PRISM vs Tor

By now, just about everybody has heard about the PRISM surveillance program, and many are beginning to speculate on its impact on Tor.

Unfortunately, there still are a lot of gaps to fill in terms of understanding what is really going on, especially in the face of conflicting information between the primary source material and Google, Facebook, and Apple's claims of non-involvement.

This apparent conflict means that it is still hard to pin down exactly how the program impacts Tor, and is leading many to assume worst-case scenarios.

For example, some of the worst-case scenarios include the NSA using weaponized exploits to compromise datacenter equipment at these firms. Less severe, but still extremely worrying, possibilities include issuing gag orders to mid- or low-level datacenter staff to install backdoors or monitoring equipment without any interaction whatsoever with the legal and executive staff of the firms themselves.

We're going to save analysis of those speculative and invasive scenarios for when more information becomes available (though we may independently write a future blog post on the dangers of the government use of weaponized exploits).

For now, let's review what Tor can do, what tools go well with Tor to give you defense-in-depth for your communications, and what work needs to be done so we can make it easier to protect communications from instances where the existing centralized communications infrastructure is compromised by the NSA, China, Iran, or by anyone else who manages to get ahold of the keys to the kingdom.

The core Tor software's job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end. By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools.

Through the use of HTTPS-Everywhere in Tor Browser, in many cases we can protect your communications content where parts of the Tor network and/or your recipients' infrastructure are compromised or under surveillance. The EFF has created an excellent interactive graphic to help illustrate and clarify these combined properties.

Through the use of combinations of additional software like TorBirdy and Enigmail, OTR, and Diaspora, Tor can also protect your communications content in cases where the communications infrastructure (Google/Facebook) is compromised.

However, the really interesting use case for Tor in the face of dragnet surveillance like this is not that Tor can protect your Gmail/Facebook accounts from analysis (in fact, Tor could never really protect account usage metadata), but that Tor and hidden services are a key building block for systems where it is no longer possible to go to a single party and obtain the full metadata, communications frequency, *or* contents.

Tor hidden services are arbitrary communications endpoints that are resistant to both metadata analysis and surveillance.

A simple (to deploy) example of a hidden-service-based mechanism to significantly hinder exactly this type of surveillance is an XMPP client that also ships with an XMPP server and a Tor hidden service. Such a P2P communication system (where the clients are themselves the servers) is end-to-end secure and does *not* have a single central server where metadata is available. This communication is private, pseudonymous, and does not involve any single central party or intermediary.

More complex examples would include the use of Diaspora and other decentralized social network protocols with hidden service endpoints.

Despite these compelling use cases and powerful tool combination possibilities, the Tor Project is under no illusion that these more sophisticated configurations are easy, usable, or accessible by the general public.

We recognize that a lot of work needs to be done even for the basic tools like Tor Browser, TorBirdy, Enigmail, and OTR to work seamlessly and securely for most users, let alone complex combinations like XMPP or Diaspora with Hidden Services.

Additionally, hidden services themselves are in need of quite a bit of development assistance just to maintain their originally designed level of security, let alone scaling to support large numbers of endpoints.

Being an Open Source project with limited resources, we welcome contributions from the community to make any of this software work better with Tor, or to help improve the Tor software itself.

If you're not a developer, but you would still like to help us succeed in our mission of securing the world's communications, please donate! It is a rather big job, after all.

We will keep you updated as we learn more about the exact capabilities of this program.


June 09, 2013


to be honest, beyond what you have mentioned here, I am a bit concerned about this:

[ unsafe shortened urls pointing at unknown/unpopular url shorteners ]

which I am guessing by this point probably affects not just computers with Windows but pretty much anything...

Curious how to get this crap out of our computers because apparently end to end encryption is not enough.

Thoughts / responses?

Sorry for censoring your comment, but...

to be honest, in a post where I mention the use of weaponized exploits by governments, and where you yourself appear to be alluding to weaponized exploits, I could not in good conscience post your sketch URLs.

Nor as a software developer who writes software that people depend on could I click on those URLs myself without spending a few hours/days to get a fresh computer, fire up a VM, and examine what the hell they did to it.

Do you have any non-shortened versions?

To answer your general point: I truly believe that the use of weaponized exploits risks crashing the world economy. Software engineering is simply not prepared to deal with this threat.

With the number of dependencies present in large software projects, there is no way any amount of global surveillance, isolation, or firewalling could sufficiently isolate and protect the software development process of widely deployed software projects in order to prevent scenarios where malware sneaks in through a dependency into software that is critical to the function of the world economy.

Such malware could be quite simple: One day, a timer goes off, and any computer running the infected software turns into a brick.

This shit is a doomsday scenario on the order of nuclear conflagration, and anything short of global disarmament risks humanity (or at least large sectors of the world economy) losing access to computing for months or even years.

There is no M.A.D. scenario as a deterrent here either. Stockpiling more exploits does not make us safer. In fact, the more exploits exist, the higher the risk of the wrong one leaking -- and it really only takes a chain of just a few of the right exploits for this to happen. There will also be no clear vector for retaliation. Moreover, how do you retaliate if you have no functioning computer systems or networks left?

If there's *anything* we should be spending the NSA's $10B+/yr budget on, it's making sure key software development processes are secure against tampering, exploitation, and backdoors, not reading people's fucking email.

End the madness before it's too late.

Hi, it doesn't bother me that you have excluded the shortened URLs etc. Let me try again... Also, I agree with the stuff you have said above. Yes. Yes. Yes. Also, end the madness, ditto!

That said, here is (hopefully better) non-shortened link... Anything you can do to provide remedy or clarification, would be great help.…

Tor needs a toaster. What I mean is that most people really do not wish to figure out how to load and configure secure stuff and keep prying unconstitutional searches and seizures of our digital effects. Most people do not really need to understand it either AS Long AS it works and is effortless. They need something that they point and click and they have the best we can manage LIKE a TOASTER plug it in and everything comes out light brown with no special skills. REMEMBER, the more grandmothers and children who use Government or better grade encryption the better everyone else will blend in. I personally have no real need except that it ticks me off to live in a police state with the likes of The NSA looking over everyone's shoulders and denying freedoms that were well understood at the foundation of our nation.
Is there some way to have a torified way to have my computer generate BTC for donation to TOR perhaps on a distributed basis. OR perhaps could TOR SET UP ITS OWN CYBERCURRENCY!

It might be nice to also keep out 10 % of what I make for future uses which I might figure out later.


June 09, 2013


Thanks for your article. A great problem in my opinion is also that the general public is hardly aware of their possibilities to protect itself with the tools named above. The Tor Browser Bundle is an excellent solution and solves a lot of beginner problems.

What I have to criticize about the Tor site is that even for a technically interested user like myself (IT consultant) it's pretty hard to get into the different concepts of Tor usage (relay, bridge relay, exit) and through the documentation of installing them.

Keep up your great work and thanks for it! I've donated a few times and also make Tor use public whenever I can, i.e. my YouTube Channel.

Perhaps, as with your youtubes, the emphasis can be distributed to us techies to help educate. I'm starting to run a weekly series of short tutorials on encryption, mainly for my non-techie friends, aiming to talk through concepts such as public/private keys, email, Tor, Diaspora, etc. The hope for me is to get more non-experts using these tools by default. Storms such as Prism represent great opportunities to spread information on basic use while the issues are on people's minds.


I'm a "non-techie" who is new to Tor and very concerned with internet privacy and security which is why I have it installed in my own and my mother's computer. I am only beginning to have a basic idea of how all this works and you mentioned giving short tutorials to your technically disadvantaged friends. Wouldn't it be helpful if there were such a tutorial for the rest of us who are not your friends? I mean I read the above article and checked out some of the other services you mentioned but I'm not quite sure what they do or how they can serve me. Anyway it would be a great service to many people if there were some way for the rest of us to understand encryption and the internet, how to protect our emails etc.

Maybe you could compile a tutorial on a DVD for sale. I know I would buy one and the proceeds could go to serving the Tor Project because believe me I am not the only person who's concerned, interested and yet clueless and under-informed.


June 09, 2013


Have you considered the possibility that the NSA is able to factor large numbers, such as the 1024 and 2048 bit keys used in RSA and what that would mean for Tor?

Tor was designed at the turn of the century, when it was widely believed that 1024 bit RSA was large enough to last for many decades. Moreover, at that time support for longer key lengths raised the serious risk of overloading relay CPUs. In fact, we still face the CPU overload issues with 1024 bit RSA keys today, and this actually introduces its own security risks (due to DoS attacks, circuit failure attacks, and related route capture issues).

The good news is we are in the process of upgrading Tor's protocols to support faster, stronger ECC keys, as well as making it easier to change key length and algorithms in the future should the NSA prove to be lying about ECC, too. See the "Key Length" section of and the links therein for more details

No, I just meant the SIGINT group's habit of repeatedly lying to Congress and the public makes the COMSEC group's recommendations about ECC curve choice and key length carry less weight by themselves.

It does appear that NSA's previous recommendations on crypto have all been validated so far, but at the end of the day, we don't actually know which NSA group each recommendation actually comes from.

However, since many external researchers and institutions are also in agreement about ECC key length and curve choice at the moment, my concerns don't really have much weight. I was just being snarky.

If that is true, and if the NSA has active MITM intercept systems installed either near the Tor network infrastructure or around the world, then they could break Tor by either capturing routes or altering the consensus to send targeted users through tagged routers.

However, if the intercepts are passive, then because Tor uses Forward Secrecy, simply breaking the RSA keys offline and performing passive intercept is not enough to decrypt Tor communications, unless they can also break DH (and for Tor, ECDH).

Do either you or the Skype commenter below you care to comment about DH/ECDH, or if you have any knowledge about active vs passive global intercept? So far, all the official leaked info we've seen (Mark Klein, et al) seems to indicate that the dragnet surveillance is based on a half-duplex splitter-style configuration that would not be capable of active MITM and in-flight traffic manipulation required to intercept the DH/ECDH handshake.

Either way, we are aware that RSA 1024 is insufficient (and we are assuming that DH in Zp is insufficient), and we are in the process of upgrading, as I said in the parent comment. It will happen sooner if you help!
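The passive-intercept argument above, as an added toy model in Python (not part of the original comment, and not Tor's actual handshake): a recorder who later obtains the long-term RSA private exponent recovers a session key that was sent under RSA, but not one agreed with ephemeral DH that RSA merely signed. All parameters are constructed and far too small for real use, all function names are hypothetical, and only the passive case is modelled.

```python
"""Toy model: recorded traffic plus a later-broken RSA key, with and without ephemeral DH."""
import hashlib
import secrets

# Constructed toy long-term RSA key built from two Mersenne primes (illustration only).
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
# The private exponent: what an attacker gains by factoring RSA_N.
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

# Constructed toy DH group: Mersenne prime modulus, small generator.
DH_P, DH_G = 2**127 - 1, 3


def kdf(value: int) -> bytes:
    """Derive a session key from an integer secret."""
    return hashlib.sha256(value.to_bytes(32, "big")).digest()


def digest_int(value: int) -> int:
    """Hash an integer to a value below RSA_N so the toy RSA key can sign it."""
    return int.from_bytes(kdf(value), "big") % RSA_N


def key_transport_session():
    """No forward secrecy: the session secret travels encrypted to the long-term key."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"rsa_ciphertext": pow(secret, RSA_E, RSA_N)}
    return kdf(secret), transcript


def ephemeral_dh_session():
    """Forward secrecy: the long-term key only signs the server's ephemeral DH value."""
    x = secrets.randbelow(DH_P - 3) + 2  # client ephemeral, discarded after the session
    y = secrets.randbelow(DH_P - 3) + 2  # server ephemeral, discarded after the session
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    signature = pow(digest_int(gy), RSA_D, RSA_N)
    # Client verifies the signature; both ends compute the same shared secret.
    assert pow(signature, RSA_E, RSA_N) == digest_int(gy)
    assert pow(gy, x, DH_P) == pow(gx, y, DH_P)
    transcript = {"gx": gx, "gy": gy, "signature": signature}
    return kdf(pow(gy, x, DH_P)), transcript


def passive_recovery(transcript: dict, rsa_d: int) -> set:
    """What the RSA private exponent yields offline: each recorded value,
    as-is and RSA-decrypted, turned into a candidate session key."""
    candidates = set()
    for value in transcript.values():
        candidates.add(kdf(value))
        candidates.add(kdf(pow(value % RSA_N, rsa_d, RSA_N)))
    return candidates


def demo() -> dict:
    """Run one session of each kind and report whether the recorder gets the key."""
    kt_key, kt_transcript = key_transport_session()
    dh_key, dh_transcript = ephemeral_dh_session()
    return {
        "key_transport_broken": kt_key in passive_recovery(kt_transcript, RSA_D),
        "ephemeral_dh_broken": dh_key in passive_recovery(dh_transcript, RSA_D),
    }


if __name__ == "__main__":
    print(demo())
```

Recovering the second key would need one of the discarded exponents, which means solving the discrete log of a recorded `gx` or `gy`; that is the "unless they can also break DH" condition in the comment.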

If "NSA has active MITM intercept systems", how would we know about it?
How would this look like, to a Tor user?
Are there any signs to look for? In "View the Network" window?
But more important:
Can you, or some other Tor developer, design a method to detect/verify if this is the case?

These are two articles with more details on this subject:…
Quote: "We hack network backbones – like huge internet routers"…

I'm no puter techy by any stretch. I have however matain and do try over the last 20 years attempt to read and get a basic understanding of things. From my limited knowledge I understand there's a distinction between encrypted data, voice, or video. And assigning a key to be able to decrypt the file source. While one exists in the wild the other remains private. I remember when 256 bit was thought to be pretty unbreakable. In some ways it is still tough to crack. It would take all the cold air the arctic polar region can provide to cool down all the processors necessary to crack something 1000 bit or greater. It's just not possible to have that kind of resource. I believe a little bit of paranoid has taken over your rational. Tor is a thorn to the NSA in that it is like one of those play ball pens they have for children. Only if they can lock on to your IP as the outgoing or input source that they may get to you. The only thing inside of pc to date is the hardware to operate it. Maybe they may mandate GPS devices or keylogger hardware. Use all your security software often to keep nosy people out. I do believe what Prism is really about is harvesting personal info much like how Google does. I would under this circumstance always feel this method is suspect to many other advantages that would be illegal.
hope some of this will be reassuring.

Citation definitely needed. If the NSA has genuinely broken 2048-bit AES encryption, that's a very big deal, because the current literature on encryption says this is impossible before the heat death of the universe, even with every computer on Earth at your disposal. Your say so that you can verify it isn't enough I'm afraid.

In short: citation please.

You are referring to brute-force attacks. "Breaking" a crypto system such as RSA or AES implies a design weakness. Brute-force attacks remain unfeasible as long as reasonably-sized keys are used.

AES 1024 and 2048 broken many years ago by NSA...since at least 2008..they also had quite a hard and frustrating time figuring out Skype until it was purchased by an American corporation. ;) (fun little tidbit)

Factoring large numbers might not be necessary if the encryption used is based on a trust model founded on the public Certificate Authorities.

(I do not know what trust model Tor uses and would LOVE to know... hope someone knowledgeable can comment.)

Google on [certificate authority hacked] and you'll find that the CA infrastructure has been compromised. An eavesdropper possessing stolen CA credentials or tools for generating them can access encrypted streams with little computational or practical effort.

Tor does not rely on any CAs. Every node generates its own keys and directory authorities are hard coded into the application. If you are looking for an introduction to the way Tor works there are several videos on YouTube.


June 09, 2013


Well, is this enough impetus to get you guys/gals focusing more on HS?!

I am REALLY disappointed that my offer of $100 (or more) a month to support HS dev (see the very FIRST post in that HS blog post you linked to) wasn't taken up, NO ONE EVEN TRIED TO CONTACT ME. I guess you guys/gals have all the money you need . . . oh wait, no you don't (feel free to slap Tor Project's collective forehead).

Tor really needs developers these days. The Hidden Service blog post was not about getting money, it was about getting developers.

Even if Tor got your $100 per month, they wouldn't have a developer to give the money to.

This is not true. So far, every position we have announced to hire for has gotten scores of high-quality applicants. There is no reason to believe hidden services would be any different.

There are also many contractors at Tor who do not work full time, and even small donations would allow us to fund more of their time.

So you are suggesting I shouldn't give $100 a month? It's not that my $100 will be a big difference, but if lots of people did that it would. So, don't you put up or shut up?

Well, look at it this way: We have an extremely large number of people who donate around that many hours per month to Tor by running relays, occasionally helping to track down bugs, and writing the occasional patch. These efforts are extremely important, and Tor would not be possible on its current budget without them.

If you're not technical enough to devote your time, or if you don't have that time, or if you do donate your time, but your day job/family/whatever prevents you from doing more, small donations are just as awesome as volunteering more time.

From this perspective, $100/mo is absolutely a huge contribution from an individual.

Hi Mike!

Can my $100 be earmarked for HS work? Or is there only one way to donate, to a large kitty that you guys use at your discretion?

I'm cutting the cord to T.V., so that's $100 I won't be spending per month that I can donate to Tor. I use Tor much more than my T.V., anyway! :D

This is a good question. I'm not the one to answer it unfortunately. Perhaps email the donations address listed on the donate page?

To support this, we probably would have to define our own large buckets carefully such that they are big enough to justify the management overhead involved in allocating and prioritizing development for each bucket...

That management is its own expense though, and right now, Tor is rather light on the management/overhead side (and all of our management is rather overwhelmed with tracking large sponsors' specific line-item feature deliverables).

I am personally in favor of creating these large buckets for large scale sponsors, too, because specific feature deliverables are really hard to handle when we have so many different things we need to react to on a given day just to keep stuff running properly for each of our major components.


June 09, 2013


Below, let me post the offer I already made (in the HS need love blog post) and no one even bothered to respond to; maybe this time will be different?

Though, I doubt it, most Tor Project folks seem to hate communication via blog posts, yet, they don't offer a real discussion forum (e-mail lists are not a real solution for laypersons)!

"Are we able to donate to Tor Project and make sure said donations are only used for use X, which in this case would be to research/implement some of the points above?

I'd send in at least $100 a month to support such a project."


June 09, 2013


Many thanks for your blog on the PRISM program. Wikipedia > HTTP Secure > Overview, says "As of 2012-06-22 12.3% of the Internet's 186821 most popular web sites have a secure implementation of HTTPS". I know this information is almost a year old and that more websites have HTTPS. Let's hope 100% of the websites we use are in that 12.3% plus more. The EFF interactive graphic showing use/ non use of Tor and/ or HTTPS is indeed excellent! I'm sure the websites of TorBirdy, Enigmail, OTR and Diaspora have had more 'hits' since your blog was published. I look forward to updates about PRISM vs Tor. Thanks again!


June 09, 2013


So when is the Tor Browser Bundle gonna stop being the flagship of the Tor project so we can get email (Torbirdy is barely a consideration) and chat clients (OTR is likewise barely an option) similarly hardened instead of waiting on the Tor project to do it for us?

Modularity is the only way you avoid stuff like feature-creep and backdoors.

Nope. I'm sick of, as you can see with the 3.0 alpha builds, Tor being more and more asinine Firefox-dependent crap instead of taking a modular approach which enables creation of hardened clients and use of portable bundles that do more than web browse.

Now it's all controlled through a Firefox addon. Next it'll be written in Flash? /sarcasm


June 09, 2013


Most likely, they just take all the data streams going to/from the entry nodes, all the data streams going from/to the exit nodes, and then use traffic and timing analysis to figure out the rest.

This is indeed possible in the more extreme scenarios of total NSA compromise of global Internet infrastructure that I mentioned in the original post, especially with the relatively low number of concurrent Tor users that we have today.

However, if they take any shortcuts to reduce the resolution of their timing information to conserve storage, computation, or bandwidth, then it is very likely that they will be unable to fully correlate the activity of very large numbers of Tor users in the future. Similarly, if Tor (or a Tor user) takes efforts to obscure high-resolution timing data through padding or other schemes, either the NSA's false positive rates will go up, or their success rates will go down.

Such a correlation also assumes the NSA would be capable of recognizing and correlating custom pluggable transports and other entrance mechanisms that would allow entrance into the Tor network without looking like the Tor protocol. After all, one can write a new pluggable transport in Python in just a few weeks...

Such correlation also adds another N^2 factor to the complexity (computation costs) of metadata analysis for the dragnet scenario. This can prove quite expensive if they have to correlate against potentially large volumes of traffic due to pluggable transports that look like say, bittorrent.

In fact, as bandwidth becomes cheaper and transmissions more frequent and varied, it seems like correlation will only continue to get harder.

The situation is further worsened if users can move around or compromise hosts at will (perhaps because say, the military industrial complex now has an incentive against US companies actually *fixing* flaws in software, and also because that shit will leak like a powerpoint deck in no time flat).

They may have short term victories because of the relatively low numbers of Tor users today, but in the long run it sure seems like our job is easier and cheaper by many, many orders of magnitude. Thank chaos for that, because I would rather have secure communications than oppressive, secret surveillance engineering who-knows-what political machinations behind the scenes...

It really makes one wonder exactly how much money we need to throw into those shiny black holes at Fort Meade and Utah before this becomes clear...

Excellent point. Thank you.

Running a bridge or relay will help to remove some of the high-resolution inter-packet timing information that makes correlation accurate.

Custom padding schemes are probably actually less help than being some sort of relay. If you don't have a really full understanding of exactly what you're doing, you're likely only hurting the Tor network for no reason, because naive padding schemes can be modeled and subtracted from the packet traces easily.

In fact, I think it is fair to speculate that running the latest and greatest pluggable transport bridges to help censored users is the best existing way to defend your own traffic from correlation, especially if your transport is under heavy use.

That way, you avoid showing up in the public Tor network router list, but still have a Tor traffic stream coming out of your IP to blend with your client-originating traffic. Further, the fact that the pluggable transports are necessarily under rapid development to avoid detection by censorship systems will at least mean that the NSA needs to devote constant attention to recognizing the input stream to your pluggable transport bridge. And if that is hard for China, it's probably hard for NSA, too.

Hey Mike,

Me again.

What are your thoughts about running Tor Flashproxy badge (Firefox w/o Tor) and Cupcake (Chrome/Chromium w/o Tor), with respect to this topic overall (i.e. for when we're not using Tor . . . )? I use both those in the respective browsers I use.

Also, I assume this would be dumb, so please let me know if it's dumb: Installing Tor Flashproxy badge into Tor Browser.