Tor Project Promises to Stay Backdoor-Free

Apple has received support from an unlikely source in its stand-off against the FBI – the Tor Project, which says it’s ramping up its own efforts to keep users safe from government snoops.

The lead developer of the anonymizing Tor Browser, Mike Perry, repeated a commitment to “never backdoor our software,” explaining that users of the service depend on the integrity of the software and on strong cryptography for their security.

As it’s a fully open source product, anyone can get the source code and produce identical copies of the programs Tor distributes using reproducible builds, “eliminating the possibility of single points of compromise or coercion in our software build process,” he said in a blog post.

“The Tor Browser downloads its software updates anonymously using the Tor network, and update requests contain no identifying information that could be used to deliver targeted malicious updates to specific users,” he continued.

“These requests also use HTTPS encryption and pinned HTTPS certificates (a security mechanism that allows HTTPS websites to resist being impersonated by an attacker by specifying exact cryptographic keys for sites).”

Also, the updates themselves are protected by strong cryptography, again reducing single points of failure.
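The reproducible-builds point above can be made concrete with a short sketch. This is an added example, not code from the Tor Project or the original article: it accepts a download only when enough independently produced digest manifests agree with it. The builder names, file name, manifest format (`sha256sum` style) and threshold are all assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name.lstrip("*")] = digest
    return entries

def verify_artifact(name, data, manifests, threshold):
    """Return (accepted, dissenting_builders).

    manifests maps a builder id to the manifest text that builder published
    after compiling the same source. The artifact is accepted only if at
    least `threshold` builders list exactly the digest of `data`; a builder
    that lists a different digest, or no entry at all, counts as dissenting.
    """
    actual = sha256_hex(data)
    agree, dissent = [], []
    for builder, text in manifests.items():
        published = parse_manifest(text).get(name)  # None if file not listed
        (agree if published == actual else dissent).append(builder)
    return len(agree) >= threshold, sorted(dissent)

# Constructed sample data: two builders agree, a third publishes a digest
# for a modified binary (a compromised or coerced build machine).
ARTIFACT = b"constructed release bytes, not a real package\n"
NAME = "example-browser.tar.xz"  # hypothetical file name
GOOD = f"{sha256_hex(ARTIFACT)}  {NAME}\n"
BAD = f"{sha256_hex(ARTIFACT + b'modified')}  {NAME}\n"
MANIFESTS = {"builder-a": GOOD, "builder-b": GOOD, "builder-c": BAD}

if __name__ == "__main__":
    print(verify_artifact(NAME, ARTIFACT, MANIFESTS, threshold=3))
    print(verify_artifact(NAME, ARTIFACT, MANIFESTS, threshold=2))
```

With a threshold of one, the modified binary would pass on the word of the single dissenting builder, which is the single point of compromise that independent rebuilds are meant to remove; the list of dissenting builders is the signal to investigate.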

Despite being part-funded by the US government, the Tor Project has never received an Apple-style request to insert a backdoor in its programs or hand over cryptographic signing material, and its open source setup means any attempt to do so would likely be quickly discovered, Perry said.

The non-profit is currently looking at ways to accelerate a bug bounty program and is “exploring further ways to eliminate single points of failure” so that any government interference would be quickly discovered and reported.

“We congratulate Apple on their commitment to the privacy and security of their users, and we admire their efforts to advance the debate over the right to privacy and security for all,” Perry concluded.
