[tor-talk] Cancelled black hat talk

Roger Dingledine arma at mit.edu
Mon Jul 21 22:58:44 UTC 2014

On Mon, Jul 21, 2014 at 10:05:26PM +0000, Nusenu wrote:
> > 1) We did not ask Black Hat or CERT to cancel the talk. We did (and
> > still do) have questions for the presenter and for CERT about some
> > aspects of the research
> Does that imply that the exploited "weakness" is not yet fully
> understood by you (core developers)? (which also would imply that
> there is no "fix" yet)

I think I have a handle on what they did, and how to fix it. We've been
trying to find delicate ways to explain that we think we know what they
did, but also it sure would have been smoother if they'd opted to tell
us everything. The main reason for trying to be delicate is that I don't
want to discourage future researchers from telling us about neat things
that they find. I'm currently waiting for them to answer their mail so
I can proceed.

> Also (if you can anticipate that ahead of the coordinated disclosures):
> Should relay ops get ready to deploy a critical patch?
> Should users get ready to update their Tor Browser Bundles soon?
> Will there be a "fix" at all?

Based on our current plans, we'll be putting out a fix that relays can
apply that should close the particular bug they found. The bug is a nice
bug, but it isn't the end of the world. And of course these things are
never as simple as "close that one bug and you're 100% safe".

Less vague sentences soon I hope,

More information about the tor-talk mailing list