[tor-talk] Heartbleed and TOR

Christopher J. Walters cwal989 at comcast.net
Fri Apr 11 00:00:37 UTC 2014


On 4/10/2014 7:37 PM, Joe Btfsplk wrote:
> On 4/10/2014 3:44 PM, Christopher J. Walters wrote:
.snip.
> Should Tor / TorBrowser be patched for heartbleed bug?
> Apparently so:
> https://blog.torproject.org/blog/
> "Tor Browser users should upgrade as soon as possible to the new 3.5.4 release
> <https://blog.torproject.org/blog/tor-browser-354-released>, which includes
> OpenSSL 1.0.1g, fixing the vulnerability. "The browser itself does not use
> OpenSSL...however, this release is still considered an important security
> update, because it is theoretically possible to extract sensitive information
> from the Tor client sub-process", wrote Mike Perry."

'and to do so without leaving a trace that said information was extracted and 
by whom.', he should have added.

> "From what I have read, the bug is a server side bug, and does not pose much
> risk to regular users..."
> ...may *BE* compromised (future tense).  Isn't that enough of a risk?
> Too much more risk & they might have to shut down the internet?

Yes, it is a significant risk, and as I understand it, there is no way to 
detect whether or not any given vulnerable server had information stolen by 
this bug.  There are a great many unknowns with this bug, and that makes me 
uncomfortable.  However, shutting down the Internet is a little extreme, don't 
you think?  Kind of like burning down your house because you think someone 
*MAY* have broken in without your knowledge.

To clarify:  Most regular (esp. non-TOR) users are not at *direct* risk from 
the bug (you'd basically have to be running a server configuration, with the 
vulnerability, as I understand it).  Also, Firefox is immune from *direct* 
attack since it uses NSS rather than OpenSSL for secure connections. 
*Indirect* risk is a whole other story - there simply is not enough 
information, and probably never will be, to assess the scope of that.

> I don't quite get comments from some.  Even if it came to light that everyone
> but the NSA knew about this bug for yrs, does that negate the need to patch it
> now?

It absolutely should be patched now.  As far as who knew about it and when, that 
is another unknown.  I'd think it a safe bet that the NSA (and other 
intelligence agencies, here and abroad) found out about it before the official 
release of the CVE.  As for the baddies (identity thieves, etc.), who can say 
for certain, besides them (and we know they won't).

What concerns me about the NSA is not so much *when* they knew about it, but 
that they *do* know about it, given recent revelations about the scope and 
nature of their surveillance programs.

Chris

