Hi All,
Below is an email we sent last week to almost all of the bridge operators who provided contact information for their bridge(s). For those operators we missed and for those we couldn't contact, this hopefully provides some useful information.
All the best, Matt
-----------------------------------------------------------------------
Hi Tor Bridge Relay Operator!
Unfortunately this email must begin with bad news, but it gets better.
Due to the recent Heartbleed OpenSSL vulnerability that was disclosed earlier this week, we are reaching out to you to ask that you install an updated version of OpenSSL. The vulnerability has the potential to decrease the security of your bridge as well as the anonymity of any user connecting to your bridge. As a result of this, we also ask that you generate a new identity key due to the possibility that your current one was leaked.
The process to upgrade your version of OpenSSL depends greatly on your operating system. Please ensure you are using a version that was released within the past four days, see the Heartbleed website[0] for more details on the vulnerability and for which versions are affected. Please do this before you regenerate your identity key.
When this is done, you will need to restart Tor. At this point you can ask us to retest your bridge to confirm that it is not vulnerable anymore.
Next, to regenerate your identity key simply stop Tor and delete the current key. This is done by opening Tor's Data directory and removing the contents in the keys/ directory. Tor's Data directory is located at /var/lib/tor, by default. Let us know if you have trouble locating it. When this is complete, start Tor and it will automatically create a new identity for you.
See the recent blog post for many more details: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
Now that the bad news was said, we want to take this opportunity to thank you, from the bottom of our hearts, for volunteering to run a bridge relay. We know we do not say it often, but it is really appreciated! Please let us know if you have any question, concerns, or suggestions, especially related to how we communicate with you and how bridge relay operators can be more involved.
Lastly, if you are not already running the obfsproxy pluggable transport[1] (i.e. obfs3) on your bridge, please follow the Debian instructions[2] (for a Debian-based system) on the website and install it. Your bridge is a great contribution to the Tor network, however as censorship on the internet increases around the world users are forced to use a pluggable transport. Tor does not understand how to communicate with them by default, though. Therefore we are asking that all bridge operators install obfsproxy and help as many users as possible.
In addition, also consider subscribing to the tor-relays mailing list[3], if you are not already; we will be posting instructions on how to maximize the contribution of your bridge on that list every now and then.
[0] http://heartbleed.com [1] https://www.torproject.org/docs/pluggable-transports.html.en [2] https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en#in... [3] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Again, thank you for running a bridge relay and sorry for the bad news.
Let us know if you have any questions or if you have any suggestions.
All the best, Matt The Tor Project