[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Heartbleed and TOR



On 4/10/2014 7:37 PM, Joe Btfsplk wrote:
On 4/10/2014 3:44 PM, Christopher J. Walters wrote:
.snip.
Should Tor / TorBrowser be patched for heartbleed bug?
Apparently so:
https://blog.torproject.org/blog/
"Tor Browser users should upgrade as soon as possible to the new 3.5.4 release
<https://blog.torproject.org/blog/tor-browser-354-released>, which includes
OpenSSL 1.0.1g, fixing the vulnerability. "The browser itself does not use
OpenSSL...however, this release is still considered an important security
update, because it is theoretically possible to extract sensitive information
from the Tor client sub-process", wrote Mike Perry."

'and to do so without leaving a trace that said information was extracted and by whom.', he should have added.

"From what I have read, the bug is a server side bug, and does not pose much
risk to regular users..."
...may *BE* compromised (future tense).  Isn't that enough of a risk?
Too much more risk & they might have to shut down the internet?

Yes, it is a significant risk, and as I understand it, there is no way to detect whether or not any given vulnerable server had information stolen by this bug. There are a great many unknowns with this bug, and that makes me uncomfortable. However, shutting down the Internet is a little extreme, don't you think? Kind of like burning down your house because you think someone *MAY* have broken in without you knowledge.

To clarify: Most regular (esp. non-TOR) users are not at *direct* risk from the bug (you'd basically have to be running a server configuration, with the vulnerability, as I understand it). Also, Firefox is immune from *direct* attack since it uses NSS rather than OpenSSL for secure connections. *Indirect* risk is a whole other story - there simply is not enough information, and probably never will be, to assess the scope of that.

I don't quite get comments from some.  Even if it came to light that everyone
but the NSA knew about this bug for yrs, does that negate the need to patch it
now?

It absolutely should be patched now. As far as who knew about it an when, that is another unknown. I'd think it a safe bet that the NSA (and other intelligence agencies, here and abroad) found out about it before the official release of the CVE. As for the baddies (identity thieves, etc.), who can say for certain, besides them (and we know they won't).

What concerns me about the NSA is not so much *when* they knew about it, but that they *do* know about it, given recent revelations about the scope and nature of their surveillance programs.

Chris
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk