nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Tor Project works on anti-FBI defenses amid iOS row with Apple

Vows never to add backdoors, improve tamper detection, remove single points of failure

By Iain Thomson, 22 Mar 2016

In a blog post timed for the start of Apple's now-delayed FBI showdown, Mike Perry, lead developer of Tor Browser, said the project is stepping up efforts to keep its anonymizing network free of government interference.

The Feds' attempt to compel Apple to build a deliberately weakened version of iOS with its security mechanisms filed off has spooked makers of secure software – Tor included. Its tools are used by all sorts of people, from whistleblowers and journalists avoid violent governments to drug dealers and crims avoiding the law.

"For all of our users, their privacy is their security," he said.

"And for all of them, that privacy depends upon the integrity of our software, and on strong cryptography. Any weakness introduced to help a particular government would inevitably be discovered and could be used against all of our users."

The Tor Project, which is partially funded by the US government, has never received a legal demand for backdoors in its code nor the project's crypto keys, Perry said. Where Tor nodes are seized by police or "unknown actors," its keys are automatically blacklisted, he said.

The open nature of Tor's code makes it likely a developer would spot backdoors sneaked into the system, Perry asserted, and the use of multiple cryptographic mechanisms and independent keys, along with reproducible builds of its code, make a single point of failure unlikely.

In light of Apple's battle with the FBI, the Tor Project is going to further toughen up its code base by rolling out a bug bounty program ahead of schedule, Perry said. In the not-too-distant future, the group will also list Tor browser binary hashes in the network's consensus document and then audit the consensus with a certificate transparency-style log that would raise an alert if the majority of the directory authority keys were stolen or Tor browser downloads were tampered with.

Such attacks could be mounted by miscreants and g-men to potentially snoop on Tor users and unmask them. Perry also said Tor developers would rather walk away from the project than knacker their own software at the request of investigators.

"Like those at Apple, several of our developers have already stated that they would rather resign than honor any request to introduce a backdoor or vulnerability into our software that could be used to harm our users," he concluded. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing