You might have thought that by browsing the web via the secure Tor network, you’d be safe from the prying eyes of the NSA, but you’d be wrong. Last week, Errata Security CEO Rob Graham published a blog post that dispelled the myth once and for all that Tor is anywhere near as anonymous as people believe, when he revealed that American spies were most likely capable of breaking 90% of its keys – and thus able to snoop on 90% of all traffic that uses them.

The problem boils down to this – around 90% of Tor users are still using older software which can be hacked. The software, version 2.3, uses something called 1024 bit RSA/DH encryption keys, which Graham says could be cracked in a matter of hours by the NSA using extremely expensive, custom-made chips. Graham estimates that the chips would cost in excess of $1 billion, yet he warns that the NSA has probably gone and spunked that much on them anyway, most likely purchased from IBM. While the NSA can’t decrypt Tor communications in real-time as of yet, it is capable of doing so eventually, which means that it can and most probably will, learn everything.

The good news is that the latest version of Tor, version 2.4, isn’t believed to be ‘crackable’ by the NSA, as it uses something called elliptical curve Diffie-Hellman ciphers that are thought to be beyond its capabilities at the moment.

Unfortunately, few people use this latest software. Graham blames the Tor Project for failing to get people to update their software, but ARS Technica also points out that Linux platforms like Ubuntu and Debian should share some of this blame as they don’t currently distribute the latest version. In any case, the news will hopefully give the Tor Project a badly needed kick up the ass and force it to start pushing its update.

The news that Tor is insecure follows revelations last week that the NSA has the ability to decrypt the ‘secure’ communications of virtually every web service known to man. The suggestion was that the NSA’s cracking skills were far more advanced than anyone previously thought, but it’s not as clear cut as that.

Rather, what the NSA has done is to spend a shed load of money – money that far surpasses anything its spent on PRISM – to bully software companies, hardware firms, and privacy standards bodies into accepting a secret ‘backdoor’ into their products. In a way, this is even more worrying than the prospect of the NSA developing super-advanced programs that can crack any kind of encryption, as this kind of knowledge could well remain secret for years. What the NSA has effectively done is to sabotage the most commonly used encryption tools in the world, leaving holes that anyone with sufficient skill, resources and patience could possibly find – including terrorist, criminals and hostile foreign states.

We’re not quite at the end of the road yet. Thankfully, as Ed Snowden himself points out in a recent ProPublica article, “properly implemented strong crypto systems are one of the few things that you can rely on.”

In other words, open source security tools like the (latest) version of Tor are still secure, so long as the encryption used is of the highest possible standards and well implemented.

That the NSA now has the ability to crack 1024 bit RSA/DH keys through brute force attacks isn’t really surprising. It takes time, but with the vast financial and computing resources it possesses it was only ever a matter of time. The good thing is that the strength of encryption increases exponentially – for example, 1025 bit RSA/DH keys would make the encryption twice as difficult to break, while 1030 bit RSA/DH keys would be four times as difficult to crack. And with Tor now using elliptical curve Diffie-Hellman ciphers, which provide even greater security, cracking the network will be an almost impossible task even for the NSA. All we need now is for Tor users to actually start using it.