[tor-relays] Recommended reject lines for relays affected by Heartbleed

Chris Whittleston csw34 at cam.ac.uk
Thu Apr 17 16:19:25 UTC 2014


I was going to ask something similar, and this sounds like the best kind of
answer - 'you don't need to do anything' :D


On 17 April 2014 17:05, Tobias Markus <tobias at miglix.eu> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> (Disclaimer: I am just a "regular" supporter and have no great
> in-depth knowledge about Tor internals.)
>
> there is a difference between a directory *authority* and a directory
> *mirror*. There are only 8 or so directory authorities in the Tor
> network which each give a "vote" on each relay. (E.g. Authority A
> thinks that Relay R should get the Running and Valid flag.)
>
> The posts above are from Tor senior contributors, some running a
> directory authority. Roger (Tor "founder") originally said that he
> recommends dirauths to reject (give no flags to relays in their votes
> and therefore throwing them out of the Tor network) relays affected by
> the Heartbleed bug.
>
> A directory mirror (a relay with the Directory Mirror option enabled)
> just mirrors the original votes by the dirauths. Because they are all
> cryptographically signed, any tampering you could do to the vote could
> be detected by clients. (Tor clients only trust votes signed by the
> dirauths' keys.)
>
> Correct me if I'm wrong! :D
>
> On 04/17/2014 04:55 PM, Saint Aardvark the Carpeted wrote:
> > Roger Dingledine disturbed my sleep to write:
> >> On Wed, Apr 16, 2014 at 08:03:51PM -0700, Andrea Shepard wrote:
> >>> http://charon.persephoneslair.org/~andrea/private/hb-fingerprints-20140417002500.txt
> >>>
> >>> The SHA-256 hash of that file, for the sake of stating it under a PGP
> >>> signature, is:
> >>>
> >>> dadd2beca51d1d5cd7ffe7d3fe3a57200c7de7e136cad23b0691df2fbe84ee3f
> >>
> >> Thanks Andrea. 374 of the 380 lines from Sina's file overlap with yours.
> >>
> >> I've moved moria1 to reject the union of the two lists.
> >
> > As an ordinary Tor relay operator who's running a directory mirror,
> > is there anything I need to do for my Tor relay about this?  I've
> > found this message from the mailing list from a couple years ago:
> >
> > https://lists.torproject.org/pipermail/tor-talk/2011-October/021936.html
> >
> >  ...which seems to imply that the directory operators are separate,
> > and this is nothing I have to take action about.  But I wanted to
> > make sure about this, as I couldn't find anything on the Tor FAQ.
> > Apologies if this is answered somewhere else.
> >
> > Thanks, Hugh
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iEYEARECAAYFAlNP+74ACgkQAO6N0EYmC9a3OgCgrwgZqo6BUGlD+DaYNPPHzWCc
> 9XkAnRHN5klCU3w4PEuEm7vg0KDJfgZv
> =TQAH
> -----END PGP SIGNATURE-----



-- 
*Dr Chris Whittleston 栗主*
Department of Chemistry
University of Cambridge
Lensfield Road, Cambridge, CB2 1EW
Email: csw34 at cam.ac.uk
Tel: +44 (0)1223 336423
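
The quoted thread describes checking a fingerprint list against a SHA-256 digest stated under a PGP signature and then rejecting the union of two lists. The sketch below is an added example, not code from the thread or from the Tor Project; it assumes one 40-hex-digit relay fingerprint per line (the list format is not shown in the thread) and uses constructed sample data.

```python
import hashlib
import hmac
import re

HEX40 = re.compile(r"[0-9A-Fa-f]{40}")  # assumed format: 40-hex relay fingerprint


def sha256_matches(data, expected_hex):
    """True if data hashes to the digest that was stated under the PGP signature."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def parse_fingerprints(data):
    """Return the set of fingerprints, one per line; refuse anything malformed."""
    fingerprints = set()
    for number, raw in enumerate(data.decode("ascii").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not HEX40.fullmatch(line):
            raise ValueError("line %d is not a fingerprint: %r" % (number, line))
        fingerprints.add(line.upper())  # normalise case so set operations work
    return fingerprints


def load_verified(data, expected_hex):
    """Parse a list only after its hash has been checked."""
    if not sha256_matches(data, expected_hex):
        raise ValueError("SHA-256 mismatch: list differs from the signed one")
    return parse_fingerprints(data)


def merge(list_a, list_b):
    """Union of two fingerprint sets plus the number of entries in both."""
    return sorted(list_a | list_b), len(list_a & list_b)


# Constructed sample data, not the real lists from the thread.
SAMPLE_A = b"# constructed\n" + b"\n".join(b"%040X" % n for n in (1, 2, 3)) + b"\n"
SAMPLE_B = b"\n".join(b"%040x" % n for n in (2, 3, 4)) + b"\n"

if __name__ == "__main__":
    digest_a = hashlib.sha256(SAMPLE_A).hexdigest()  # stands in for the signed digest
    a = load_verified(SAMPLE_A, digest_a)
    b = parse_fingerprints(SAMPLE_B)
    union, overlap = merge(a, b)
    print(len(union), "fingerprints in union,", overlap, "in both lists")
```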