[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Heartbleed and TOR

On 4/10/2014 3:44 PM, Christopher J. Walters wrote:
"Since I am neither an expert on OpenSSL nor TOR, let's get one question out of
the way before anything further is said on the topic:  Does TOR actually use
potentially vulnerable versions of OpenSSL (or use it at all, for that matter)?"
Should Tor / TorBrowser be patched for heartbleed bug?
Apparently so:
"Tor Browser users should upgrade as soon as possible to the new 3.5.4 release <https://blog.torproject.org/blog/tor-browser-354-released>, which includes OpenSSL 1.0.1g, fixing the vulnerability. "The browser itself does not use OpenSSL...however, this release is still considered an important security update, because it is theoretically possible to extract sensitive information from the Tor client sub-process", wrote Mike Perry."

"From what I have read, the bug is a server side bug, and does not pose much
risk to regular users..."
...may *BE* compromised (future tense).  Isn't that enough of a risk?
Too much more risk & they might have to shut down the internet?

I don't quite get comments from some.  Even if it came to light that everyone but the NSA knew about this bug for yrs, does that negate the need to patch it now?

I once almost stepped on a Water Moccasin.  Because he didn't move or bite me, was there any need to jump back about six feet? (Seemed like it)

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to