[tor-relays] Bridge Operators - Heartbleed, Heartwarming, and Increased Help

Grozdan neutrino8 at gmail.com
Wed Apr 23 06:53:08 UTC 2014


Hi,

Thanks for the mail, even though I wasn't notified personally (yes, my
bridge has a contact email). I can say that after the issue with
OpenSSL occurred, I immediately installed the update provided by my
distro, stopped Tor and removed all keys and let it generate new ones.
My bridge is an obfuscated one. Do I have to do anything else? I mean,
since obfsproxy isn't linking to OpenSSL as it's written in Python, it
should be safe, no? Or maybe Python itself links to OpenSSL but since
I updated OpenSSL and restarted everything that was using its libs, I
should be safe?

Thanks

On Wed, Apr 23, 2014 at 8:32 AM, Matthew Finkel
<matthew.finkel at gmail.com> wrote:
> Hi All,
>
> Below is an email we sent last week to almost all of the bridge
> operators who provided contact information for their bridge(s). For
> those operators we missed and for those we couldn't contact, this
> hopefully provides some useful information.
>
> All the best,
> Matt
>
> -----------------------------------------------------------------------
>
> Hi Tor Bridge Relay Operator!
>
> Unfortunately this email must begin with bad news, but it gets better.
>
> Due to the recent Heartbleed OpenSSL vulnerability that was disclosed
> earlier this week, we are reaching out to you to ask that you install
> an updated version of OpenSSL. The vulnerability has the potential to
> decrease the security of your bridge as well as the anonymity of any
> user connecting to your bridge. As a result of this, we also ask that
> you generate a new identity key due to the possibility that your
> current one was leaked.
>
> The process to upgrade your version of OpenSSL depends greatly on
> your operating system. Please ensure you are using a version that was
> released within the past four days, see the Heartbleed website[0] for
> more details on the vulnerability and for which versions are affected.
> Please do this before you regenerate your identity key.
>
> When this is done, you will need to restart Tor. At this point you can
> ask us to retest your bridge to confirm that it is not vulnerable
> anymore.
>
> Next, to regenerate your identity key simply stop Tor and delete the
> current key. This is done by opening Tor's Data directory and removing
> the contents in the keys/ directory. Tor's Data directory is located at
> /var/lib/tor, by default. Let us know if you have trouble locating it.
> When this is complete, start Tor and it will automatically create a new
> identity for you.
>
> See the recent blog post for many more details:
> https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
>
> Now that the bad news was said, we want to take this opportunity to
> thank you, from the bottom of our hearts, for volunteering to run
> a bridge relay. We know we do not say it often, but it is really
> appreciated! Please let us know if you have any questions, concerns, or
> suggestions, especially related to how we communicate with you and how
> bridge relay operators can be more involved.
>
> Lastly, if you are not already running the obfsproxy pluggable
> transport[1] (i.e. obfs3) on your bridge, please follow the Debian
> instructions[2] (for a Debian-based system) on the website and install
> it. Your bridge is a great contribution to the Tor network, however as
> censorship on the internet increases around the world users are forced
> to use a pluggable transport. Tor does not understand how to
> communicate with them by default, though. Therefore we are asking that
> all bridge operators install obfsproxy and help as many users as
> possible.
>
> In addition, also consider subscribing to the tor-relays mailing
> list[3], if you are not already; we will be posting instructions on how
> to maximize the contribution of your bridge on that list every now and
> then.
>
> [0] http://heartbleed.com
> [1] https://www.torproject.org/docs/pluggable-transports.html.en
> [2] https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en#instructions
> [3] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> Again, thank you for running a bridge relay and sorry for the bad news.
>
> Let us know if you have any questions or if you have any suggestions.
>
> All the best,
> Matt
> The Tor Project



-- 
Yours truly
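
An added example, not part of the original thread: the reply above turns on whether every process that had the old OpenSSL libraries loaded was restarted after the update. On Linux, a process still running the replaced library shows its mapping as "(deleted)" in /proc/PID/maps; the function names and the sample lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example (Linux only). Finds processes that still map a
# libssl/libcrypto file that has been replaced on disk.

# stale_tls_libs: reads /proc/PID/maps-format text on stdin and prints
# each distinct libssl/libcrypto path marked "(deleted)" once.
stale_tls_libs() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*$" { print $6 }' | sort -u
}

# scan_procs [procdir]: prints "PID COMM PATH" for each process that
# still maps a replaced library. procdir defaults to /proc.
scan_procs() {
    procdir=${1:-/proc}
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # unreadable or process exited
        dir=${maps%/maps}
        libs=$(stale_tls_libs < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "${dir##*/}" "$comm" "$lib"
        done
    done
    return 0
}

# Constructed sample in /proc/PID/maps format (not captured from a real host).
sample_maps() {
    cat <<'EOF'
7f3a10000000-7f3a10050000 r-xp 00000000 08:01 1311 /usr/lib/libssl.so.1.0.0 (deleted)
7f3a10250000-7f3a10254000 rw-p 00050000 08:01 1311 /usr/lib/libssl.so.1.0.0 (deleted)
7f3a0f000000-7f3a0f1d0000 r-xp 00000000 08:01 1312 /usr/lib/libcrypto.so.1.0.0 (deleted)
7f3a0e000000-7f3a0e1b0000 r-xp 00000000 08:01 2001 /lib/libc.so.6
7f3a0d000000-7f3a0d021000 rw-p 00000000 00:00 0
EOF
}

# Demonstration on the constructed sample; call scan_procs (as root) for live data.
sample_maps | stale_tls_libs
```

An empty result from `scan_procs` means no running process still maps a replaced libssl or libcrypto file. A binary statically linked against OpenSSL does not appear in this check and has to be updated itself.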

