Rogue Nodes Turn Tor Anonymizer Into Private Listening Post

A security researcher has figured out a novel way to compromise the security of messages traveling in the Tor anonymizer network. Messages in the Tor network are encrypted as they travel from node to node to their final destination. But the last node has to decrypt the messages before it can deliver them to their final destination on the Internet. Many Tor users mistakenly believe their message remains encrypted through the entire Tor network, when in fact this is not the case: the last node must decrypt them. The researcher simply ran a few of these nodes and was able to read all unencrypted last-node traffic that came through them. This included sensitive communications of many government embassies around the world. The researcher believes that intelligence agencies around the world are already taking advantage of this weakness to eavesdrop on Tor traffic. Interestingly, when he pointed this security hole out to some of the embassies that were sending non-secure message they didn’t respond or even appear to understand the problem. Read more here.