Tor Project infrastructure updates in response to security breach

Harry Hoffman hhoffman at ip-solutions.net
Thu Jan 21 03:42:22 UTC 2010 

When you guys have finished the assessment will you be releasing details
of how the compromise happened?

Cheers,
Harry

On Wed, 2010-01-20 at 16:43 -0500, Roger Dingledine wrote:
> You should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha:
> https://www.torproject.org/download.html.en
> 
> In early January we discovered that two of the seven directory
> authorities were compromised (moria1 and gabelmoo), along with
> metrics.torproject.org, a new server we'd recently set up to serve
> metrics data and graphs. The three servers have since been reinstalled
> with service migrated to other servers.
> 
> We made fresh identity keys for the two directory authorities, which is
> why you need to upgrade.
> 
> Moria also hosted our git repository and svn repository. We took the
> services offline as soon as we learned of the breach. It appears the
> attackers didn't realize what they broke into -- just that they had
> found some servers with lots of bandwidth. The attackers set up some ssh
> keys and proceeded to use the three servers for launching other attacks.
> We've done some preliminary comparisons, and it looks like git and svn
> were not touched in any way.
> 
> We've been very lucky the past few years regarding security. It still
> seems this breach is unrelated to Tor itself. To be clear, it doesn't
> seem that anyone specifically attacked our servers to get at Tor. It
> seems we were attacked for the cpu capacity and bandwidth of the servers,
> and the servers just happened to also carry out functions for Tor.
> 
> We've tried to address the most common questions below.
> 
> * Does this mean someone could have matched users up to their
> destinations?
> 
> No. By design, Tor requires a majority of directory authorities (four
> in this case) to generate a consensus; and like other relays in the
> Tor network, directory authorities don't know enough to match a user
> and traffic or destination.
> 
> * Does this mean somebody could have changed the Tor source?
> 
> No, we've checked the source. It does mean you should upgrade so your
> client knows about all the currently valid directory authorities.
> 
> * Does this mean someone could have learned more about Tor than an
> ordinary user?
> 
> Since our software and specifications are open, everyone already has
> access to almost everything on these machines... except some old bridge
> descriptors, which we give out only in small batches as entry points for
> blocked clients.
> 
> * Can I trust Tor's security?
> 
> We've taken steps to fix the weaknesses identified and to harden our
> systems further. Tor has a track record of openness and transparency,
> with its source code and specifications and also with its operations.
> Moreover, we're disclosing breaches such as this so you can monitor our
> status. You shouldn't assume those who don't disclose security breaches
> never have any!
> 
> --Roger
> 

***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

More information about the tor-talk mailing list