[tor-relays] [tor-talk] Tor 0.2.4.13-alpha is out
Roman Mamedov
rm at romanrm.ru
Sun Jun 16 22:49:35 UTC 2013
On Sun, 16 Jun 2013 15:18:47 -0700
Mike Perry <mikeperry at torproject.org> wrote:
> Roger Dingledine:
> > Tor 0.2.4.13-alpha fixes a variety of potential remote crash
> > vulnerabilities, makes socks5 username/password circuit isolation
> > actually actually work (this time for sure!), and cleans up a bunch
> > of other issues in preparation for a release candidate.
> >
> > https://www.torproject.org/dist/
>
> As a heads up, a bug was introduced in this release that allows
> malicious websites to discover a client's Guard nodes in a very short
> amount of time (on the order an hour), if those Guard nodes upgrade to
> this release.
So a random clearnet end-destination website can trace the client all the way
through Tor network and discover information not about its exit, not about the
middle, but even about the entry node? And nodeS, i.e. all of them?*
Wow; can you explain in more detail how that works?
* (then a Three Letter Agency (TLA) can obtain lists of connecting clients
from all three Guards, and pretty much "triangulate" the actual source IP of
that user either to a bulls-eye hit or a very short list of IPs simultaneously
on all three.)
> Unfortunately, the bug was introduced by fixing another issue that
> allows Guard nodes to be selectively DoSed with an OOM condition, so
> Guard node (and Guard+Exit node) operators are kind of in a jam.
One more reason to abandon the Guard system altogether.
--
With respect,
Roman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20130617/064dc575/attachment.pgp>
More information about the tor-relays
mailing list