Law enforcement agencies' recent takedown operation against dark web service are not a sign the Tor network is fundamentally insecure, or broken, according to experts from the security community.
Concerns about possible security holes within the Tor network erupted after law enforcement agencies successfully tracked and shut down a multitude of dark web services.
However, speaking to V3, security architect at Voltage Security Luther Martin pointed out many of the sites uncovered were not taking advantage of all the Tor network's anonymising powers.
"[Law enforcements'] recent effort seemed to only scratch the surface of the ‘deep web' or ‘dark net' where cyber criminals operate," he said
"All of the web sites that were taken down in Operation Onyomous were sites that existed in levels one and two of the deep web, where the illicit sites are not indexed by search engines but are easily accessible to anyone
"It seems that the cybercriminals that operate in the deeper levels of the dark net were essentially unaffected by this operation, and that's where stolen credit card numbers and medical record information are bought and sold."
Operation Onymous was a joint campaign between numerous law enforcement agencies that successfully shut down hundreds of 'dark web' sites, including Silk Road 2.0, earlier in November.
The operation led to questions about Tor's security as the agencies also managed to successfully track and arrest 17 people believed to have run the illegal services.
The UK National Crime Agency (NCA) confirmed that six people were arrested and bailed in the UK as part of the crackdown.
They were a 20 year-old man from Liverpool, a 19 year-old man from New Waltham, Lincolnshire, a 30 year-old man from Cleethorpes, a 29 year-old man and a 58 year-old man and a 58 year-old woman from Aberdovey, Wales.
It is currently unknown how the agencies were able to track the users. FireEye director of technology strategy Jason Steer argued it is likely many of those caught made mistakes connecting to Tor.
"Tor is just a encrypted routing network at the end of the day, so websites and other software is equally as vulnerable on Tor as being online," he said.
"Software vulnerabilities are the same in or out of Tor. The biggest risk is when users connect to [the network] this exposes where they connect from frankly today. Vulnerabilities are vulnerabilities at the end of the day."
Despite the security experts' confidence, the take down has caused concerns within the Tor Project.
The Tor Project's 'Phobos' issued a call for aid to the wider research community, warning users that Tor has still not figured out how law enforcement identified the location of the services and individuals, earlier in November.
"Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissent," wrote Phobos in a blog post.
"We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network."
Tor is a custom network designed to let people surf the internet anonymously and host web services without them being indexed on the public internet. Numerous firms have reported a spike in Tor use since news of the NSA's Prism campaign broke.
The Prism scandal erupted in 2013 when Edward Snowden leaked documents to the press proving that US intelligence agencies siphoned off vast amounts of data from technology companies including Microsoft, Google, Twitter and Facebook.
The growth in Tor use has led many law enforcement agencies to take increased interest in the technology and begin attempting to find ways to track its users.
Phobos said the attacks have pushed the Tor Project's resources to its limits and forced it to consider outsourcing its investigation to bug hunters.
"Although the Tor source code gets continuously reviewed by our security-minded developers and community members, we would like more focused auditing by experienced bug hunters," read the post.
"Public-interest initiatives like Project Zero could help out a lot here. Funding to launch a bug bounty programme of our own could also bring real benefit to our codebase. If you can help, please get in touch."
The idea of a Tor bug bounty programme has been praised by the security community. FireEye's Steer said the popularity of Tor within the research and wider technology community means a bug bounty programme would likely accrue support fairly quickly.
"Tor is a threat to law enforcement agencies and governments, but the desire for privacy is a high priority [at the moment], so there are many parties supporting Tor to continue to do what it does well," he said.
"Bug bounty lets you get free testing of your code for security issues. This benefits all users and is the best way to get smart people looking for issues that you may not have had time to think about."
Technical director for Trend Micro UK, Ross Dyer, mirrored Steer's argument, but added it could also have some negative consequences.
"There are many skilled coders globally who would be able and willing to help. Whether they all have the best interest of the Tor organisation is a good question though. Infiltration of the group may have explained previous back doors that have been leveraged by government agencies," he told V3.
"This is the constant battle that we see between those that seek to do good and those that seek financial profit and/or are engaged in cyber warfare. The aims of the Tor group are admirable, but it is very difficult to maintain anonymity and free access without opening yourself up to exploitation."
Bug bounties are an increasingly popular strategy for firms looking to boost their services' security.
Google increased the maximum payout in its Chrome bug bounty programme to $15,000 in October, claiming that hunters had already helped to fix over 700 security flaws.
Using photocatalysts to convert carbon dioxide into usable energy such as methane or ethane
Trained on curated data from Moorfields Eye Hospital, the neural networks show clinicians how they reached their decisions
Yokohama National University demonstrate technology that could lead to a fault-tolerant universal quantum computer
Top-of-the-range Threadripper 2990WX now available from Scan, Ebuyer, Overclockers, Novatech and Amazon