[tor-talk] Heartbleed and TOR

Joe Btfsplk joebtfsplk at gmx.com
Thu Apr 10 23:37:01 UTC 2014


On 4/10/2014 3:44 PM, Christopher J. Walters wrote:
> "Since I am neither an expert on OpenSSL nor TOR, let's get one question out of
> the way before anything further is said on the topic:  Does TOR actually use
> potentially vulnerable versions of OpenSSL (or use it at all, for that matter)?"
Should Tor / TorBrowser be patched for the Heartbleed bug?
Apparently so:
https://blog.torproject.org/blog/
"Tor Browser users should upgrade as soon as possible to the new 3.5.4 
release <https://blog.torproject.org/blog/tor-browser-354-released>, 
which includes OpenSSL 1.0.1g, fixing the vulnerability. "The browser 
itself does not use OpenSSL...however, this release is still considered 
an important security update, because it is theoretically possible to 
extract sensitive information from the Tor client sub-process", wrote 
Mike Perry."

"From what I have read, the bug is a server side bug, and does not pose much
risk to regular users..."
...may *BE* compromised (future tense).  Isn't that enough of a risk?
Too much more risk & they might have to shut down the internet?

I don't quite get the comments from some.  Even if it came to light that everyone but the NSA knew about this bug for years, does that negate the need to patch it now?

I once almost stepped on a Water Moccasin.  Because he didn't move or bite me, was there any need to jump back about six feet? (Seemed like it)



