[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I've updated OpenSSL, deleted the keys on my exit per the
recommendations, and restarted the whole box. I got a new fingerprint.
I'll watch to see how long the flags take to come back, but I predict it
will be like a new relay. I wonder how this changes the flow rates
across the Tor network. Perhaps adversary-controlled exits may not be
upgraded so that they can keep their percentage advantages and take
advantage of the disruption. In due time things will come back to normal.

I'd recommend that every relay operator delete their keys as well, just
to be safe. Pure speculation on my part here, but a well-resourced
adversary might have seized the moment and done some attacking, or
perhaps they knew about it beforehand. This is a major vulnerability.
Admins are revoking SSL certificates, and that's for web servers. The
blog post is very helpful for outlining how this exploit affects us, but
let's assume the worst here.

While we're updating, how about we all make sure we are running the
0.2.4 series of Tor, preferably 0.2.4.21. Switch to the Tor Project's
repositories if you haven't already.

Good luck guys.

Jesse V.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQF8BAEBCgBmBQJTRKL/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB
RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yAsk4H/RezKq0rEPbdbk9HG3Wjz0rE
wUWBfGh3J4oultac256USLXHBHdyWnp8sT73ZhHm9H9i+ja/OjGpEwvXFIzIW09j
cLMSZTf3AwTIeA8PO3S3qZsuNUwMC6kz5XhyFeRbuaBjD93Dr29Q4/zehGtPU02j
4CEqFqegjxXWL6WoKt2JyhOaV2meEz5d2GN/F6oguzk3orwX8FWc5jOewvNcRknv
stFaz17JBrzqHUQY1NDx29Dw81dO5H4+sTzM+DRvTSSLKx8R1Zbw5ApevNkoWTFg
ldhv/v/pHR1UnB9gsQ+r61BK3OQIWzAaVXgeZh3PDtkfX7yg1LnrdNZ2+NhUi6w=
=eBTS
-----END PGP SIGNATURE-----

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays