[tor-relays] NSA knew about Heartbleed

Mateusz Błaszczyk blahu77 at gmail.com
Sun Apr 13 19:08:42 UTC 2014


On 13 Apr 2014, at 19:45, Scott Bennett wrote:

> Mateusz Błaszczyk <blahu77 at gmail.com> wrote:
> 
>> 
>> I am wondering whether another effect of Heartbleed was increased TLS overhead, which I also saw many times before April 7.
>> Unfortunately I do not store more than 7 files' worth of logs:
>> 
>> Apr  1 02:50:23 localhost Tor[394]: TLS write overhead: 7%
>> Apr  1 08:51:35 localhost Tor[394]: TLS write overhead: 7%
>> Apr  1 14:52:45 localhost Tor[394]: TLS write overhead: 7%
>> Apr  1 20:53:52 localhost Tor[394]: TLS write overhead: 7%
>> Apr  2 02:55:02 localhost Tor[394]: TLS write overhead: 7%
>> Apr  2 08:56:08 localhost Tor[394]: TLS write overhead: 7%
>> Apr  2 14:57:20 localhost Tor[394]: TLS write overhead: 7%
>> Apr  2 20:58:28 localhost Tor[394]: TLS write overhead: 7%
>> Apr  3 02:59:37 localhost Tor[394]: TLS write overhead: 7%
>> Apr  3 09:00:44 localhost Tor[394]: TLS write overhead: 7%
>> Apr  3 15:01:53 localhost Tor[394]: TLS write overhead: 7%
>> Apr  3 21:03:04 localhost Tor[394]: TLS write overhead: 7%
>> Apr  4 03:04:12 localhost Tor[394]: TLS write overhead: 7%
>> Apr  4 09:05:22 localhost Tor[394]: TLS write overhead: 7%
>> Apr  4 15:06:30 localhost Tor[394]: TLS write overhead: 7%
>> Apr  4 21:07:39 localhost Tor[394]: TLS write overhead: 7%
>> Apr  5 03:08:49 localhost Tor[394]: TLS write overhead: 7%
>> Apr  5 09:09:58 localhost Tor[394]: TLS write overhead: 7%
>> Apr  5 15:11:06 localhost Tor[394]: TLS write overhead: 7%
>> Apr  5 21:12:16 localhost Tor[394]: TLS write overhead: 7%
>> Apr  6 03:13:24 localhost Tor[394]: TLS write overhead: 7%
>> Apr  6 09:14:33 localhost Tor[394]: TLS write overhead: 7%
>> Apr  6 15:15:42 localhost Tor[394]: TLS write overhead: 7%
>> Apr  6 21:16:52 localhost Tor[394]: TLS write overhead: 7%
>> Apr  7 23:43:41 localhost Tor[523]: TLS write overhead: 6%
>> Apr  8 05:43:41 localhost Tor[523]: TLS write overhead: 6%
>> Apr  8 11:43:41 localhost Tor[523]: TLS write overhead: 6%
>> Apr  8 23:06:23 localhost Tor[58851]: TLS write overhead: 41%
>> Apr  9 05:06:23 localhost Tor[58851]: TLS write overhead: 37%
>> Apr  9 11:06:23 localhost Tor[58851]: TLS write overhead: 29%
>> Apr  9 17:06:23 localhost Tor[58851]: TLS write overhead: 23%
>> Apr  9 23:06:23 localhost Tor[58851]: TLS write overhead: 19%
>> Apr 10 05:06:23 localhost Tor[58851]: TLS write overhead: 18%
>> Apr 10 11:06:23 localhost Tor[58851]: TLS write overhead: 14%
>> Apr 10 17:06:23 localhost Tor[58851]: TLS write overhead: 8%
>> Apr 11 02:00:13 localhost Tor[65758]: TLS write overhead: 6%
>> Apr 11 08:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> Apr 11 14:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> Apr 11 20:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> Apr 12 02:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> Apr 12 08:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> Apr 12 14:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> Apr 12 20:00:13 localhost Tor[65758]: TLS write overhead: 5%
>> 
>> Especially as it looks to be highly increased after the release of the vulnerability.
> 
>     How can you tell that?  tor did not log those messages back in 2012 when
> the vulnerability was released.

These are from April 2014. I have been running this relay since Jan 2014 and these messages were definitively logged.
Obviously I can't tell if I am right; I am guessing, sharing my thoughts.

> 
>> I am not sure I am on the right track but it does look suspicious.
>> 
>     What would interest me would be to know whether the period of increased
> TLS write overhead highlighted above involved hidden services directory
> connections.
> 

I wouldn't be able to tell, don't have logs for that.


-mateusz
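
An added example, not part of the original message: a small parser for the heartbeat lines quoted above that reports stretches where the TLS write overhead sits above the median of all readings, split per Tor PID since a new PID marks a process restart. The function names and the 5-point margin are assumptions chosen for illustration.

```python
import re
from itertools import groupby
from statistics import median

# Subset of the heartbeat lines quoted in the message above.
SAMPLE = """\
Apr  6 21:16:52 localhost Tor[394]: TLS write overhead: 7%
Apr  7 23:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr  8 11:43:41 localhost Tor[523]: TLS write overhead: 6%
Apr  8 23:06:23 localhost Tor[58851]: TLS write overhead: 41%
Apr  9 11:06:23 localhost Tor[58851]: TLS write overhead: 29%
Apr  9 23:06:23 localhost Tor[58851]: TLS write overhead: 19%
Apr 10 17:06:23 localhost Tor[58851]: TLS write overhead: 8%
Apr 11 02:00:13 localhost Tor[65758]: TLS write overhead: 6%
Apr 12 20:00:13 localhost Tor[65758]: TLS write overhead: 5%
"""

# Optional ">" quote markers, syslog timestamp, host, Tor[pid], percentage.
LINE_RE = re.compile(
    r"^[>\s]*(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ Tor\[(\d+)\]: "
    r"TLS write overhead: (\d+)%\s*$"
)

def parse(text):
    """Return (timestamp, pid, percent) for every overhead heartbeat line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse day padding
            out.append((stamp, int(m.group(2)), int(m.group(3))))
    return out

def elevated_runs(samples, margin=5):
    """Runs of consecutive readings above median + margin, one per PID."""
    if not samples:
        return []
    baseline = median(p for _, _, p in samples)
    key = lambda s: (s[1], s[2] > baseline + margin)  # margin: assumed value
    runs = []
    for (pid, high), grp in groupby(samples, key=key):
        grp = list(grp)
        if high:
            runs.append({"pid": pid, "start": grp[0][0], "end": grp[-1][0],
                         "peak": max(p for _, _, p in grp)})
    return runs

if __name__ == "__main__":
    for run in elevated_runs(parse(SAMPLE)):
        print(run)
```
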