[tor-relays] Long-term effect of Heartbleed on Tor

grarpamp grarpamp at gmail.com
Wed Apr 9 21:29:53 UTC 2014

> TvdW
> * Should we consider every key that was created before Tuesday

You'd need to also know the key was created by vulnerable
openssl 1.0.1 versions, didn't already disable heartbeat, etc.
That data isn't announced in the consensus. And those that
weren't vulnerable may be happy continuing with their uptime/key.

On Wed, Apr 9, 2014 at 2:51 PM, Paul Pearce <pearce at cs.berkeley.edu> wrote:
> I'd be interested in hearing people's thoughts on how to do such
> scanning ethically (and perhaps legally).

That's an interesting dual-ish question, given we don't own them,
often have no real contact means, and yet they're part of us in
some voluntary fashion. I don't have any good suggestion on that
other than collecting private data, as opposed to statistical surveys,
is a problem area.

If we knew which were subject to the bug, the long term goal
should be to blacklist their fingerprints. Most uncontactable
operaters will get the clue after a few rounds of that and/or
visiting tpo for new releases due to consensus version deprecation.

If you browse onions you may find some anonymous researchers who
conduct their activities via exits, publish their results on onions, and
announce them in various fora. I've not yet seen anyone cataloging this
bug as it relates to Tor in that manner.

More information about the tor-relays mailing list