Possible Permanent Vacation (Heartbleed)

Hi all,

I will still be taking a vacation to make my final decision as I do further reading on the matter, but any informative posts like the_avid's are much appreciated.

*Edit made after more information was gathered*

Best of Luck to all, Sincerely, Light Yagami


Comments


[7 Points] IGetDankShit:

This seems overly paranoid IMO but then again I am not a vendor and I'm not in your shoes.


[4 Points] the_avid:

All of us are in danger with this exploit allowing for the server memory to be exploited. At best, nothing was stolen. At worst, the Tor key to the servers was directly compromised.

This only applies to the exploit on clearnet HTTPS sites, and it is because of how clearnet web servers are set up: the same process, which shares the same memory heap (from which the leaked data originates), is shared by OpenSSL and the process handling multiple client connections (using threads).

Even here, where it is tightly integrated with the web server, it is highly dependent on the server operating system. Some operating systems will allocate the memory in an area that is completely barren, thus the exploit potential is low, while others, usually more esoteric systems, will re-use the same part of the memory as they do when serving web application processes, which is where you can find session cookies.

What does this have to do with Tor hidden services, Tor bridges and Tor clients? Nothing. Each of those cases is also unique, but the headline news about the bug that you are reading about affecting clearnet sites and the bug with Tor are completely different.

I think it was good for the Tor project to be over-cautious in advising users to update, because they didn't have more information at the time. I've spent the past 72 hours actually reading source code and testing the exploit against Tor, and I have yet to manage to get it to give up anything useful. OpenSSL is integrated with the Tor process, and there are a couple of things that make it difficult to exploit:

a) to exploit a hidden service, you'd need to connect to it directly, which means exploiting all 7 machines in the circuit between you and the hidden service in step.

b) the dropped connections on the hidden service are very noisy, unlike the bug when implemented in web servers. You get an info message that is logged, so hidden service owners have something to look for.

c) other information in a tor memory heap just isn't as interesting as what it is in a web server.

Also, reading the source and where/how and what Tor allocates in memory and where OpenSSL is: the worst case with the most sophisticated enemy in the world who knew about the bug before it was published isn't that bad. I think there are better ways to attack Tor.

Clients should update though, the client bug is nasty - you can exploit that but again it will only give up info on other Tor first hops and destinations (at worst, and even that is difficult) unless you are using something like wget or lynx to do your banking and Tor surfing at the same time :)

I was on top of this bug pretty quickly; my messages lit up like crazy when the website went public. I almost reached the point of getting hidden services taken down, but it was clearer within minutes that a lot of Tor sites won't be vulnerable and those that are aren't at a risk level where immediate intervention to shut down the market is required.

What's happening now is contingency planning in case someone did pull off the 1-in-100-million hack. Spending an extra few days to weigh the implications won't have a huge impact here, so it's better to fix it once and well than to knee-jerk react and say you weren't vulnerable, or get sucked into the hype of the clearnet attacks and say that your hidden site was exploited.

Edit: the other part here is the breakdown in the trust chain, something that /u/lukeskywalkr pointed out here in this comment and something I've been thinking about. As with the Tor Market incident, you can't really trust, nor should you trust, a DNM admin that all is right. I know that most sites are OK, but because of the trust breakdown and the different dynamics and threat nature of DNMs, it's probably best to recommend that all hidden sites re-gen their key pairs and reset all user passwords.

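The mechanism the_avid describes above (a heartbeat reply that copies more bytes out of the process heap than the peer actually sent, so whatever sits next to the record in memory ends up in the reply) is easier to reason about with the two handlers side by side. The following is an added illustration, not code from OpenSSL, Tor or any commenter in this thread: it is a constructed, simplified model of an RFC 6520 heartbeat record, a handler that trusts the peer's `payload_length` the way the bug did, a handler with the record-length check that the fix added, and a constructed "heap" in which a sample string `SESSION=deadbeef` stands in for unrelated data living beside the record. The arena layout, the secret value and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520): one type byte, a
 * two-byte big-endian payload_length, the payload, then >= 16 bytes of
 * padding. Example code only, not OpenSSL's implementation. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  64

struct tls_record {
    const unsigned char *data;  /* bytes as received from the peer */
    size_t length;              /* how many bytes actually arrived */
};

/* Build the reply: type, echoed length, `payload` bytes copied from src,
 * then padding. Returns the reply length or -1 if `out` is too small. */
static int write_reply(unsigned char *out, size_t out_cap,
                       const unsigned char *src, uint16_t payload)
{
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;        /* bounds the destination only */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);        /* copies whatever follows src */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)need;
}

/* Heartbleed pattern: trust payload_length from the peer and never compare
 * it to the record length, so memcpy runs off the record into neighbouring
 * heap memory and the reply carries that memory back to the peer. */
int heartbeat_reply_vulnerable(const struct tls_record *rec,
                               unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);  /* attacker-chosen */
    return write_reply(out, out_cap, p + 3, payload);
}

/* Fixed handler: refuse any record whose claimed payload does not fit in
 * the bytes actually received (the check the OpenSSL 1.0.1g fix added). */
int heartbeat_reply_fixed(const struct tls_record *rec,
                          unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + HB_PADDING) return -1;   /* truncated record */
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec->length) return -1;
    return write_reply(out, out_cap, p + 3, payload);
}

/* Constructed "heap": a 23-byte request carrying a 4-byte payload ("ping")
 * whose header claims `claimed` payload bytes, followed by a sample secret
 * standing in for unrelated data that happens to sit next to it. */
static const char SECRET[] = "SESSION=deadbeef";   /* constructed sample */

static size_t build_arena(unsigned char *arena, uint16_t claimed)
{
    size_t n = 0;
    memset(arena, 0, ARENA_SIZE);
    arena[n++] = HB_REQUEST;
    arena[n++] = (unsigned char)(claimed >> 8);
    arena[n++] = (unsigned char)(claimed & 0xff);
    memcpy(arena + n, "ping", 4); n += 4;
    n += HB_PADDING;                               /* 16 zero padding bytes */
    memcpy(arena + n, SECRET, sizeof SECRET - 1);  /* lives past the record */
    return n;                                      /* 23: true record length */
}

static int reply_contains_secret(const unsigned char *out, int n)
{
    size_t slen = sizeof SECRET - 1;
    if (n < 0) return 0;
    for (int i = 0; i + (int)slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* 1 if a request claiming 48 payload bytes pulls SECRET into the reply. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[ARENA_SIZE], out[128];
    struct tls_record rec = { arena, build_arena(arena, 48) };
    int n = heartbeat_reply_vulnerable(&rec, out, sizeof out);
    return reply_contains_secret(out, n);
}

/* Reply length from the fixed handler for a given claimed length (-1 = rejected). */
int fixed_reply_len(uint16_t claimed)
{
    unsigned char arena[ARENA_SIZE], out[128];
    struct tls_record rec = { arena, build_arena(arena, claimed) };
    return heartbeat_reply_fixed(&rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, claimed 48: %d (rejected)\n", fixed_reply_len(48));
    printf("fixed handler, claimed 4:  %d (honest reply)\n", fixed_reply_len(4));
    return 0;
}
```

The vulnerable handler only checks that the destination buffer is large enough; nothing ties the claimed length to the 23 bytes that arrived, so the 48-byte copy walks past the padding into the neighbouring secret. This is also why the comment's point about process layout matters: what the over-read returns depends entirely on what the allocator placed after the record, which is private keys and session cookies on a busy web server and, per the comment, much less interesting material in a Tor process.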

[3 Points] galaxyandspace:

Can we get a pgp signature from you?