
[tor-relays] Bridges included in Tor Browser -- should they regen keys because of Heartbleed?



I wondered whether operators of bridges that are included in the browser
bundle should generate new identity keys after upgrading their OpenSSL.
The argument for generating new keys is that old keys may have been
compromised by Heartbleed. The argument against is that a new
fingerprint will prevent existing browser bundle users from using the
default bridges, because the fingerprint is built into the browser:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/Bundle-Data/PTConfigs/bridge_prefs.js

What I heard from some developers is that it would be good to set up new
bridges with new keys (could be on the same IP address), and give the
new information to the browser devs so they can put it in the bundles.
Leave the old ones running for a while until usage drops off.

A question is how to actually do this, running two copies of tor on the
same IP. Offhand I would say that using a separate DataDirectory
will be enough, but I don't know for sure.

David Fifield
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays