Tor scoffs at claims that 81 percent of its users can be identified
Tor was supposed to be the Holy Grail of Internet anonymity, providing a secure and private way to browse the web. But a new study claims it could actually be a poisoned chalice because of an exploit involving Netflow, a feature of Cisco Systems, Inc. routers, that is said to reveal the identities of as many as 81 percent of Tor users.
The study, “On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records,” was carried out by Professor Sambuddho Chakravarty of the Indraprastha Institute of Information Technology in Delhi.
Chakravarty ran tests using a high-performance research server, and described how the attack was possible due to Tor’s low-latency design.
“To achieve acceptable quality of service, [Tor] systems attempt to preserve packet inter-arrival characteristics, such as inter-packet delay,” he wrote. “Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.”
He added that although the current capacity of Tor networks makes it challenging to carry out packet-level monitoring at such a scale, attackers could use less accurate but widely available traffic monitoring tools, like Cisco’s Netflow.
According to Chakravarty, the specific network analysis technique he used works by applying statistical correlation to identify pattern similarities in the Tor network’s traffic. By doing so, he claims it’s possible to identify the IP addresses of about 80 percent of Tor users.
“Our method revealed the actual sources of anonymous traffic with 100 percent accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4 percent for the real-world experiments, with an average false positive rate of 6.4 percent,” writes Chakravarty.
However, the Tor Project, which runs the Tor network, tried to brush aside any concerns.
Referring to a 2009 blog post, the organization states: “The Tor design doesn’t try to protect against an attacker who can see or measure traffic going into the Tor network and also traffic coming out of the Tor network.”
“That’s because if you can see both flows, some simple statistics let you decide whether they match up. Because we aim to let people browse the web, we can’t afford the extra overhead and hours of additional delay that are used in high-latency mix networks.”
Tor goes on to remind users that “whether this attack can be performed at all has to do with how much of the internet the adversary is able to measure or control.”
In other words, Tor is saying it has known about the exploit for some time, and that the task is almost impossible to pull off.
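The latency trade-off Tor describes can be seen in a small simulation. This is an added example, not code from the study or the Tor Project: it correlates constructed per-interval byte counts seen on each side of a low-latency relay and of a simplified batching mix. The 512-byte cell padding, the one-interval relay delay, the four-interval batch window and all traffic figures are assumptions chosen for illustration.

```python
from math import ceil, sqrt

CELL = 512  # assumed fixed cell size in bytes

def pearson(x, y):
    """Pearson correlation of two series, truncated to the shorter one."""
    n = min(len(x), len(y))
    x, y = x[:n], y[:n]
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    # A flat series carries no pattern to match, so report zero correlation.
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def best_lag(entry, exit_, max_lag=2):
    """Highest correlation over small time shifts, returned as (r, lag)."""
    return max((pearson(entry, exit_[lag:]), lag) for lag in range(max_lag + 1))

def low_latency_relay(counts, delay=1):
    """Forward each interval's bytes after a short delay, padded to whole cells."""
    padded = [ceil(c / CELL) * CELL for c in counts]
    return ([0] * delay + padded)[:len(counts)]

def batching_mix(counts, window=4):
    """Hold a whole window of traffic, then release it evenly over the next one."""
    out = [0.0] * len(counts)
    for start in range(0, len(counts) - window, window):
        share = sum(counts[start:start + window]) / window
        for i in range(start + window, min(start + 2 * window, len(counts))):
            out[i] = share
    return out

# Constructed sample: bytes seen per one-second interval on the client side.
ENTRY = [9000, 0, 0, 27000, 0, 18000, 0, 0, 36000, 0, 0, 9000]

def compare():
    """Return ((r, lag) for the low-latency relay, (r, lag) for the mix)."""
    low = best_lag(ENTRY, low_latency_relay(ENTRY))
    mix = best_lag(ENTRY, batching_mix(ENTRY))
    return low, mix

if __name__ == "__main__":
    (r_low, lag_low), (r_mix, lag_mix) = compare()
    print(f"low-latency relay: r={r_low:.3f} at lag {lag_low}")
    print(f"batching mix:      r={r_mix:.3f} at lag {lag_mix}")
```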