The Inquirer-Home

Tor network starts rejecting Heartbleed vulnerable relays

Wants to get its hands off those fingerprints
Thu Apr 17 2014, 12:14

heartbleed bugTHE SECURE Tor network has started rejecting the points in its system that remain vulnerable to the Heartbleed security bug, which we discuss in the below video.

One of the Tor developers announced the cull on the Tor mailing list, where he said that blocking vulnerable nodes could remove as much as 12 percent of the available network.

Dingledine pulled a list of 380 suspect nodes from a Sina scanner, and he said he had already begun acting on it.

"I'm attaching the list of relay identity fingerprints that I'm rejecting on moria1 as of yesterday," he said. "I thought for a while about taking away their Valid flag rather than rejecting them outright, but this way they'll get notices in their logs."

Dingledine said that he will limit the amount of information that he releases, for fear of enabling exploits.

"I also thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they've upgraded their openssl), but on the other hand, if they were still vulnerable as of yesterday, I really don't want this identity key on the Tor network even after they've upgraded their openssl," he added.

"If the other directory authority operators follow suit, we'll lose about 12 percent of the exit capacity and 12 percent of the guard capacity."

Security firm Trend Micro has discussed Heartbleed and the impact that it might be having on the criminal community.

"Not only is [Heartbleed] impacting services that are legitimately conducting secure transactions, it is also causing shell shock in the Deep Web as many of the hidden services within the TOR (The Onion Router) are impacted as well. In an ironic twist of events, the same veil that allows for anonymous and 'secure' transactions within the cyber underground can also be susceptible to attack," wrote Trend Micro analyst JD Sherry.

"Users of these hidden services will have to balance their need to transact and support their nefarious lifestyles versus the possibility of being exposed on what was once thought to be an "anonymous" platform, pre Heartbleed."

The Heartbleed bug continues to wash over the industry, and this week the first person thought to have exploited it was pinched by Canadian rozzers. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?