[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor security advisory: Debian flaw causes weak identity keys

On Tue, May 13, 2008 at 11:55:35AM -0400, Roger Dingledine wrote:
>   A local attacker or malicious directory cache may be able to trick
>   a client running 0.2.0.x into believing a false directory consensus, thus
>   (e.g.) causing the client to create a path wholly owned by the attacker.
>   Further, relay identity keys or hidden service secret keys that were
>   generated on most versions of Debian, Ubuntu, or other Debian-derived OS
>   are also weak (regardless of your Tor version):
>     http://lists.debian.org/debian-security-announce/2008/msg00152.html

Hi folks,

I wrote a few more details about the potential impact here:


(It glosses over a few tricky and more esoteric attacks that might
become possible, but I think it captures the main ones. I'll update
it tonight (in ~8 hours) if any more come to mind.)