On 13-06-16 06:49 PM, Roman Mamedov wrote:
> On Sun, 16 Jun 2013 15:18:47 -0700
> Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>
>> Roger Dingledine:
>>> Tor 0.2.4.13-alpha fixes a variety of potential remote crash
>>> vulnerabilities, makes socks5 username/password circuit isolation
>>> actually actually work (this time for sure!), and cleans up a bunch
>>> of other issues in preparation for a release candidate.
>>>
>>> https://www.torproject.org/dist/
>> As a heads up, a bug was introduced in this release that allows
>> malicious websites to discover a client's Guard nodes in a very short
>> amount of time (on the order of an hour), if those Guard nodes upgrade to
>> this release.
> So a random clearnet end-destination website can trace the client all the way
> through Tor network and discover information not about its exit, not about the
> middle, but even about the entry node? And nodeS, i.e. all of them?*
> Wow; can you explain in more detail how that works?
>
> * (then a Three Letter Agency (TLA) can obtain lists of connecting clients
> from all three Guards, and pretty much "triangulate" the actual source IP of
> that user either to a bulls-eye hit or a very short list of IPs simultaneously
> on all three.)
>
>> Unfortunately, the bug was introduced by fixing another issue that
>> allows Guard nodes to be selectively DoSed with an OOM condition, so
>> Guard node (and Guard+Exit node) operators are kind of in a jam.
> One more reason to abandon the Guard system altogether.
> What if relays revert to the "stable" 0.2.3.latest for now?
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk