Attack on internet privacy tool Tor may have unmasked anonymous users

Tor, the prominent system for protecting internet privacy, said many of its users trying to reach hidden sites might have been identified by US government-funded researchers.

In a note posted on Wednesday on the non-profit-making website, Tor Project leader Roger Dingledine said the service had identified computers on its network that had been quietly altering Tor traffic for five months in an attempt to unmask users connecting to what are known as "hidden services".

Dingledine said it was "likely" the attacking computers, which were removed on July 4, were operated on behalf of two researchers at the Software Engineering Institute, which is housed at Carnegie-Mellon University but funded mainly by the US Department of Defence.

The pair had been scheduled to speak on identifying Tor users at the Black Hat security conference next month. After Tor developers complained to Carnegie-Mellon, officials there said the research had not been cleared and cancelled the talk.

Previous reports on the research had already raised alarm among privacy activists. Dingledine went further, warning that "users who operated or accessed hidden services from early February through July 4 should assume they were affected".

Those navigating to ordinary websites should be in the clear.