Tor relays vulnerable to Heartbleed dropped from anonymity network
Posted on 17 April 2014.
Thanks to the OpenSSL Heartbleed bug, the Tor anonymity network is set to temporarily lose around "12 per cent of the exit capacity and 12 per cent of the guard capacity.

The estimate was made by Roger Dingledine, leader of the Tor Project, in a post on the Tor-relays mailing lists.

When the existence of the bug was first made public, the Tor team noted that "Tor relays and bridges could maybe be made to leak their medium-term onion keys or their long-term relay identity keys," and those who operate them were advised to update their OpenSSL package, discard all the files in keys/ in their DataDirectory, and restart Tor to generate new keys.

Some of them did, and others still haven't, and the latter are getting rejected for the time being.

"Switching to a new relay identity key means that the relay is seen as new to the authorities again: they will lose their Guard status and bandwidth measurement," Tor support coordinator and developer Lunar noted on Wednesday. "It seems that a number of operators followed the advice, as the network lost around 1 Gbit/s of advertised capacity between April 7th and April 10th."

"On April 8th, [community member] grarpamp observed that more than 3000 relays had been restarted hopefully to use the fixed version of OpenSSL. It is unknown how many of those relays have switched to a new key since. [Tor developer] Andrea Shepard has been working on a survey to identify them," he shared.

"What is known though are relays that are unfortunately still vulnerable. [Developer and maintainer of Tor Cloud] Sina Rabbani has set up a visible list for guards and exits. To protect Tor users, directory authority operators have started to reject descriptors for vulnerable relays."

Dingledine has attached to his post a list of relay identity fingerprints he is
rejecting on the moria1 main node, and has said he and others should expand the list as they discover other relays that come online with vulnerable OpenSSL versions.









Spotlight

Using Hollywood to improve your security program

Posted on 29 July 2014.  |  Tripwire CTO Dwayne Melancon spends a lot of time on airplanes, and ends up watching a lot of movies. Some of his favorite movies are adventures, spy stuff, and cunning heist movies. A lot of these movies provide great lessons that we can apply to information security.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //