Updated Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.
The discovery is significant, because browsing hidden services had been thought to be more secure than the more typical practice of using the Tor network to browse the open web anonymously.
Not so, say Filippo Valsorda, a member of CloudFlare's security team, and George Tankersley, an independent researcher. In their
presentation, the pair showed that it's surprisingly easy to subvert anonymous access to a hidden server – and thus possibly identify a user of that server – if you're sneaky about it.
That's bad, because hidden services are operated not just by dodgy sites like the Silk Road but also by legitimate sites like
Facebook. Tor often hits the headlines for
enabling things like online drug souks and other
criminal operations, when it can be and is used by journalists, whistleblowers, security researchers, and
anyone who values their privacy, to exchange information and surf the web anonymously.
