tor as a way of evading prying eyes.