[tor-relays] Recommended reject lines for relays affected by Heartbleed

Tobias Markus tobias at miglix.eu
Thu Apr 17 16:05:18 UTC 2014

Hash: SHA1


(Disclaimer: I am just a "regular" supporter and have no great
in-depth knowledge about Tor internals.)

there is a difference between a directory *authority* and a directory
*mirror*. There are only 8 or so directory authorities in the Tor
network which each give a "vote" on each relay. (E.g. Authority A
thinks that Relay R should get the Running and Valid flag.)

The posts above are from Tor senior contributors, some running a
directory authority. Roger (Tor "founder") originally said that he
recommends dirauths to reject (give no flags to relays in their votes
and therefore throwing them out of the Tor network) relays affected by
the Heartbleed bug.

A directory mirror (a relay with the Directory Mirror option enabled)
just mirrors the original votes by the dirauths. Because they are all
cryptographically signed, any tampering you could do to the vote could
be detected by clients. (Tor clients only trust votes signed by the
dirauths' keys.)

Correct me if I'm wrong! :D

On 04/17/2014 04:55 PM, Saint Aardvark the Carpeted wrote:
> Roger Dingledine disturbed my sleep to write:
>> On Wed, Apr 16, 2014 at 08:03:51PM -0700, Andrea Shepard wrote:
>>>> http://charon.persephoneslair.org/~andrea/private/hb-fingerprints-20140417002500.txt
The SHA-256 hash of that file, for the sake of stating it under a PGP
>>> signature, is:
>>> dadd2beca51d1d5cd7ffe7d3fe3a57200c7de7e136cad23b0691df2fbe84ee3f
Thanks Andrea. 374 of the 380 lines from Sina's file overlap with yours.
>> I've moved moria1 to reject the union of the two lists.
> As an ordinary Tor relay operator who's running a directory mirror,
> is there anything I need to do for my Tor relay about this?  I've
> found this message from the mailing list from a couple years ago:
> https://lists.torproject.org/pipermail/tor-talk/2011-October/021936.html
>  ...which seems to imply that the directory operators are separate,
> and this is nothing I have to take action about.  But I wanted to
> make sure about this, as I couldn't find anything on the Tor FAQ. 
> Apologies if this is answered somewhere else.
> Thanks, Hugh
Version: GnuPG v2.0.22 (GNU/Linux)


More information about the tor-relays mailing list