[tor-relays] Recommended reject lines for relays affected by Heartbleed

Andrea Shepard andrea at torproject.org
Thu Apr 17 01:24:40 UTC 2014


A list of 1777 proposed reject lines of fingerprints which have
ever turned up as potentially exposed by Heartbleed in my scans
is available at the URL below.  This was generated with the following
query:

(select distinct
  hb.probe_identity_digest as identity_digest
from
  heartbleed_probe_results hb
where
  hb.probe_has_heartbleed and
  hb.probe_tor_checked_identity)
union
(select distinct
  hb.expected_identity_digest as identity_digest
from
  heartbleed_probe_results hb
where
  hb.probe_has_heartbleed and
  not hb.probe_tor_checked_identity)
order by
  identity_digest;

That is, it includes all probe results for which a Tor handshake was
actually completed with the identity digest in question *and* a response
to the Heartbleed probe was seen (1729 digests) or for identity digests we
expected to see for that IP/port pair for which the handshake did not succeed
but a Heartbleed response was seen (additional 48 digests).

The target list is all IP/port pairs which have ever appeared in a consensus
or vote during the time I've been scanning, so some of these may not be
in the current consensus or have ever appeared, or they may no longer be
vulnerable but not have changed keys properly.  There are a bit over 900
vulnerable relays in the latest consensus.

http://charon.persephoneslair.org/~andrea/private/hb-fingerprints-20140417002500.txt

-- 
Andrea Shepard
<andrea at torproject.org>
PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF  DE79 A4FF BC34 F01D D536
PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5
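
The selection logic of the query in the message above, run against a small in-memory table. This is an added example, not part of the original message: the rows and short digests are constructed, the column types are assumed, and the parentheses around the two UNION operands are dropped because SQLite does not accept them.

```python
import sqlite3

# Constructed sample rows (not real relay data):
# (expected_identity_digest, probe_identity_digest, has_heartbleed, tor_checked_identity)
SAMPLE_ROWS = [
    ("AAAA", "AAAA", 1, 1),  # handshake completed, Heartbleed response seen
    ("AAAA", "AAAA", 1, 1),  # same relay seen again in a later scan
    ("BBBB", "B2B2", 1, 1),  # handshake completed with a different key than expected
    ("CCCC", None,   1, 0),  # handshake failed, Heartbleed response still seen
    ("AAAA", None,   1, 0),  # AAAA again, this time without a handshake
    ("DDDD", "DDDD", 0, 1),  # handshake completed, no Heartbleed response
    ("EEEE", None,   0, 0),  # nothing seen
]

# First branch of the page's query: identity proven by a completed Tor handshake.
VERIFIED = """select distinct hb.probe_identity_digest as identity_digest
from heartbleed_probe_results hb
where hb.probe_has_heartbleed and hb.probe_tor_checked_identity"""

# Second branch: no handshake, so fall back to the digest expected at that IP/port.
UNVERIFIED = """select distinct hb.expected_identity_digest as identity_digest
from heartbleed_probe_results hb
where hb.probe_has_heartbleed and not hb.probe_tor_checked_identity"""

def load(rows):
    """Create the probe-results table (assumed column types) and fill it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""create table heartbleed_probe_results (
        expected_identity_digest text, probe_identity_digest text,
        probe_has_heartbleed integer, probe_tor_checked_identity integer)""")
    conn.executemany("insert into heartbleed_probe_results values (?,?,?,?)", rows)
    return conn

def digests(conn, sql):
    return [row[0] for row in conn.execute(sql)]

def reject_candidates(conn):
    """The full union: one sorted, de-duplicated list of digests."""
    return digests(conn, VERIFIED + "\nunion\n" + UNVERIFIED + "\norder by identity_digest")

def breakdown(conn):
    """Split the list into handshake-verified digests and the additional
    digests contributed only by the expected-identity branch."""
    verified = set(digests(conn, VERIFIED))
    additional = set(digests(conn, UNVERIFIED)) - verified
    return sorted(verified), sorted(additional)

if __name__ == "__main__":
    conn = load(SAMPLE_ROWS)
    print(reject_candidates(conn), breakdown(conn))
```

With the sample rows, BBBB is not listed because the handshake at that address completed with B2B2, and AAAA is counted once even though it matches both branches.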