[tor-relays] Recommended reject lines for relays affected by Heartbleed

Tobias Markus tobias at miglix.eu
Thu Apr 17 16:05:18 UTC 2014


Hi,

(Disclaimer: I am just a "regular" supporter and have no great
in-depth knowledge about Tor internals.)

There is a difference between a directory *authority* and a directory
*mirror*. There are only 8 or so directory authorities in the Tor
network which each give a "vote" on each relay. (E.g. Authority A
thinks that Relay R should get the Running and Valid flag.)

The posts above are from Tor senior contributors, some running a
directory authority. Roger (Tor "founder") originally said that he
recommends dirauths to reject (give no flags to relays in their votes
and therefore throwing them out of the Tor network) relays affected by
the Heartbleed bug.

A directory mirror (a relay with the Directory Mirror option enabled)
just mirrors the original votes by the dirauths. Because they are all
cryptographically signed, any tampering you could do to the vote could
be detected by clients. (Tor clients only trust votes signed by the
dirauths' keys.)

Correct me if I'm wrong! :D

On 04/17/2014 04:55 PM, Saint Aardvark the Carpeted wrote:
> Roger Dingledine disturbed my sleep to write:
>> On Wed, Apr 16, 2014 at 08:03:51PM -0700, Andrea Shepard wrote:
>>> http://charon.persephoneslair.org/~andrea/private/hb-fingerprints-20140417002500.txt
>>>
>>> The SHA-256 hash of that file, for the sake of stating it under a PGP
>>> signature, is:
>>>
>>> dadd2beca51d1d5cd7ffe7d3fe3a57200c7de7e136cad23b0691df2fbe84ee3f
>>
>> Thanks Andrea. 374 of the 380 lines from Sina's file overlap with yours.
>>
>> I've moved moria1 to reject the union of the two lists.
> 
> As an ordinary Tor relay operator who's running a directory mirror,
> is there anything I need to do for my Tor relay about this?  I've
> found this message from the mailing list from a couple years ago:
> 
> https://lists.torproject.org/pipermail/tor-talk/2011-October/021936.html
>
>  ...which seems to imply that the directory operators are separate,
> and this is nothing I have to take action about.  But I wanted to
> make sure about this, as I couldn't find anything on the Tor FAQ. 
> Apologies if this is answered somewhere else.
> 
> Thanks, Hugh
