The agency has been working on breaking Tor protection for years
Given the efforts the NSA has put into breaking online security and encryption, it's no surprise that the spy agency is very, very interested in taking down Tor, the anonymity software used by protesters and drug dealers alike to keep their identity secret.According to a document uncovered by the Guardian, from Edward Snowden's leaks, the NSA has had some success in discovering the identities of people using Tor, though, thankfully, it hasn't been able to compromise the service in mass.
The NSA deals with Tor like it does with encryption in general, by avoiding it altogether and attempting to compromise the machine targets are using. But this means first identifying that target, which is the tricky part. No wonder one top-secret NSA presentation is titled "Tor Stinks."
This came after concerted efforts to break Tor anonymity, with little success. But the NSA and its British counterpart, the GCHQ, have managed to de-anonymize some users, for example by targeting a vulnerability in Firefox, on which the Tor browser is based.
The agencies discussed several ways in which the Tor network could be attacked. For example, controlling a large number of exit nodes could give an organization the possibility of de-anonymizing much of the traffic. But it's unfeasible, even for the NSA, to have that many nodes, it seems.
The agency does control some Tor nodes and collects information from them, but too few to provide meaningful data, the NSA claims in a document.
Another avenue for attack that the two agencies have tried is to influence the future of Tor, by making it less secure from the onset. This is what the NSA has already tried and mostly succeeded with encryption standards. Yet another idea put forward by the NSA is to disrupt and slow down Tor to the point where it's no longer usable.
It's unclear whether the NSA actually implemented any of these measures. Considering that the US funds some 60 percent of Tor's development and that it's used by dissidents all over the world as well as US government agencies, making Tor less secure or unusable doesn't sound like a great idea, but you shouldn't put it past the NSA.
All in all, the documents show that Tor is capable of protecting users, but that it's not perfect. This should come as no surprise to anyone serious about online anonymity. But it should be of some relief that Tor is still mostly safe.