[tor-talk] IMPORTANT: Heartbleed vulnerability impact on Hidden Service experiment
After seeing the challenge done by CloudFlare, to set up a server open
to the internet with that vulnerable OpenSSL version so everyone could
try and get its private keys (to see if it's actually possible), after
speaking earlier with people in the #tor IRC channel, we think it's a good
way to find out for sure if the Hidden Services could have been
compromised or not. And if yes, make a more serious and visible banner
to notify them. Because so far nobody has changed the Hidden Service
address, from all the Hidden Services I am using.
I don't want them to be exposed to risks and when something happens,
yet another thing which will be blamed on Tor.
So, to developers and special reference to arma, proposition:
-- Can we set up a Tor circuit, separate from the Tor network, or
within it if it's better this way (if we can choose all the relays in
a circuit via torrc), a circuit in which all the relays are running
the vulnerable version of OpenSSL with heartbeats enabled?
I have a server and offer it to be the Hidden Service and everyone can
test and exploit the heartbleed vulnerability and prove if they
managed to get the private key.
If you think the experiment is worth it email me directly and let me
know what I have to do. I am sure many others will join.