How Secure Is Tor? Not Secure at All
Posted3 months agoActive3 months ago
csam-bib.github.ioTechstory
heatedmixed
Debate
80/100
TorOnline SecurityAnonymitySurveillance
Key topics
Tor
Online Security
Anonymity
Surveillance
The article claims Tor is not secure, sparking a debate among commenters about the validity of its claims and the limitations of Tor's anonymity features.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
N/A
Peak period
33
0-2h
Avg / period
6
Comment distribution54 data points
Loading chart...
Based on 54 loaded comments
Key moments
- 01Story posted
Sep 24, 2025 at 3:35 PM EDT
3 months ago
Step 01 - 02First comment
Sep 24, 2025 at 3:35 PM EDT
0s after posting
Step 02 - 03Peak activity
33 comments in 0-2h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 25, 2025 at 3:27 PM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45365001Type: storyLast synced: 11/20/2025, 6:30:43 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
Hottest take of the week right there.
Why do they seem to imply that Tor was somehow created explicitly with this purpose in mind? That's like saying only criminals use the Internet, just because it can be used to commit crimes.
I think they are taking Tor's words and applying it to a much broader scope than they originally intended.
> Tor Browser prevents someone watching your connection from knowing what websites you visit.
If someone is watching only your connection as it exits your local ISP and nothing else, then yes, this is in fact true. It's just not articulated that plainly.
But if the author actually went as far as they are trying to, they might as well tell people to just give up because there's a chance your attacker already controls the destination server you're talking to in the first place.
If you're going to the trouble of trying to calculate the chances that nodes in the middle are compromised, why not include the destination itself too?
> The small set of people that centrally control Tor software and centrally manage the Tor network have the power to act to stop this abuse without lessening their (weak) protections.
Source: trust me bro
> The world's standards for encrypting data are so secure that no one has enough money or time to brute force their way into properly encrypted data, not even governments. They are better off waiting for a scientific breakthrough that may never come.
This completely disregards the possibility that any one of a number of root CAs aren't already compromised or cannot be coerced by your attacker.
If you're going to claim tor is insecure, you might as well go all the way and say it's pointless to use anything at all, ever.
CSAM is still distributed on the clearnet too... why isn't there a "solution" for that too?
So far the only solutions people seem to have come up with is mass surveillance, and that's not an option.
Did you know that the Tor Project allows exit nodes to filter based on the clear internet IP. So filtering is ok.
However, if a relay refuses to service an onion site directory look up, it will be banned by the Directory Authority. They could allow this today. But they don’t. That’s the simple solution. No surveillance. Not back door. No less privacy for everyone else.
edit: This is easy to confirm. I’m not asking anyone to trust me.
> For the Tor network, Onion Services can alleviate the load on exit nodes, since it's connections don't need to reach the exits.
Also:
> Directory Authority.
"These authorities are operated by trusted organizations or individuals with a strong commitment to the principles of privacy, security, and network neutrality."
Emphasis on neutrality... it's not the job of network operators to police the sites people can and can't access, this is exactly why many people use Tor in the first place.
> They could allow this today. But they don’t.
Speaking for onion services... no, they cannot, because the entire design of the tor network prevents this in the first place. No relay in the circuit knows the final destination because it is encrypted multiple times (like an onion) and each hop can only see where it needs to go next, not what the destination is.
Because the network was explicitly designed to not allow this... otherwise it becomes subject to censorship, which is one of the main goals they try to prevent.
The (onion) address itself is never transmitted in plaintext through the Tor network... when you access an onion site, your Tor client encrypts the traffic multiple times, literally like an onion. No relay in the circuit knows the final destination.
Conversely, even if the official project implemented an onion blacklist, a fork would quickly appear to remove it. And node operators would likely prefer that one.
Anyone with any sense understands that introducing a node blacklist creates the capability to expand the use of that blacklist in the interest of political and/or military censorship. The Tor project, Tor devs, and node operators are adamantly opposed to any such censorship capabilities. Therefore it will not happen, period.
Edit: on second look I can see how you could think it was. I’m just proposing that if you run a node you be allowed to not become a rendezvous point for onion sites.
Specifically, it would be easy to add code to hsdir functionality to deny requests for onion sites that are known to be related to csam. Those sites could be announced by the DAs as part of the consensus file, for example. The Tor Project currently lets exit nodes filter by IP address as long as they announce that in their config; this new functionality is of the same kind in the abstract. This change would not be a backdoor. It’s not going to weaken the privacy of anyone using Tor.
The current setup is an extremist position that children who have been abused are not deserving of privacy. It’s a position that all information deserves to be free even if that information is very clearly harmful to others and has no positive benefit to society. One can have that opinion but you won’t find many (outside of this thread) that agree.
That's simply not true. Exit operators who intentionally block websites are flagged as bad relays.
https://community.torproject.org/policies/relays/expectation... https://gitlab.torproject.org/tpo/network-health/team/-/wiki...
https://support.torproject.org/relay-operators/exit-policies...
The documents you referred to just say you need to honor your own exit policy.
But the calculator states that if the investigating party has $150,000 a month budget for all targets they have a 100% certainty of getting your IP address... obviously this is false, so what else has the author claimed that is also not true?
