[tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade

Elrippo elrippo at elrippoisland.net
Tue Apr 8 20:15:46 UTC 2014


Hi community :(

It seems that we have been seriously f##### since 14 MAR 2012, with the release of the openssl 1.0.1 branch, until yesterday!!!

The number of affected services that use these libraries is enormous: ftps, https, imaps, smtp over ssl, xmpp, and so on, and so on.

It makes me feel really sad and angry that all efforts to stay secure, especially over TOR, with encryption were compromised by such a programming mistake that caused this zero-day exploit.

My users and I are virtually crying our hearts out...

Good night, over and out,
elrippo.

On 08. April 2014 06:11:01 CEST, Moritz Bartl <moritz at torservers.net> wrote:
>https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
>
>A new OpenSSL vulnerability on 1.0.1 through 1.0.1f is out today, which
>can be used to reveal memory to a connected client or server.
>
>If you're using an older OpenSSL version, you're safe.
>
>Note that this bug affects way more programs than just Tor — expect
>everybody who runs an https webserver to be scrambling today. If you
>need strong anonymity or privacy on the Internet, you might want to stay
>away from the Internet entirely for the next few days while things
>settle.
>
>Here are our first thoughts on what Tor components are affected:
>
>    Clients: Tor Browser shouldn't be affected, since it uses libnss
>rather than openssl. But Tor clients could possibly be induced to send
>sensitive information like "what sites you visited in this session" to
>your entry guards. If you're using TBB we'll have new bundles out
>shortly; if you're using your operating system's Tor package you should
>get a new OpenSSL package and then be sure to manually restart your Tor.
>
>    Relays and bridges: Tor relays and bridges could maybe be made to
>leak their medium-term onion keys (rotated once a week), or their
>long-term relay identity keys. An attacker who has your relay identity
>key can publish a new relay descriptor indicating that you're at a new
>location (not a particularly useful attack). An attacker who has your
>relay identity key, has your onion key, and can intercept traffic flows
>to your IP address can impersonate your relay (but remember that Tor's
>multi-hop design means that attacking just one relay in the client's
>path is not very useful). In any case, best practice would be to update
>your OpenSSL package, discard all the files in keys/ in your
>DataDirectory, and restart your Tor to generate new keys.
>
>    Hidden services: Tor hidden services might leak their long-term
>hidden service identity keys to their guard relays. Like the last big
>OpenSSL bug, this shouldn't allow an attacker to identify the location
>of the hidden service, but an attacker who knows the hidden service
>identity key can impersonate the hidden service. Best practice would be
>to move to a new hidden-service address at your convenience.
>
>   Directory authorities: In addition to the keys listed in the "relays
>and bridges" section above, Tor directory authorities might leak their
>medium-term authority signing keys. Once you've updated your OpenSSL
>package, you should generate a new signing key. Long-term directory
>authority identity keys are offline so should not be affected (whew).
>More tricky is that clients have your relay identity key hard-coded, so
>please don't rotate that yet. We'll see how this unfolds and try to
>think of a good solution there.
>
>    Tails is still tracking Debian oldstable, so it should not be
>affected by this bug.
>
>   Orbot looks vulnerable; we'll try to publish more details here soon.
>    It looks like most of the webservers in the
>https://www.torproject.org/ rotation need upgrades too, and maybe we'll
>need to throw away our torproject SSL web cert and get a new one —
>hopefully we'll deal with all that soon.
>
>
>
>--
>Moritz Bartl
>https://www.torservers.net/

--
We don't bubble you, we don't spoof you ;)
Keep your data encrypted!
Log you soon,
your Admin
elrippo at elrippoisland.net

Encrypted messages are welcome.
0x84DF1F7E6AE03644
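
A relay operator's check for the advice quoted above, as an added example that is not part of the original message or of Tor's own code: it tests whether an `openssl version` string falls in the 1.0.1 through 1.0.1f range and lists files in keys/ that predate the upgrade. Function names and sample strings are constructed for illustration; distribution packages may backport the fix without changing the version letter, so the result reflects the upstream version only.

```python
import re
import time
from pathlib import Path

# Matches the numeric part and optional patch letter, e.g. "1.0.1e".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) from a string like 'OpenSSL 1.0.1e ...'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def is_affected(text):
    """True when the upstream version is 1.0.1 through 1.0.1f (range from the advisory)."""
    numbers, letter = parse_openssl_version(text)
    if numbers != (1, 0, 1):
        return False  # older branches are outside the range the advisory names
    # "" is plain 1.0.1; single letters a..f are the affected patch releases.
    return len(letter) <= 1 and letter <= "f"


def keys_predating_upgrade(keys_dir, upgraded_at):
    """List files in keys_dir last modified before upgraded_at (epoch seconds).

    After discarding keys/ and restarting Tor, this list should be empty.
    mtime is only a heuristic: it can be changed by copies or restores.
    """
    return sorted(
        p.name
        for p in Path(keys_dir).iterdir()
        if p.is_file() and p.stat().st_mtime < upgraded_at
    )


if __name__ == "__main__":
    # Constructed sample strings in the style of `openssl version` output.
    for sample in ("OpenSSL 0.9.8y", "OpenSSL 1.0.1", "OpenSSL 1.0.1f", "OpenSSL 1.0.1g"):
        print(f"{sample}: {'AFFECTED' if is_affected(sample) else 'not in affected range'}")
    # Assumption: run from the Tor DataDirectory; upgrade time set to one hour ago.
    keys = Path("keys")
    if keys.is_dir():
        print("keys older than upgrade:", keys_predating_upgrade(keys, time.time() - 3600))
```
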
