The NSA Can Probably Break Tor's Encryption Keys

The NSA Can Probably Break Tor's Encryption Keys

When it turned out that the Firefox JavaScript Tor vulnerability shenanigans were originating from the NSA not the FBI, it was pretty clear that the agency was looking to undermine and access Tor's anonymous internet. It's like a moth to a flame. But now security expert Robert Graham has outlined his reasons for believing that the NSA doesn't even need tricks and paltry exploits to access Tor.

Because they have the keys to the kingdom. Or can.

Tor uses 1024 bit keys for a lot of its encryption, and it's pretty much agreed that the NSA can crack these with custom chips that IBM and others manufacture for them. This is especially true for anyone using an old version of Tor like 2.3. The 2.4 version has better security but only about 10 per cent of Tor servers have upgraded.

Graham ran a "hostile" exit node on 22,920 Tor connections and looked at the encryption mediated by algorithms on incoming connections. Only about 24 per cent were using the newer 2.4 software, meaning 76 per cent were using the old, NSA-vulnerable keys. With everything that's coming out about the NSA working to undermine encryption across the board it's another concerning example of NSA proliferation in what's supposed to be an especially anonymous corner of the internet. [Ars Technica]



    NSA strikes me less as law enforcement and more a business with far too much power.

    Six weeks from now it'll be shocking news to the world that the NSA is selling acquired intel on people to their governments.

    I prefer to take the paranoid side of the Tor debate: The American government created Tor to give criminals/terrorists/spies a false sense of security in using the internet. Let's be serious about this though, if some dangerous person/group were targeted by an intelligence agency, it's really only a matter of cost and man hours to break any level of security/anonymity - both of which a large organization funded by a government has plenty of.

    So it's illegal and outlawed for anyone to break someones encryption without authorization (Anonymous springs to mind here of course), however if a government entity decides to do it en mass, in order to spy (read: keep their citizens safe) it's perfectly OK?

    I don't know about perfectly OK, but bear in mind that it's the government that makes the laws and the exceptions to them.

    I was under the impression that the NSA works autonomous from the government however still under government direction? Ergo they can do what they want when they want with complete deniability from the government? Could be wrong

Join the discussion!