The latest threat to Tor, the online anonymity tool, is simple but serious: Mouse movements may be used to identify users online.
Tor is designed to hide your identity on the Internet by making it impossible for websites, or people eavesdropping on network traffic, to determine your true IP address. It does a pretty good job of that by routing traffic through multiple relays (Tor is short for “The Onion Router” because connections are routed through many different layers, like an onion). That way, no one party can figure out where traffic originated.
But a new Tor privacy loophole has been identified. Jose Carlos Norte, an Internet security researcher, disclosed on his blog earlier this month a technique that monitors mouse movements to keep track of a user’s online activity.
The method requires only that the user’s Web browser have JavaScript enabled. By default, the Tor Browser, a specifically modified browser that most people use to access the Tor network, has this turned on — so it’s likely that a large number of Tor users are exposed to this sort of identification method.
On their own, mouse movements inside the Tor browser wouldn’t reveal a user’s true IP address. They would only make it possible to trace a Tor user’s activity across different sites.
But the real danger comes from the possibility that mouse patterns inside the Tor browser could be matched with those that a user makes when visiting a website from a normal browser, which does expose his true IP address. With enough data from both sources, it would become possible to determine the real identity of an Internet user even if he is connecting to certain sites using Tor.
Don’t panic yet. Norte makes clear that this method requires “controlled environments.” In other words, it could work well in a laboratory, but it might be much harder to identify a Tor user this way in the real world. And if you’re worried about it, of course, you can just disable JavaScript in your Tor browser.
Still, Norte’s experiment is a reminder of another way that Tor privacy can be undermined. In this case, it’s especially striking because the technique doesn’t require particularly intrusive methods or expensive technology. All an attacker has to do is get a Tor user to visit websites using his default browser settings.