The system the NSA uses to locate and identify Tor users begins, at least sometimes, with buying ads on networks like Google’s AdSense.
“Just because you’re using Tor doesn’t mean that your browser isn’t storing cookies,” said Jeremiah Grossman, a colleague of Hansen’s who also specializes in browser vulnerabilities.
As Grossman described the procedure to CNET, the NSA is aware of Tor’s entry and exit nodes because of its Internet-wide surveillance.
“The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other Web users,” he wrote.
The NSA buys ads from ad display companies like Google and seeds them around Tor’s access points.
Not all Tor installations are created equal, added Hansen, who has an unusual pedigree in the browser vulnerability field: he is also a veteran of the ValueClick ad network, which was later bought by DoubleClick, itself subsequently purchased by Google.
“It depends on whether you’re using Tor Button or Tor Browser,” he said. “The Tor Button tends to be more secure because as you jump in and out of the Tor Browser, it tracks cache and cookies.”
More secure than either, Hansen said, was to run Tor on a virtual machine so that cookies and cache are dumped when the machine is closed, and the kind of man-in-the-middle and man-on-the-side attacks described by Schneier are avoided.
“If you don’t take the critical steps to protect your privacy, you will be de-cloaked if you’re doing something interesting,” Hansen said.
“The NSA then cookies that ad, so that every time you go to a site, the cookie identifies you. Even though your IP address changed [because of Tor], the cookies gave you away,” he said.
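As an added illustration (not code from the article or from the people it quotes), the Python simulation below models the mechanism Hansen describes: an ad response sets a cookie with a Max-Age, the browser keeps it across restarts, and a log-side observer can group visits from different exit addresses under that one cookie; wiping the whole profile on close, as with a disposable virtual machine, leaves each visit with a fresh identifier. The ad endpoint, cookie name, identifiers and exit addresses are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
# Constructed exit addresses (RFC 5737 documentation ranges), one per session.
EXITS = ["198.51.100.7", "203.0.113.42", "192.0.2.19"]

@dataclass
class CookieJar:  # toy browser store: session cookies die on close, persistent ones do not
    persistent: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

    def store(self, set_cookie_header: str) -> None:
        c = SimpleCookie()
        c.load(set_cookie_header)
        for name, m in c.items():  # Max-Age or Expires makes a cookie persistent
            (self.persistent if (m["max-age"] or m["expires"]) else self.session)[name] = m.value

    def close_browser(self, wipe_all: bool = False) -> None:
        self.session.clear()          # every browser drops these on exit
        if wipe_all:                  # a disposable VM/profile drops the persistent ones too
            self.persistent.clear()

    def sent_cookies(self) -> dict:
        return {**self.persistent, **self.session}

class AdServer:  # hypothetical ad endpoint: echoes a known adid or mints a fresh one
    def __init__(self) -> None:
        self.issued = 0
    def respond(self, request_cookies: dict) -> str:
        adid = request_cookies.get("adid")
        if adid is None:
            self.issued += 1
            adid = f"id{self.issued:04d}"
        return f"adid={adid}; Max-Age=31536000; Path=/"

def link_visits(log: list[tuple[str, dict]]) -> dict[str, set[str]]:
    """Server-side view: which source addresses were seen under each adid."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ip, cookies in log:
        seen[cookies["adid"]].add(ip)
    return dict(seen)

def simulate(wipe_on_close: bool) -> dict[str, set[str]]:
    jar, ads, log = CookieJar(), AdServer(), []
    for ip in EXITS:  # each visit leaves Tor via a different exit address
        jar.store(ads.respond(jar.sent_cookies()))
        log.append((ip, jar.sent_cookies()))
        jar.close_browser(wipe_all=wipe_on_close)
    return link_visits(log)
```

Running `simulate(False)` groups all three addresses under a single identifier, while `simulate(True)` yields three unrelated identifiers.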