Re: [tor-talk] Tor is out

On 13-06-16 06:49 PM, Roman Mamedov wrote:
> On Sun, 16 Jun 2013 15:18:47 -0700
> Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>> Roger Dingledine:
>>> Tor fixes a variety of potential remote crash
>>> vulnerabilities, makes socks5 username/password circuit isolation
>>> actually actually work (this time for sure!), and cleans up a bunch
>>> of other issues in preparation for a release candidate.
>>> https://www.torproject.org/dist/
>> As a heads up, a bug was introduced in this release that allows
>> malicious websites to discover a client's Guard nodes in a very short
>> amount of time (on the order of an hour), if those Guard nodes upgrade to
>> this release.
> So a random clearnet end-destination website can trace the client all the way
> through the Tor network and discover information not about its exit, not about the
> middle, but even about the entry node? And nodeS, i.e. all of them?*
> Wow; can you explain in more detail how that works?
> * (then a Three Letter Agency (TLA) can obtain lists of connecting clients
> from all three Guards, and pretty much "triangulate" the actual source IP of
> that user either to a bulls-eye hit or a very short list of IPs simultaneously
> on all three.)
>> Unfortunately, the bug was introduced by fixing another issue that
>> allows Guard nodes to be selectively DoSed with an OOM condition, so
>> Guard node (and Guard+Exit node) operators are kind of in a jam.
> One more reason to abandon the Guard system altogether.

What if relays revert to the "stable" 0.2.3.latest for now?


tor-talk mailing list