[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Heartbleed and TOR

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Heartbleed and TOR
From: "Christopher J. Walters" <cwal989@xxxxxxxxxxx>
Date: Thu, 10 Apr 2014 16:44:51 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 10 Apr 2014 16:57:04 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1397162688; bh=VZbrk1JLtJ630TWtMKCVaI0BIvzEhz0cipgoqV2flDI=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=K2crTVUAvFiiE6UJ15dytlQ2PkRTZy10kp0TTNR+JQ874VhqfyckJgg4MhcGS0DSH 25VgVRCmKG9aO5El95ZCgBuKY1gtgH1cBOqCRbaQUjaCB3LOeCtF1JRNE1vVVYBchA Bdg+ZBsh+yCsOsX5enbPLDl/HcuRH8DukhHXgkytPBau2oYy9O0rYzBOCT4AVAk0cc XFB4uh9pRq01IHSogFZnNOd+nuUOH3ynyvXfB5JQXlb09mLHMGdrS7ly/US5K6CRJu DQ47QuuUyGc1xC4IjXHTs6xDoQeiD48wVzZUcS31ioPHi+MtF3ZGHJ8VkSZVMXCqDS i5kLjQdPdvtuA==
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Organization: What is that?
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666

Since I am neither an expert on OpenSSL nor TOR, let's get one question out ofthe way before anything further is said on the topic: Does TOR actually usepotentially vulnerable versions of OpenSSL (or use it at all, for that matter)?

If so, then it *could* pose a risk to TOR (until and unless the version ofOpenSSL that TOR uses is patched). If NOT, then this bug does not affect TOR.

In any event, the BEST places to get information on OpenSSL and the Heartbleedbug are the official Heartbleed web site, and the OpenSSL mailing lists.

From what I have read, the bug is a server side bug, and does not pose muchrisk to regular users (aside from the risk that your user names, passwords andother information in the RAM of servers that you have used in the past 2 yearsor so *MAY* have been compromised - though there are many other ways yourinformation could be compromised).

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Heartbleed and TOR
  - From: Joe Btfsplk

Prev by Author: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Next by Author: Re: [tor-talk] Heartbleed and TOR
Previous by thread: Re: [tor-talk] Tor hidden services not working
Next by thread: Re: [tor-talk] Heartbleed and TOR
Index(es):
- Author
- Thread