For the past few months, all the NSA leaks have been nothing but bad news. The latest though, about the NSA and GCHQ's attempts at breaking Tor, may be the opposite. The two spy agencies have tried and thought about various ways of de-anonymizing Tor users, but so far they haven't made much progress.
At least, that's according to documents uncovered by the Guardian from the Edward Snowden pile. In fact, the NSA is quite frustrated with how good Tor is at keeping people anonymous.
The top secret NSA document titled Tor Stinks
explains, "We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users, however no success de-anonymizing a user in response to a TOPI request/on demand."
What this means is that the NSA, at least at the time the document was created, June 2012, realized that it could never completely compromise Tor to make it possible to discover the identity of anyone using it at any moment. In fact, at that time, the agency hadn't been able to discover the identity of Tor users that it wanted to target specifically.
Instead, what success it has had was by using a compromised site to infect the computers of people using Tor, essentially phishing. But this method relied on people visiting that site, so the agency could never be sure a particular target would be infected.
"The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network," Roger Dingledine, the president of the Tor project, told the Guardian
. "Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.
"Just using Tor isn't enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications," he added.