[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor is out

On Sun, 16 Jun 2013 15:18:47 -0700
Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:

> Roger Dingledine:
> > Tor fixes a variety of potential remote crash
> > vulnerabilities, makes socks5 username/password circuit isolation
> > actually actually work (this time for sure!), and cleans up a bunch
> > of other issues in preparation for a release candidate.
> >
> > https://www.torproject.org/dist/
> As a heads up, a bug was introduced in this release that allows
> malicious websites to discover a client's Guard nodes in a very short
> amount of time (on the order an hour), if those Guard nodes upgrade to
> this release.

So a random clearnet end-destination website can trace the client all the way
through Tor network and discover information not about its exit, not about the
middle, but even about the entry node? And nodeS, i.e. all of them?*
Wow; can you explain in more detail how that works?

* (then a Three Letter Agency (TLA) can obtain lists of connecting clients
from all three Guards, and pretty much "triangulate" the actual source IP of
that user either to a bulls-eye hit or a very short list of IPs simultaneously
on all three.)

> Unfortunately, the bug was introduced by fixing another issue that
> allows Guard nodes to be selectively DoSed with an OOM condition, so
> Guard node (and Guard+Exit node) operators are kind of in a jam.

One more reason to abandon the Guard system altogether.

With respect,

Attachment: signature.asc
Description: PGP signature

tor-talk mailing list