[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-relays] Bridges included in Tor Browser -- should they regen keys because of Heartbleed?
I wondered whether operators of bridges that are included in the browser
bundle should generate new identity keys after upgrading their OpenSSL.
The argument for generating new keys is that old keys may have been
compromised by Heartbleed. The argument against is that a new
fingerprint will prevent existing browser bundle users from using the
default bridges, because the fingerprint is built into the browser:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/Bundle-Data/PTConfigs/bridge_prefs.js
What I heard from some developers is that it would be good to set up new
bridges with new keys (could be on the same IP address), and give the
new information to the browser devs so they can put it in the bundles.
Leave the old ones running for a while until usage drops off.
A question is how to actually do this, running two copies of tor on the
same IP. Offhand I would say that using a separate DataDirectory
will be enough, but I don't know for sure.
David Fifield
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays