[tor-talk] Tor 0.2.4.13-alpha is out
krishna e bera
keb at cyblings.on.ca
Sun Jun 16 22:55:55 UTC 2013
On 13-06-16 06:49 PM, Roman Mamedov wrote:
> On Sun, 16 Jun 2013 15:18:47 -0700
> Mike Perry <mikeperry at torproject.org> wrote:
>
>> Roger Dingledine:
>>> Tor 0.2.4.13-alpha fixes a variety of potential remote crash
>>> vulnerabilities, makes socks5 username/password circuit isolation
>>> actually actually work (this time for sure!), and cleans up a bunch
>>> of other issues in preparation for a release candidate.
>>>
>>> https://www.torproject.org/dist/
>> As a heads up, a bug was introduced in this release that allows
>> malicious websites to discover a client's Guard nodes in a very short
>> amount of time (on the order an hour), if those Guard nodes upgrade to
>> this release.
> So a random clearnet end-destination website can trace the client all the way
> through Tor network and discover information not about its exit, not about the
> middle, but even about the entry node? And nodeS, i.e. all of them?*
> Wow; can you explain in more detail how that works?
>
> * (then a Three Letter Agency (TLA) can obtain lists of connecting clients
> from all three Guards, and pretty much "triangulate" the actual source IP of
> that user either to a bulls-eye hit or a very short list of IPs simultaneously
> on all three.)
>
>> Unfortunately, the bug was introduced by fixing another issue that
>> allows Guard nodes to be selectively DoSed with an OOM condition, so
>> Guard node (and Guard+Exit node) operators are kind of in a jam.
> One more reason to abandon the Guard system altogether.
>
What if relays revert to the "stable" 0.2.3.latest for now?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 545 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20130616/fb54b1a3/attachment.pgp>
More information about the tor-talk
mailing list