Re: Tor security advisory: Debian flaw causes weak identity keys
On Tue, May 13, 2008 at 11:55:35AM -0400, Roger Dingledine wrote:
> IMPACT:
> A local attacker or malicious directory cache may be able to trick
> a client running 0.2.0.x into believing a false directory consensus, thus
> (e.g.) causing the client to create a path wholly owned by the attacker.
>
> Further, relay identity keys or hidden service secret keys that were
> generated on most versions of Debian, Ubuntu, or other Debian-derived OS
> are also weak (regardless of your Tor version):
> http://lists.debian.org/debian-security-announce/2008/msg00152.html
Hi folks,
I wrote a few more details about the potential impact here:
https://blog.torproject.org/blog/debian-openssl-flaw%3A-what-does-it-mean-tor-clients%3F
(It glosses over a few tricky and more esoteric attacks that might
become possible, but I think it captures the main ones. I'll update
it tonight (in ~8 hours) if any more come to mind.)
--Roger