[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] Rejecting 380 vulnerable guard/exit keys

To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-relays] Rejecting 380 vulnerable guard/exit keys
From: Sebastian Urbach <sebastian@xxxxxxxxxx>
Date: Wed, 16 Apr 2014 17:42:03 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 16 Apr 2014 11:42:24 -0400
In-reply-to: <1456b32f990.27ae.e04ee758f2dadc1889b5b423dda555f9@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <20140416044254.GR6713@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1 AquaMail/1.3.8 (build: 2100414)

Hi Roger,

That sounds good to me and from what i see there should be at least enoughguard capacity to go through with it. Exit's are a whole other matter buthonestly if those 12% still running around with the bleedingheart than kick'em.



Hi folks,

I'm attaching the list of relay identity fingerprints that I'm
rejecting on moria1 as of yesterday.

I got the list from Sina's scanner:
https://encrypted.redteam.net/bleeding_edges/

I thought for a while about taking away their Valid flag rather
than rejecting them outright, but this way they'll get notices
in their logs.

I also thought for a while about trying to keep my list of fingerprints
up-to-date (i.e. removing the !reject line once they've upgraded their
openssl), but on the other hand, if they were still vulnerable as of
yesterday, I really don't want this identity key on the Tor network even
after they've upgraded their openssl.

If the other directory authority operators follow suit, we'll lose about
12% of the exit capacity and 12% of the guard capacity.

I/we should add to this list as we discover other relays that come
online with vulnerable openssl versions.

Also these are just the relays with Guard and/or Exit flags, so we should
add the other 1000+ at some point soon.

--Roger




_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Rejecting 380 vulnerable guard/exit keys
  - From: Roger Dingledine

Prev by Author: [tor-relays] Clarification regardind business as usual
Next by Author: [tor-relays] Fwd: Tracking the bleeding relays
Previous by thread: Re: [tor-relays] Rejecting 380 vulnerable guard/exit keys
Next by thread: [tor-relays] Recommended reject lines for relays affected by Heartbleed
Index(es):
- Author
- Thread