1. Tor is primarily used to distribute CSAM,
2. a single organization with a budget of $150k could deanonymize every Tor user simultaneously.
Since pretty much every firat world law enforcement organization can cough up this amount in spare budget, either
- at least one of the claims above is false; or
- there's a global conspiracy involving every major law enforcement organization in the planet being taken over by pedos.
In fact, both claims (you?) made without evidence are simply false.
Having published calculations for the second claim is like having published calculations for "the Sun went supernova yesterday". The conclusion is blatantly wrong, so the calculations have a mistake, and an intellectually honest author would double check them, find that mistake, then retract the claim (or would not have made it in the first place).
2. My site shows a mathematical model of security that Tor provides in terms of its design for relays alone. I say on the site I’m not including staff and other costs. In fact bringing someone to court is a further cost. My point in making the site is to quantify solely the costs that the design brings to the table. You can then compare that design to some other anonymous system. Or compare it to a doublespend attack on bitcoin or to brute force decryption. That’s important for users.
Unlike the Tor Project, I’m being transparent by showing assumptions, the math, and the code. Do you have a better model? Great, then publish it. I’m trying to start a formal conversation. The Tor Project should be relying on science, and not strong assertions, to ensure its security.
And while there are costs to, say, bring someone to court for csam, do you believe all adversaries are going to do that? That’s why it’s not part of the costs I model.
Finally, to be more clear, Onion Services in particular are the problem when it comes to CSAM (and ransomeware). Tor Browser is not the issue when it comes to CSAM.
The formula is wrong and it all falls apart.
BUT the author asked a different (but valid) question: assuming the adversary controls x out of N existing nodes, what is the success rate? I am unclear: is the assertion that everyone’s relay is honest today? From a privacy standpoint, that’s not a great assumption.
Posting some words on a URL does not make them factually accurate.
Lol, are we using the regular internet as an example of preventing all CSAM?
We've known for years that owning enough nodes results in the compromise of privacy and that it's likely the NSA has achieved this. Although there is some question around how that plays out if adversaries like China are also competing for similar node share percentage.
https://99firms.com/research/tor-stats
Says there seem to be about 65k onion sites.
This site:
https://protectchildren.ca/en/press-and-media/blog/2025/tor-...
Has some varying numbers depending on the observation time, but in final month listed saw 30k sites that had they identified as having CSAM.
I’m not sure how accurate either number is or if they are directly comparable but that would be a 50% of all onion sites ballpark.
Not sure how to measure general sites vs dedicated abuse sites.
https://metrics.torproject.org/hidserv-dir-v3-onions-seen.ht...
It's definitely better than regular browsing for security, but it's not perfect.
The whole thing reads as scaremongering FUD to prevent people from using Tor, with further FUD tacked on to make people think that using it might be illegal somehow. Tor is actually great for personal infrastructure (no need for domain names or a static IP), limited anonymity, and censorship resistance.
To me, TOR is not adequate to protect users targeted by a nation state who are the ones that TOR claims to be created for.
Clearnet traffic via exit node is a bit different. With only three hops it might be possible to correlate targeted traffic by owning a huge number of nodes, but even then, unless you also control the server being connected (or it barely receives any traffic) then it may not give you anything actionable. (Using Tor is not a crime.) Unless you can see what is being done on the server by the unmasked user, or you can establish a pattern of behavior, or you see something like a large data transfer whose size matches a known event of interest, then all you know is someone accessed the server over Tor. And even then, owning both the entry and exit isn’t sufficient if the user is masking their traffic with decoy and/or relay traffic.
https://github.com/Attacks-on-Tor/Attacks-on-Tor
and if you can get the guard and exit node for a clearnet connection and the guard, rendezvous point and exit for the onion service that can be enough.
Come back when you have evidence of real-world attacks and not just FUD against the best current network for anonymity.
But I don’t think we disagree. My view is that TOR is inadequate against a nation state attack because for some of these attacks it is easier to do mass de-anonymization and hope you get some particular user or set of users you are interested in. The resources to do this are small for something the scale of an intelligence agency, but excessively large for some local police department.
I’m not sure why you appear so hostile to citing attacks that are well-known and already part of the public threat model.
There just aren’t that many people who are both legitimate and likely targets of such an attack. And since the most likely actor to be able to afford such an attack (USG) also has practical uses for Tor, IMHO it would be unlikely to do anything that actually threatens the network. I could be misremembering, but I believe the one big successful deanonymization attack was in Europe, not the US, and the approach used there would not have worked to locate an occasional end user of a busy server.
I am not really interested in debating this further. Feel free to respond of course, but it’s obvious to me (and hopefully everyone else) that you have an axe to grind against Tor.
How exactly does someone in China or North Korea go about getting a multi-hop VPN to access Tor?
Is it correct? Probably. Does it justify the "Not secure at all" indictment? No.
That the author has received funding from the DOJ makes me wonder what their proposed solution is.
I see in the comments that the author is an academic, my cursory look of the site makes me disappointed to see such weak rigor applied here. This looks like a hit piece dressed up to sound scary. Not going to waste my time further on its claims when on the surface its given me this impression. Strikes me as yelling and not listening type of personality.
1 more comments available on Hacker News