Re: [tor-talk] Heartbleed and TOR



On 4/10/2014 3:44 PM, Christopher J. Walters wrote:
"Since I am neither an expert on OpenSSL nor TOR, let's get one question out of
the way before anything further is said on the topic:  Does TOR actually use
potentially vulnerable versions of OpenSSL (or use it at all, for that matter)?"

Should Tor / TorBrowser be patched for heartbleed bug?
Apparently so:
https://blog.torproject.org/blog/
"Tor Browser users should upgrade as soon as possible to the new 3.5.4 release <https://blog.torproject.org/blog/tor-browser-354-released>, which includes OpenSSL 1.0.1g, fixing the vulnerability. "The browser itself does not use OpenSSL...however, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process", wrote Mike Perry."

"From what I have read, the bug is a server side bug, and does not pose much
risk to regular users..."

...may *BE* compromised (future tense).  Isn't that enough of a risk?
Too much more risk & they might have to shut down the internet?

I don't quite get comments from some.  Even if it came to light that everyone but the NSA knew about this bug for yrs, does that negate the need to patch it now?

I once almost stepped on a Water Moccasin.  Because he didn't move or bite me, was there any need to jump back about six feet? (Seemed like it)

