[tor-relays] Long-term effect of Heartbleed on Tor

Nils Kunze kunze.nils at gmail.com
Wed Apr 9 19:11:45 UTC 2014

2014-04-09 20:51 GMT+02:00 Paul Pearce <pearce at cs.berkeley.edu>:

> > * Should authorities scan for bad OpenSSL versions and force their weight
> > down to 20?
> I'd be interested in hearing people's thoughts on how to do such
> scanning ethically (and perhaps legally). I was under the impression
> the only way to do this right now is to actually trigger the bounds
> bug and export some quantity (at least 1 byte) of memory from the
> vulnerable machine.

Considering the consequences of having (a lot of) vulnerable machines in
the network, wouldn't it be unethical NOT to do such kind of testing? I
mean, basically every vulnerable relay endangers its users by making it
possible to decrypt their communications. I strongly feel that the benefits
(securing the network) outweigh the costs (exploiting the vulnerable
machines and reading 1 byte of memory, but discarding them). Especially
seeing that anybody would be able to perform the exploit, I don't see moral
problems in such an aproach.

How this works out legally I of course have no idea.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20140409/2c5cefa3/attachment.html>

More information about the tor-relays mailing list