Given the extent of the five eyes (NSA,GCHQ,DSD, etc) taping of major fiber lines, Tor is almost certainly useless against the NSA even without backdoors. The NSA doesn't need to resort to expensive key cracking operations to break either the anonymity or confidentiality of Tor. They just have to be able to see entry and exit node traffic.<p>From the original paper by the Tor developers:<p>"A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary."
--- Tor: The Second-Generation Onion Router <a href="http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf" rel="nofollow">http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf</a>
"Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, that the NSA is best at cracking."<p>So it is suggested to update to a newer version that uses EC, but we are not sure if EC is not breakable? Others ([1], [2]) suggest that RSA is more secure than EC!?<p>I wish that the security experts could give "clear" advise.<p>EDIT: Added proper links to sources suggesting RSA over EC.<p>[1] Bruce Schneider in <a href="http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance" rel="nofollow">http://www.theguardian.com/world/2013/sep/05/nsa-how-to-rema...</a><p>"Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can."<p>[2] Fefe (it's in German) <a href="http://blog.fefe.de/?ts=acd52294" rel="nofollow">http://blog.fefe.de/?ts=acd52294</a>
2.3.25 is the current stable version. 2.4.* is in development. Tor server operators would have to compile from source or use the upstream deb/rpm repos.<p><a href="https://www.torproject.org/download/download-unix.html.en" rel="nofollow">https://www.torproject.org/download/download-unix.html.en</a>
Debian/Ubuntu isn't alone in this. It should be noted that the majority of nodes are using Linux and of those, the 0.2.4 package is still not available unless you're running some flavor of "untested" or other bleeding edge distro.<p>Of course that doesn't stop operators from simply downloading the latest package themselves from the Tor project or compiling from source.
<i>Of course, this is still just guessing about the NSA's capabilities. As it turns out, the newer Elliptical keys may turn out to be relatively easier to crack than people thought, meaning that the older software may in fact be more secure.</i><p>Wait, what?
I don't see how ECDHE has any effect on the (in)security mentioned in the article. It clearly states that the RSA keys being only 1024 bits is the problem. How does using ECDHE-RSA change this?