On 13 Apr 2014, at 19:45, Scott Bennett wrote:
Mateusz Błaszczyk blahu77@gmail.com wrote:
I am wondering whether another effect of Heartbleed was increased TLS overhead, which I also saw many times before April 7. Unfortunately I do not store more than 7 files' worth of logs:
Apr 1 02:50:23 localhost Tor[394]: TLS write overhead: 7%
Apr 1 08:51:35 localhost Tor[394]: TLS write overhead: 7%
Apr 1 14:52:45 localhost Tor[394]: TLS write overhead: 7%
Apr 1 20:53:52 localhost Tor[394]: TLS write overhead: 7%
Apr 2 02:55:02 localhost Tor[394]: TLS write overhead: 7%
Apr 2 08:56:08 localhost Tor[394]: TLS write overhead: 7%
Apr 2 14:57:20 localhost Tor[394]: TLS write overhead: 7%
Apr 2 20:58:28 localhost Tor[394]: TLS write overhead: 7%
Apr 3 02:59:37 localhost Tor[394]: TLS write overhead: 7%
Apr 3 09:00:44 localhost Tor[394]: TLS write overhead: 7%
Apr 3 15:01:53 localhost Tor[394]: TLS write overhead: 7%
Apr 3 21:03:04 localhost Tor[394]: TLS write overhead: 7%
Apr 4 03:04:12 localhost Tor[394]: TLS write overhead: 7%
Apr 4 09:05:22 localhost Tor[394]: TLS write overhead: 7%
Apr 4 15:06:30 localhost Tor[394]: TLS write overhead: 7%
Apr 4 21:07:39 localhost Tor[394]: TLS write overhead: 7%
Apr 5 03:08:49 localhost Tor[394]: TLS write overhead: 7%
Apr 5 09:09:58 localhost Tor[394]: TLS write overhead: 7%
Apr 5 15:11:06 localhost Tor[394]: TLS write overhead: 7%
Apr 5 21:12:16 localhost Tor[394]: TLS write overhead: 7%
Apr 6 03:13:24 localhost Tor[394]: TLS write overhead: 7%
Apr 6 09:14:33 localhost Tor[394]: TLS write overhead: 7%
Apr 6 15:15:42 localhost Tor[394]: TLS write overhead: 7%
Apr 6 21:16:52 localhost Tor[394]: TLS write overhead: 7%
Apr 7 23:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr 8 05:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr 8 11:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr 8 23:06:23 localhost Tor[58851]: TLS write overhead: 41%
Apr 9 05:06:23 localhost Tor[58851]: TLS write overhead: 37%
Apr 9 11:06:23 localhost Tor[58851]: TLS write overhead: 29%
Apr 9 17:06:23 localhost Tor[58851]: TLS write overhead: 23%
Apr 9 23:06:23 localhost Tor[58851]: TLS write overhead: 19%
Apr 10 05:06:23 localhost Tor[58851]: TLS write overhead: 18%
Apr 10 11:06:23 localhost Tor[58851]: TLS write overhead: 14%
Apr 10 17:06:23 localhost Tor[58851]: TLS write overhead: 8%
Apr 11 02:00:13 localhost Tor[65758]: TLS write overhead: 6%
Apr 11 08:00:13 localhost Tor[65758]: TLS write overhead: 5%
Apr 11 14:00:13 localhost Tor[65758]: TLS write overhead: 5%
Apr 11 20:00:13 localhost Tor[65758]: TLS write overhead: 5%
Apr 12 02:00:13 localhost Tor[65758]: TLS write overhead: 5%
Apr 12 08:00:13 localhost Tor[65758]: TLS write overhead: 5%
Apr 12 14:00:13 localhost Tor[65758]: TLS write overhead: 5%
Apr 12 20:00:13 localhost Tor[65758]: TLS write overhead: 5%
Especially as it looks to be highly increased after the release of the vulnerability.
How can you tell that? tor did not log those messages back in 2012 when
the vulnerability was released.
These are from April 2014. I have been running this relay since Jan 2014 and these messages were definitely logged. Obviously I can't tell if I am right; I am guessing, sharing my thoughts.
I am not sure I am on the right track but it does look suspicious.
What would interest me would be to know whether the period of increased
TLS write overhead highlighted above involved hidden services directory connections.
I wouldn't be able to tell; I don't have logs for that.
-mateusz
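
An added example (not part of the original thread): a small Python parser for the heartbeat lines quoted above that groups readings by Tor PID, so each process lifetime can be compared on its own. The function names and the 10% threshold are assumptions; the sample lines are a subset of the log in the message.

```python
import re
from itertools import groupby

# Matches the syslog-style heartbeat lines quoted in the message above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ Tor\[(?P<pid>\d+)\]: "
    r"TLS write overhead: (?P<pct>\d+)%$"
)

def parse(lines):
    """Yield (timestamp, pid, percent) for each heartbeat line; skip others."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], int(m["pid"]), int(m["pct"])

def summarize(lines, threshold=10):
    """Group consecutive readings by PID (one group per process lifetime) and
    report first/peak/last overhead plus readings above `threshold` (assumed)."""
    out = []
    for pid, grp in groupby(parse(lines), key=lambda r: r[1]):
        rows = list(grp)
        pcts = [p for _, _, p in rows]
        out.append({
            "pid": pid, "start": rows[0][0], "readings": len(rows),
            "first": pcts[0], "peak": max(pcts), "last": pcts[-1],
            "above": [ts for ts, _, p in rows if p > threshold],
        })
    return out

# Subset of the log lines from the message, embedded so this runs offline.
SAMPLE = """\
Apr 6 21:16:52 localhost Tor[394]: TLS write overhead: 7%
Apr 7 23:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr 8 11:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr 8 23:06:23 localhost Tor[58851]: TLS write overhead: 41%
Apr 9 11:06:23 localhost Tor[58851]: TLS write overhead: 29%
Apr 10 11:06:23 localhost Tor[58851]: TLS write overhead: 14%
Apr 10 17:06:23 localhost Tor[58851]: TLS write overhead: 8%
Apr 11 02:00:13 localhost Tor[65758]: TLS write overhead: 6%
""".splitlines()

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["pid"], s["start"], s["first"], s["peak"], s["last"], s["above"])
```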