[tor-relays] Rejecting 380 vulnerable guard/exit keys

Sebastian Urbach sebastian at urbach.org
Wed Apr 16 15:42:03 UTC 2014


Hi Roger,

That sounds good to me and from what i see there should be at least enough 
guard capacity to go through with it. Exit's are a whole other matter but 
honestly if those 12% still running around with the bleedingheart than kick 
'em.


Hi folks,

I'm attaching the list of relay identity fingerprints that I'm
rejecting on moria1 as of yesterday.

I got the list from Sina's scanner:
https://encrypted.redteam.net/bleeding_edges/

I thought for a while about taking away their Valid flag rather
than rejecting them outright, but this way they'll get notices
in their logs.

I also thought for a while about trying to keep my list of fingerprints
up-to-date (i.e. removing the !reject line once they've upgraded their
openssl), but on the other hand, if they were still vulnerable as of
yesterday, I really don't want this identity key on the Tor network even
after they've upgraded their openssl.

If the other directory authority operators follow suit, we'll lose about
12% of the exit capacity and 12% of the guard capacity.

I/we should add to this list as we discover other relays that come
online with vulnerable openssl versions.

Also these are just the relays with Guard and/or Exit flags, so we should
add the other 1000+ at some point soon.

--Roger






More information about the tor-relays mailing list