According to a report on Heise Online, the German IT security portal, two of the seven directory authority servers (moria1 and gabelmoo) that the Tor Project uses to run its anonymous browsing service have been compromised, along with a new server that the project uses to host metrics and graphs (metrics.torproject.org).
Tor team discovered the attack in early January and are advising users to upgrade to version 0.2.1.22 or 0.2.2.7-alpha of the client software – which acts as an interface between the custom version of Mozilla that the project recommends and the internet.
They said that there is no risk that the attackers could have matched Tor users to their browsing habits.
“By design, Tor requires a majority of directory authorities (four in this case) to generate a consensus; and like other relays in the Tor network, directory authorities don’t know enough to match a user and traffic or destination,” Roger Dingledine, the original developer of the Tor Project wrote in an email this week.
Unconfirmed indications suggest that the two servers were hacked to gain access to the high anonymous bandwidth they offered, but it is also possible that the goal was to set up some SSH keys and use the servers to launch other attacks.
Can you still trust Tor’s security?
Here is what Roger Dingledine says about this: “We’ve taken steps to fix the weaknesses identified and to harden our systems further. Tor has a track record of openness and transparency, with its source code and specifications and also with its operations. Moreover, we’re disclosing breaches such as this so you can monitor our status. You shouldn’t assume those who don’t disclose security breaches never have any!”
