
Re: [tor-relays] Long-term effect of Heartbleed on Tor



> TvdW
> * Should we consider every key that was created before Tuesday

You'd need to also know the key was created by vulnerable
openssl 1.0.1 versions, didn't already disable heartbeat, etc.
That data isn't announced in the consensus. And those that
weren't vulnerable may be happy continuing with their uptime/key.

On Wed, Apr 9, 2014 at 2:51 PM, Paul Pearce <pearce@xxxxxxxxxxxxxxx> wrote:
> I'd be interested in hearing people's thoughts on how to do such
> scanning ethically (and perhaps legally).

That's an interesting dual-ish question, given we don't own them,
often have no real contact means, and yet they're part of us in
some voluntary fashion. I don't have any good suggestion on that
other than collecting private data, as opposed to statistical surveys,
is a problem area.

If we knew which were subject to the bug, the long term goal
should be to blacklist their fingerprints. Most uncontactable
operators will get the clue after a few rounds of that and/or
visiting tpo for new releases due to consensus version deprecation.

If you browse onions you may find some anonymous researchers who
conduct their activities via exits, publish their results on onions, and
announce them in various fora. I've not yet seen anyone cataloging this
bug as it relates to Tor in that manner.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays