THE SECURE Tor network has started rejecting the points in its system that remain vulnerable to the Heartbleed security bug, which we discuss in the below video.
One of the Tor developers announced the cull on the Tor mailing list, where he said that blocking vulnerable nodes could remove as much as 12 percent of the available network.
Dingledine pulled a list of 380 suspect nodes from a Sina scanner, and he said he had already begun acting on it.
"I'm attaching the list of relay identity fingerprints that I'm rejecting on moria1 as of yesterday," he said. "I thought for a while about taking away their Valid flag rather than rejecting them outright, but this way they'll get notices in their logs."
Dingledine said that he will limit the amount of information that he releases, for fear of enabling exploits.
"I also thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they've upgraded their openssl), but on the other hand, if they were still vulnerable as of yesterday, I really don't want this identity key on the Tor network even after they've upgraded their openssl," he added.
"If the other directory authority operators follow suit, we'll lose about 12 percent of the exit capacity and 12 percent of the guard capacity."
"Not only is [Heartbleed] impacting services that are legitimately conducting secure transactions, it is also causing shell shock in the Deep Web as many of the hidden services within the TOR (The Onion Router) are impacted as well. In an ironic twist of events, the same veil that allows for anonymous and 'secure' transactions within the cyber underground can also be susceptible to attack," wrote Trend Micro analyst JD Sherry.
"Users of these hidden services will have to balance their need to transact and support their nefarious lifestyles versus the possibility of being exposed on what was once thought to be an "anonymous" platform, pre Heartbleed."
The Heartbleed bug continues to wash over the industry, and this week the first person thought to have exploited it was pinched by Canadian rozzers. µ
Plus, it's goodbye to Device Assist
Vulnerabilities in the iOS sandbox thankfully found by the good guys
Data watchdog will make sure firm is being fully transparent about the controversial move
Chinese firm reportedly forces staff to do 82 hours of overtime a month