Earlier this month, an undergrad at Harvard University e-mailed an anonymous bomb threat allegedly to get out of taking a final exam. Eldo Kim, a sophomore social sciences student, attempted to mask his identity by sending his e-mail through Tor, an anonymous internet service that’s become known for concealing the identities of everyone from Wikileaks informants like Bradley Manning to illegal weapons and illicit drug dealers.
Despite being extremely careful (Kim shrewdly sent his e-mail from Guerrilla Mail, a service for sending anonymous e-mails, while cloaked under Tor), a joint task force of FBI and Harvard University personnel was still able to discover his identity.
Kim is just one of a handful of international arrests conducted by US and NATO authorities on targets who use Tor, including the founders of the deep web black market Silk Road and the Tor-based anonymous web host Freedom Hosting.
Tor’s sometimes dubious use for concealing online crime and the US government’s ability to violate its previously impenetrable security have cast a new spotlight on this once arcane part of the internet. As stories like Kim’s appear in the mainstream press, many questions arise:
What is Tor? What is the deep web? And how do folks like the FBI and NSA violate what seems like an otherwise impenetrable security protocol?
What is Tor?
The name Tor is actually an acronym that hints at how it works. Tor, or The Onion Router, is a free service that allows internet users to cloak their online activities by hiding behind layers of anonymous hosts that bounce their traffic across a global, encrypted network of nodes.

The above diagram shows the typical use case of Tor to anonymize regular online traffic.
Alice is an internet user who wants to anonymize her internet traffic. To access Tor, Alice installs software like Vidalia that allows her to access the Tor network. After setting up her web browser to route its connections through Vidalia (something that customized versions of Firefox à la the Vidalia Bundle now do automatically), Alice navigates to her online site of choice as she normally would.
Beyond using Vidalia as a proxy and a noticeable increase in lag, things will probably seem like business as usual to Alice. But behind the scenes, an incredibly complex protocol is seeking to anonymize Alice’s traffic behind a layer of servers that route her traffic across the globe. These servers are known as Tor Nodes — anonymous servers that plug into Tor’s network and semi-blindly shuttle traffic between other nodes.
Alice randomly selects a path through a series of Tor nodes and dispatches a packet of information. That packet flits through Alice’s path, with each node it traverses knowing only the previous node in the path and the immediately next node.
Because there’s no context in this protocol around where each node is or where the packet originally came from (Alice will look like just another Tor node herself), nobody really knows who was the original point of origin. After a few hops through a series of Tor nodes, Alice’s identity is lost. It’s sort of like the childhood game Telephone: after sharing a message a few times around your circle of friends, nobody knows who came up with the message in the first place.
Unlike Telephone though, Alice’s messages (i.e.: internet traffic) retain their integrity. Because Tor operates lower on the networking stack than the content of her traffic, the traffic itself is protected normally. Tor simply muddles the point of origin.
Eventually Alice’s traffic needs to get out of Tor to hit the outside web. The terminal node her traffic traverses is called an exit node. An exit node is just another Tor node, but instead of sending her message back through the Tor network to another node, it sends Alice’s message out into the regular internet. If someone wanted to get Alice’s identity, the Tor exit node would be the visible IP address attributed to her traffic.
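The path description above (each node knows only the hop before and after it, and only the exit sees the traffic leaving for the regular internet) can be made concrete with a small simulation. This is an added example, not code from the article or from the Tor Project, and it uses a toy SHA-256 stream cipher in place of Tor's real circuit encryption (Tor uses AES-CTR and a telescoping key exchange, neither of which is modelled here); the relay names, keys and the "shop.example" destination are constructed.

```python
import hashlib
import secrets

HOP_LEN = 16  # fixed-width field holding the name of the next hop

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream.
    Symmetric, so the same call encrypts and decrypts. Not Tor's real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(next_hop: str, inner: bytes, key: bytes) -> bytes:
    """Add one onion layer: encrypt (next_hop || inner) under this relay's key."""
    nonce = secrets.token_bytes(16)
    hop = next_hop.encode().ljust(HOP_LEN, b"\0")
    return nonce + keystream_xor(key, nonce, hop + inner)

def peel(layer: bytes, key: bytes):
    """Remove one layer; returns (next_hop, remaining_bytes)."""
    nonce, body = layer[:16], layer[16:]
    plain = keystream_xor(key, nonce, body)
    return plain[:HOP_LEN].rstrip(b"\0").decode(), plain[HOP_LEN:]

class Relay:
    def __init__(self, name: str):
        self.name = name
        # Key shared with Alice during circuit setup (setup itself is assumed, not shown).
        self.key = secrets.token_bytes(32)
        # Everything this relay could log: (previous hop, next hop, bytes it forwarded).
        self.seen = []

    def handle(self, prev_hop: str, layer: bytes):
        next_hop, inner = peel(layer, self.key)
        self.seen.append((prev_hop, next_hop, inner))
        return next_hop, inner

def build_onion(path, destination: str, payload: bytes) -> bytes:
    # Innermost layer is for the exit: it learns the destination and the raw payload.
    onion = wrap(destination, payload, path[-1].key)
    # Wrap outward so every earlier relay learns only the name of the next relay.
    for i in range(len(path) - 2, -1, -1):
        onion = wrap(path[i + 1].name, onion, path[i].key)
    return onion

def send_through(path, destination: str, payload: bytes, sender: str = "alice"):
    """Push one onion along the circuit; returns what leaves the exit node."""
    layer = build_onion(path, destination, payload)
    prev = sender
    for relay in path:
        next_hop, layer = relay.handle(prev, layer)
        prev = relay.name
    return next_hop, layer

if __name__ == "__main__":
    guard, middle, exit_node = Relay("guard1"), Relay("middle1"), Relay("exit1")
    # Constructed plaintext HTTP request; Tor does not encrypt this end to end,
    # so the exit sees it exactly as the shop will (HTTPS would hide it from the exit).
    request = b"GET /gift HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    dest, out = send_through([guard, middle, exit_node], "shop.example", request)
    for relay in (guard, middle, exit_node):
        prev_hop, next_hop, seen = relay.seen[0]
        print(f"{relay.name}: from={prev_hop} to={next_hop} payload_visible={seen == request}")
```

Run it and the guard reports `from=alice` but forwards only ciphertext, the middle relay sees neither Alice nor the destination, and the exit reports `to=shop.example` with the request in the clear. That last line is the exit-node exposure the rest of the article returns to: anything not independently encrypted (for example with HTTPS) is readable by whoever runs the exit.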
The deep web
Tor has another very popular use case in the form of fostering the deep web.
The deep web is a name given to the cluster of sites on Tor that are otherwise inaccessible to non-Tor users (and similarly not indexed by search engines like Google or Bing). Websites hosted on the deep web are piggybacked on nodes within the Tor network, and are accessed by using a special Tor URL that ends in .onion within a Tor-enabled browser.

While legitimate and legal websites like Wikileaks’ submissions page operate within the deep web, the deep web also harbors many dubious sites that are anonymized because of their illegal nature. These include:
- Silk Road, an e-commerce black market predominantly used for the purchase and sale of drugs and other illicit substances.

- Black Market Reloaded (BMR), a spin-off of Silk Road that was launched after Silk Road’s founders stopped selling “anything that was designed to hurt or harm other people.” BMR is frequently used for selling weapons like military-grade assault rifles and explosives, as well as being a conduit for human trafficking and prostitution.

(Image caption: Most likely this was a reservist's weapon given that the AK-47 was replaced in 1974 within the Soviet Red Army.)
- Assassin's Marketplace, a terrifying website where users use Bitcoins to pool "bounties" on the heads of target officials and crowdsource their assassination. Assassins would provide proof of a successful assassination and be able to collect the bitcoins associated with that target's bounty.

- Contract Killer, an e-commerce portal for professional assassinations. Contract Killer can be used to assassinate anyone so long as they are over the age of sixteen and not one of the top 10 politicians in the world.

Sites like Contract Killer offering mercenary services are common on Tor, and include hireable professionals from ex-special forces mercenary teams to criminal black hat hackers for hire.

While Tor itself is legitimate and the goal of anonymizing internet traffic for the safety of its users is a valiant one, seeing deep web websites like BMR or Assassin's Marketplace makes it easy to understand why US government officials want to violate Tor in order to monitor its activities. Sites like BMR are rumored to be linked to organized crime and terrorist organizations, who use BMR to finance their operations by selling illegal wares such as ex-Soviet military materiel.
How Tor gets hacked
Tor itself is a very resilient and safe protocol. Unless an attacker was able to capture an overwhelming majority of servers within the Tor network (something that seems improbable given the constantly-changing nature of Tor and the mercurial/ephemeral nature of Tor nodes), it’s for the most part impossible to determine the point of origin for Tor users given their use of Tor alone.
Instead, most authorities violate Tor anonymity by employing a side channel attack. They don’t attack a user’s Tor path at all, instead relying on non-anonymized data that the user accidentally gives out from their browser.
The most notorious side channel attack deployed against users was the infamous Javascript Exploit launched through Freedom Hosting, an anonymous service that hosted many of the Tor deep web's more infamous sites.
After Freedom Hosting was successfully hit by the FBI in early 2013, the FBI conducted a sting operation through the website where they silently inserted malicious code into many of Freedom Hosting’s sites.
This code exploited a bug in Firefox (the most common browser used in navigating the deep web due to its inclusion within the Vidalia bundle) that made the original Tor user's browser send an unencrypted message to an FBI-controlled server in Virginia. Because this message didn't use the Tor proxy, and thus never traversed the Tor network, it could be traced back to the original user's computer via IP address.

This is just one of the many side channel attacks employed by attackers who have successfully violated the anonymity that Tor otherwise provides. In the case of Eldo Kim, Harvard University officials were able to discover his identity by combing through copious network and router logs (Eldo Kim sent his message from inside Harvard's campus network) for the unique signature of Tor traffic and using simple deduction and interrogation to suss out the original user and his confession.
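The log-combing step above is ordinary network security work: a campus team does not break Tor, it looks for which internal host connected to known Tor relays during the minutes around the e-mail's timestamp. The script below is an added example written for this article, not code from Harvard or the Tor Project; the flow-log format, the internal address range and the relay addresses are all constructed (the relay set stands in for the relay data a defender would load from the Tor Project's published directory information, and uses documentation-only IP ranges).

```python
from datetime import datetime
import ipaddress

# Constructed stand-in for a list of known Tor relay addresses (documentation ranges).
TOR_RELAYS = {"203.0.113.10", "198.51.100.22", "192.0.2.77"}

# Constructed NetFlow-style export from a border router: timestamp src dst dst_port.
FLOW_LOG = """\
2013-12-16T08:12:03 10.20.4.15 93.184.216.34 443
2013-12-16T08:29:41 10.20.7.102 203.0.113.10 9001
2013-12-16T08:30:05 10.20.7.102 203.0.113.10 9001
2013-12-16T08:31:17 10.20.3.8 198.51.100.22 443
2013-12-16T11:02:55 10.20.9.44 192.0.2.77 9001
2013-12-16T08:33:00 10.20.4.15 151.101.1.69 80
"""

def parse_flows(text: str):
    """Turn the raw export into (datetime, src, dst, port) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def tor_clients_in_window(flows, relays, start, end, internal_net="10.20.0.0/16"):
    """Map each internal host that reached a known Tor relay inside [start, end]
    to the list of matching flows. Matching on the relay list, not on port 9001
    or 443 alone, is what makes this a signature of Tor rather than a guess."""
    net = ipaddress.ip_network(internal_net)
    hits = {}
    for ts, src, dst, port in flows:
        if ipaddress.ip_address(src) not in net:
            continue  # only our own hosts can be the sender we are looking for
        if dst in relays and start <= ts <= end:
            hits.setdefault(src, []).append((ts, dst, port))
    return hits

def candidates_for_message(sent_at: datetime, slack_minutes: int = 5):
    """Convenience wrapper: the e-mail header gives the send time; look a few
    minutes either side of it for hosts that were on Tor at that moment."""
    from datetime import timedelta
    delta = timedelta(minutes=slack_minutes)
    return tor_clients_in_window(parse_flows(FLOW_LOG), TOR_RELAYS,
                                 sent_at - delta, sent_at + delta)

if __name__ == "__main__":
    # Constructed send time taken from the message header of the threat e-mail.
    for host, flows in candidates_for_message(datetime(2013, 12, 16, 8, 30)).items():
        print(host, [(ts.isoformat(), dst, port) for ts, dst, port in flows])
```

With the sample data this narrows a whole campus to two hosts, one of which made two relay connections within a minute of the send time. That is the "deduction" part of the article; a flow record is evidence of Tor use at that time, not of what was sent, which is why the investigation still needed the interview that produced the confession.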
But Tor lives on. Despite the FBI’s largely successful campaign against Tor’s users, sites like Silk Road and BMR have reappeared under new owners and resumed operations. Many attribute this to the fact that most of Tor’s elite (which include targets of international law enforcement and military/national intelligence investigations) have been paranoid enough to avoid attacks like the Javascript Vulnerability.
Security-conscious Tor elite (i.e.: sufficiently paranoid users) have traditionally disabled software platforms like Javascript or Flash when browsing Tor, knowing that these platforms could be compromised and used to void their anonymity by techniques similar to the ones employed by the FBI.
Attacking these users is much more complicated and difficult. But it can be done. To violate the anonymity of security-conscious Tor elite, attackers like the NSA most likely employ a technique known as an exit node vulnerability to spy on users' data and guess the origin and location of users using complex statistical analysis.
Because Tor doesn't touch data located higher on the networking stack, most of the data handled by Tor exit nodes is unencrypted. If you control an exit node, you can intercept this data and correlate users based on the timing of when data is sent and the nature of that data.
To return to our earlier Alice example, now adding Bob: let's pretend Alice is using Tor to browse for a gift for Bob on eBay. As the Tor exit node that Alice is using for her transaction, you can correlate the nature of traffic Alice is sending (a series of encrypted and unencrypted HTTP and HTTPS traffic to/from eBay.com) and the timing of certain messages to help build a profile of Alice's randomly-chosen path.
If you also have some Tor nodes that were included in that path — and get very, very lucky — you might be able to guess Alice’s location by discovering which nodes she frequently uses and attacking them to determine frequent origin traffic.
Exit node vulnerabilities have long been the tool of sophisticated (read: state sponsored) Tor attackers, but they leave a telltale signature in the form of their curious, often revealing geographical location.
For a long time there were a series of highly trafficked Tor exit nodes located suspiciously in Fort Meade, Maryland. Fort Meade is a hub of US national intelligence agencies, including DISA and NSA. Many of the world's elite hackers were quick to point this out during campaigns launched in the mid-to-late 2000s, and savvy Tor users learned to prune their choice of exit nodes accordingly.
Still, suspicious exit nodes continue to be a concern for Tor users. While Fort Meade-based exit nodes no longer exist on the Tor network, they seem to have been replaced by Amazon-hosted AWS exit nodes located precariously close to NSA headquarters. Given Amazon’s newly-signed deal with US intelligence agencies like the CIA, many within the deep web consider these exit nodes to nominally be controlled by US intelligence organizations.

Despite the multitude of attacks possible against Tor users, Tor remains a critical part of maintaining anonymity on the internet. Wikileaks and other legitimate organizations continue to trust Tor because of the platform's inherent ability to protect its users. And so long as those users are mindful of the risks of side channel attacks and exit node vulnerabilities, Tor remains an effective means of cloaking their traffic on the internet and deep web.
Written by Andy Manoske.