https://www.openssl.org/news/vulnerabilities.html#2014-0160 http://heartbleed.com/ Is TBB affected? Is there a plan for an update? --Roger
This is a server-side attack, so clients don't need to make any change, but you should look at the server configuration and see what version of what SSL library you're running. And actually, now that I think of it, look at tor itself and see how it impacts it. Worst case scenario would be people being able to steal tor node identity keys.... -tom On 7 April 2014 16:41, Roger Dingledine <arma@mit.edu> wrote:
https://www.openssl.org/news/vulnerabilities.html#2014-0160 http://heartbleed.com/
Is TBB affected? Is there a plan for an update?
--Roger
_______________________________________________ tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev
On Mon, Apr 07, 2014 at 04:52:05PM -0400, Tom Ritter wrote:
This is a server-side attack, so clients don't need to make any change,
Unless somebody is certain that the bug can't be triggered against Tor clients to have them send arbitrary memory to Tor relays (including, say, past stream history), it seems like we do indeed want new TBBs. I agree that it appears Tor Browser (which is based on libnss) is unaffected. --Roger
On Mon, 07 Apr 2014, Roger Dingledine wrote:
https://www.openssl.org/news/vulnerabilities.html#2014-0160 http://heartbleed.com/
Is TBB affected? Is there a plan for an update?
On friday tbb meeting, Mike was talking about doing a new 3.5.x release in the begining of the week, for a security release of one of the components.
participants (3)
-
Nicolas Vigier -
Roger Dingledine -
Tom Ritter