[tor-relays] Recommended reject lines for relays affected by Heartbleed

Yoriz tor at privshield.com
Thu Apr 17 19:20:10 UTC 2014


Dear Andrea,

Could you please elaborate if/how we can use your file on a Tor node? Should we use these as 'ExcludeNodes' rules in the `torrc` configuration files of our Tor nodes? Or is the file merely intended for Tor clients?

Best regards,
Yoriz -- Operator of the privshield.com Tor exit node



On 17 Apr 2014, at 03:24, Andrea Shepard <andrea at torproject.org> wrote:

> A list of 1777 proposed reject lines of fingerprints which have
> ever turned up as potentially exposed by Heartbleed in my scans
> is available at the URL below.  This was generated with the following
> query:
> 
> (select distinct
>  hb.probe_identity_digest as identity_digest
> from
>  heartbleed_probe_results hb
> where
>  hb.probe_has_heartbleed and
>  hb.probe_tor_checked_identity)
> union
> (select distinct
>  hb.expected_identity_digest as identity_digest
> from
>  heartbleed_probe_results hb
> where
>  hb.probe_has_heartbleed and
>  not hb.probe_tor_checked_identity)
> order by
>  identity_digest;
> 
> That is, it includes all probe results for which a Tor handshake was
> actually completed with the identity digest in question *and* a response
> to the Heartbleed probe was seen (1729 digests) or for identity digests we
> expected to see for that IP/port pair for which the handshake did not succeed
> but a Heartbleed response was seen (additional 48 digests).
> 
> The target list is all IP/port pairs which have ever appeared in a consensus
> or vote during the time I've been scanning, so some of these may not be
> in the current consensus or have ever appeared, or they may no longer be
> vulnerable but not have changed keys properly.  There are a bit over 900
> vulnerable relays in the latest consensus.
> 
> http://charon.persephoneslair.org/~andrea/private/hb-fingerprints-20140417002500.txt
> 
> -- 
> Andrea Shepard
> <andrea at torproject.org>
> PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF  DE79 A4FF BC34 F01D D536
> PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
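
An added example (not part of either message, and not Andrea's scanning code): the query from the quoted message run through Python's sqlite3 over a few constructed probe rows, to show which digest each arm of the UNION puts on the list. Only the column names come from the query; the table layout, the column types, the reading of each column given in the comments, and every row are assumptions.

```python
import sqlite3

# Assumed schema: only the column names that the query uses come from the
# message; ip/port, the types and all rows below are constructed.
SCHEMA = """
create table heartbleed_probe_results (
  ip text, port integer,
  expected_identity_digest text,       -- digest listed for this ip:port
  probe_identity_digest text,          -- digest the Tor handshake completed with
  probe_tor_checked_identity integer,  -- 1 if that handshake succeeded
  probe_has_heartbleed integer         -- 1 if a Heartbleed response was seen
)"""

ROWS = [  # constructed sample data; real digests are 40 hex characters
    # handshake completed and Heartbleed response seen: probe digest is listed
    ("192.0.2.1", 9001, "AAAA", "AAAA", 1, 1),
    # same relay probed twice: distinct/union keep a single entry
    ("192.0.2.1", 9001, "AAAA", "AAAA", 1, 1),
    # handshake failed but Heartbleed response seen: expected digest is listed
    ("192.0.2.2", 443, "BBBB", None, 0, 1),
    # handshake completed, no Heartbleed response: not listed
    ("192.0.2.3", 9001, "CCCC", "CCCC", 1, 0),
    # handshake completed with a digest other than the expected one:
    # the digest that actually answered (DDDD) is listed, EEEE is not
    ("192.0.2.4", 9001, "EEEE", "DDDD", 1, 1),
]

# The query from the message. The parentheses around each UNION arm are
# dropped because SQLite does not accept them; the logic is unchanged.
QUERY = """
select distinct hb.probe_identity_digest as identity_digest
from heartbleed_probe_results hb
where hb.probe_has_heartbleed and hb.probe_tor_checked_identity
union
select distinct hb.expected_identity_digest as identity_digest
from heartbleed_probe_results hb
where hb.probe_has_heartbleed and not hb.probe_tor_checked_identity
order by identity_digest"""

def affected_digests(rows):
    """Load rows into an in-memory table and return the sorted digest list."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("insert into heartbleed_probe_results values (?,?,?,?,?,?)", rows)
    return [r[0] for r in db.execute(QUERY)]

if __name__ == "__main__":
    print(affected_digests(ROWS))
```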
