<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Apr 9, 2014 at 3:49 AM, Kostas Jakeliunas <span dir="ltr"><<a href="mailto:kostas@jakeliunas.com" target="_blank">kostas@jakeliunas.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Making a separate thread so as not to pollute the challenger[1] one.<div>

<br></div><div>Roger: you wanted to know (times are UTC if anyone cares),</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">


[22:08:35] [...] we now have a list of 1000 fingerprints, and we could pretend those are in the challenge and use our graphing/etc plans on them<br>[22:08:45] they happen to be the relays vulnerable to our openssl bug<br>


[22:11:43] "what fraction of the tor network by consensus weight are they?"<br>[22:11:49] "over time"</blockquote><div><br></div><div>Given them[2], the challenger (with minimal changes to fix downloader and to make Onionoo not falter)[4] will spit out the following results:</div>


<div><br></div><div>  - <a href="http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-bandwidth.json" target="_blank">http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-bandwidth.json</a></div><div>

  - <a href="http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-weights.json" target="_blank">http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-weights.json</a></div>
<div>  - <a href="http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-clients.json" target="_blank">http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-clients.json</a> [uh oh, this one's empty. Why is it empty? Didn't look into it.]</div>


<div>  - <a href="http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-uptime.json" target="_blank">http://ravinesmp.com/volatile/challenger-stuff/vuln1024-combined-uptime.json</a> </div><div><br></div><div>The 'combined-weights.json' is probably the one you might be after. But that's all I did for now.</div>


<div><br></div><div>You also said that these aren't all the vulnerable relays that there are out there. You linked to a more complete list[3], but it has some typos, etc. I haven't done anything with it, maybe someone will take over, or I will do something later on.</div>

</div></blockquote><div><br></div><div>fwiw, this is a beyond-hacky-could-fail quick thing[5] that gives you fingerprints of relays that were vulnerable in a recent vulnerable-relay-file[6] (ideally it would pull those vulnerable relays from some online source) that are in any consensus provided (default is latest consensus available in Tor Metrics):</div>

<div><br></div><div><a href="http://ravinesmp.com:7777/">http://ravinesmp.com:7777/</a><br></div><div><br></div><div>Provide consensus using "/consensus/%Y-%m-%d %H:%M:%S" (standard UTC date format).</div><div>
<br>
</div><div>Consensuses are available since ~2008. So e.g. current vulnerable relay fingerprint list intersected with an older consensus when there were heartbleeding openssl versions:</div><div><br></div><a href="http://ravinesmp.com:7777/consensus/2012-10-20%2016:00:00">http://ravinesmp.com:7777/consensus/2012-10-20%2016:00:00</a> ("<a href="http://ravinesmp.com:7777/consensus/2012-10-20">http://ravinesmp.com:7777/consensus/2012-10-20</a> 16:00:00")</div>

<div class="gmail_quote"><br></div><div class="gmail_quote">There's also a nice concise Nick's script to get the % of network bandwidth of any given list of relay fingerprints (bandwidth is the one in the consensus, so parts of it will be self-reported and parts of it will be measured)[7].</div>

<div class="gmail_quote"><br></div><div class="gmail_quote">[5]: <a href="https://gist.github.com/wfn/11070928">https://gist.github.com/wfn/11070928</a></div><div class="gmail_quote">[6]: <a href="http://freehaven.net/~arma/vulnerable-keys-2014-04-08b">http://freehaven.net/~arma/vulnerable-keys-2014-04-08b</a></div>

<div class="gmail_quote">[7]: <a href="https://gist.github.com/nmathewson/10309480">https://gist.github.com/nmathewson/10309480</a></div><div class="gmail_quote"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

[1]: <a href="https://lists.torproject.org/pipermail/tor-relays/2014-April/004214.html">https://lists.torproject.org/pipermail/tor-relays/2014-April/004214.html</a><br>[2]: <a href="http://ravinesmp.com/volatile/challenger-stuff/vuln_fingerprints.txt">http://ravinesmp.com/volatile/challenger-stuff/vuln_fingerprints.txt</a><br>

[3]: <a href="http://freehaven.net/~arma/vulnerable-keys-2014-04-08b">http://freehaven.net/~arma/vulnerable-keys-2014-04-08b</a><br>[4]: commits:<br>  -<a href="https://github.com/wfn/challenger/commit/38d88bcb1136f97881f81152d3d883c4e9480188">https://github.com/wfn/challenger/commit/38d88bcb1136f97881f81152d3d883c4e9480188</a><br>

  -<a href="https://github.com/wfn/challenger/commit/39c800643c040474402fc62d2a2db75c25889dfc">https://github.com/wfn/challenger/commit/39c800643c040474402fc62d2a2db75c25889dfc</a><br>  -<a href="https://github.com/wfn/challenger/commit/7425ef6fc00dedf3b2b7f2649e832fb4c93909ae">https://github.com/wfn/challenger/commit/7425ef6fc00dedf3b2b7f2649e832fb4c93909ae</a></blockquote>

</div></div>