[tor-talk] Is Tor network still vulnerable to Heartbleed?

sssheep sssheep at i2pmail.org
Fri Apr 18 20:32:57 UTC 2014

On Mon, 14 Apr 2014 18:42:09 +0000 (UTC)
Артур Истомин <art.istom at yandex.ru> wrote:

> On Mon, Apr 14, 2014 at 01:45:16PM +0000, antispam06 at sent.at wrote:
> > In his announcement, arma noted it would be a good idea to stay away
> > from the Internet. Is it ok?
> Yeah, let's go to FIDO! :)
> The more you wait (without Internet), the more servers will be
> updated and the less likely it is that you'll find yourself a victim of
> this vulnerability in OpenSSL. But now this will probably never be zero.
> So relax and be happy :)

As of right now (Fri Apr 18 19:01:21 UTC 2014), the number of
vulnerable relays is:

> Bleeding Consensus Weight %: 0.0129271197714
> Number of bleeding relays: 34

You can see an updated list at

The network's pretty solid now. The Tor Directory Authorities have
marked most (if not all) of the vulnerable relays as '!invalid', meaning
no circuits will flow to them and they will see error messages in their

To answer your question, no, the Tor network is invulnerable to
Heartbleed. Wait out a little longer if you want to be sure. This
doesn't mean Tor is safe from other OpenSSL bugs. 

The OpenBSD folk are working on fixing up OpenSSL
(http://opensslrampage.org/) which may be of interest.

