are relays susceptible to the latest OpenSSL "freak" attack - tor-relays - lists.torproject.org

newer
Re: [tor-relays] New relay...

are relays susceptible to the latest OpenSSL "freak" attack

older
7 relays gone because of spammers

starlight.2015q1＠binnacle.cx

4 Mar 2015 4 Mar '15

4:26 a.m.

Cipher-downgrade CVE-2015-0204 fixed in OpenSSL 1.0.1k. usual sensational write-up courtesy of El-Reg http://theregister.co.uk/security For operators who don't obsess over "non-critical" OpenSSL releases, is it time to catch up?

Reply

Sign in to reply online Use email software

Show replies by date

Nick Mathewson

4 Mar 4 Mar

1:12 p.m.

New subject: are relays susceptible to the latest OpenSSL "freak" attack

On Wed, Mar 4, 2015 at 5:26 AM, <starlight.2015q1@binnacle.cx> wrote:

Cipher-downgrade CVE-2015-0204 fixed in OpenSSL 1.0.1k.

usual sensational write-up courtesy of El-Reg

http://theregister.co.uk/security

I believe this doesn't affect Tor relays or clients, because we have never supported export ciphers or generated export keys.

For operators who don't obsess over "non-critical" OpenSSL releases, is it time to catch up?

I would suggest that everybody should update their openssl releases as a matter of best practice, IMNSHO. For more information, Matthew Green's writeup is quite informative: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-fact...

Reply

Sign in to reply online Use email software

3730

Age (days ago)

3730

Last active (days ago)

Download

1 comments

2 participants

tags

participants (2)

Nick Mathewson
starlight.2015q1＠binnacle.cx