Tor, NSA, GCHQ, and QUICK ANT Speculation
Many Tor users and various press organizations are asking about one slide in a Brazilian TV broadcast. A graduate student in law and computer science at Stanford University, Jonathan Mayer, then speculated on what this "QUICK ANT" could be. Since then, we've heard all sorts of theories.
We've seen the same slides as you and Jonathan Mayer have seen. It's not clear what the NSA or GCHQ can or cannot do. It's not clear if they are "cracking" the various crypto used in Tor, merely tracking Tor exit relays or Tor relays as a whole, or running their own private Tor network.
What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter Tor and exit Tor. This likely de-anonymizes the Tor user. We describe the problem as part of our FAQ.
We think the most likely explanation here is that they have some "Tor flow detector" scripts that let them pick Tor flows out of a set of flows they're looking at. This is basically the same problem as the blocking-resistance problem — they could do it by IP address ("that's a known Tor relay"), or by traffic fingerprint ("that looks like TLS but look here and here how it's different"), etc.
It's unlikely to have anything to do with deanonymizing Tor users, except insofar as they might have traffic flows from both sides of the circuit in their database. However, without concrete details, we can only speculate as well. We'd rather spend our time developing Tor and conducting research to make a better Tor.
Thanks to Roger and Lunar for edits and feedback on this post.
Guys, I have a question/fear in my mind.
I host a Tor hidden service, with some nasty content (no, not CP, but otherwise nasty).
3 days ago my webserver came under some kind of attack. Somebody (probably a robot) is querying my website, once a second(!), and always the same page. My log is now filled with these GET requests; every 1 or 2 seconds there is one.
These requests are coming through the Tor network, firstly because they originate from 127.0.0.1, and secondly because if I shut down Tor, the requests also stop.
I have a fear. Can it be connected to the NSA/FBI somehow? I mean, why the hell would anyone want to flood me with GET requests? It's too slow for a DDoS attack (my website is fully operational).
And speaking of slow, how the hell can a Tor user request anything from my site every one or two seconds?
The Tor network by default is way slower than that. Even if I start pressing the reload button in Tor Browser, it takes 8-10-15 seconds to reconnect and reload the page. And yet, in my log files I see someone who can reload my page every 2 seconds, and has been doing that for 3 days now.
Does anybody know what it can be?
Do I need to be afraid? Is it something to do with the topic discussed here, or... or what?
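To put numbers on the pattern this commenter describes, here is an added example (not from the post or the commenter) that parses combined-format web server log lines and reports any page polled at a median interval of two seconds or less. The log lines, paths and user-agent strings are constructed; because hidden service traffic always reaches the web server from the local Tor client, the client IP is 127.0.0.1 on every line and the example groups by path and user-agent instead.

```python
import re
from datetime import datetime
from statistics import median

# Combined Log Format as written by Apache/nginx. On a hidden service every hit
# arrives via the local Tor client, so the first field is 127.0.0.1 for all of
# them and cannot separate visitors; we key on (path, user_agent) instead.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_polling(lines, max_interval=2.0, min_hits=5):
    """Map (path, user_agent) -> (hit_count, median_gap_seconds) for every
    GET stream with at least min_hits requests whose median inter-arrival
    time is at most max_interval seconds."""
    by_key = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_key.setdefault((rec["path"], rec["ua"]), []).append(rec["ts"])
    result = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_interval:
            result[key] = (len(stamps), med)
    return result

def _mk(sec, path, ua):
    # Constructed sample line; every hidden-service hit shows 127.0.0.1 as the client.
    return (f'127.0.0.1 - - [01/Sep/2013:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

# Constructed sample: one page fetched every 1-2 s, plus two ordinary, unrelated hits.
SAMPLE = [_mk(s, "/index.html", "Mozilla/5.0 (X11)") for s in (0, 1, 3, 4, 6, 7, 9)]
SAMPLE += [_mk(2, "/about.html", "curl/7.30"), _mk(40, "/index.html", "curl/7.30")]

if __name__ == "__main__":
    for (path, ua), (hits, gap) in find_polling(SAMPLE).items():
        print(f"{path} from '{ua}': {hits} hits, median gap {gap:.1f}s")
```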