[tor-relays] Long-term effect of Heartbleed on Tor

Nils Kunze kunze.nils at gmail.com
Wed Apr 9 19:11:45 UTC 2014


2014-04-09 20:51 GMT+02:00 Paul Pearce <pearce at cs.berkeley.edu>:

> > * Should authorities scan for bad OpenSSL versions and force their weight
> > down to 20?
>
> I'd be interested in hearing people's thoughts on how to do such
> scanning ethically (and perhaps legally). I was under the impression
> the only way to do this right now is to actually trigger the bounds
> bug and export some quantity (at least 1 byte) of memory from the
> vulnerable machine.
>

Considering the consequences of having (a lot of) vulnerable machines in
the network, wouldn't it be unethical NOT to do such testing? I
mean, basically every vulnerable relay endangers its users by making it
possible to decrypt their communications. I strongly feel that the benefits
(securing the network) outweigh the costs (exploiting the vulnerable
machines and reading 1 byte of memory, but discarding them). Especially
seeing that anybody would be able to perform the exploit, I don't see moral
problems in such an approach.

How this works out legally I of course have no idea.
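The thread's alternative to triggering the bug is the one the first quoted line raises: checking OpenSSL versions. As an added example (not code from this thread or from the Tor project), here is a small defender-side check a relay operator can run locally: it parses the output of `openssl version` and reports whether the release letter falls in the Heartbleed-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the first fixed 1.0.1 release). The function names and the sample version strings are my own; the one caveat worth knowing is that distributions often backport the fix without bumping the version letter, so a version-string check can report a patched relay as affected and must be confirmed against the package changelog.

```python
import re
import shutil
import subprocess

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the
# 1.0.2-beta1 pre-release. Anything outside these is not affected by this bug.
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta1)?")


def openssl_version_affected(version_string):
    """Return True if an `openssl version` string names a Heartbleed-affected release.

    Only the version string is examined; a distribution that backported the fix
    without changing the letter (common in April 2014) will still be reported
    as affected here, so treat True as "check the package changelog", not proof.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_string)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)

    if (major, minor, patch) == (1, 0, 2):
        # 1.0.2-beta1 shipped the vulnerable heartbeat code; 1.0.2-beta2 onward did not.
        return beta == "-beta1"
    if (major, minor, patch) != (1, 0, 1):
        return False
    # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; "" sorts before "g"
    # in a string comparison, which is exactly the ordering we want.
    return letter < FIRST_FIXED_LETTER


def local_openssl_affected():
    """Run the local `openssl version` binary and classify it; None if not installed.

    Hypothetical helper for an operator checking their own relay host.
    """
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True,
                         check=True).stdout
    return openssl_version_affected(out)


if __name__ == "__main__":
    # Constructed sample strings in the exact format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014",
                   "OpenSSL 1.0.0k 5 Feb 2013"):
        print("%-34s affected=%s" % (sample, openssl_version_affected(sample)))
    print("this host:", local_openssl_affected())
```

Run it on the relay host itself; for a fleet, the same function can be fed the version strings collected by whatever inventory tooling already reports installed packages, which is the scanning-free route the thread is asking about.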

