A research team has published techniques it claims could be used to unmask the IP addresses of people using The Onion Router (Tor) privacy system.

The report’s lead author, Andrew Christensen of Danish security consultancy FortConsult, uses Practical Onion Hacking to detail how the anonymity of the system could be undermined by tampering with traffic at the server through which it exits Tor, the so-called "exit node".

Although the vulnerabilities are in browser-based applications using Tor, Javascript and Shockwave, and not in the peer-to-peer routing protocols of the system itself, the effect could be to render the IP addresses of users accessible to anyone with the motivation to use the exploits.

Tor is an IP tunnelling system that allows users to connect to web servers without revealing their IP address, and therefore their location or identity. Endorsed by the Electronic Frontier Foundation (EFF), the system uses a series of special servers or "nodes" that route traffic using encryption without storing information about a connection’s address origins. The destination web server sees only the exit node - the last node in the chain - rather than the real address.

The system’s free-speech advocates point in its favour to its use in circumventing web restrictions in countries such as China, though others have criticised it as providing a way for child pornographers and criminals to hide their interests. Others think the system is so riddled with hypothetical insecurities caused by mis-configuration as to make it useful only to experts.

"We have not found any weaknesses in Tor - but instead demonstrated weaknesses/features of the software that uses Tor can be exploited to take away people’s privacy/anonymity," concludes Christensen. "We believe we have demonstrated that it is entirely possible to unmask a good portion of the traffic transiting Tor, since it is being viewed using Firefox and Internet Explorer, and is transmitted cleartext."

The authors accept that an expert could configure the system so as to render these exploits null, but that would involve turning off browser plug-ins such as Java, Javascript, ActiveX and Flash, ensuring Tor resolves name addresses, and using SSL, all things that may not occur to an average user.

The new report follows up a previous report, Peeling the Onion, that outlined the vulnerabilities in a more theoretical light.