Heartbleed bug in SSL might be of interest to some of you.

Check it out: http://heartbleed.com/ This is how it effects Tor users: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160


Comments


[2 Points] aalewis____:

We have been speculating if a tor relay couldn't be made to leak information about the IP address of the next hop in a circuit, since an arbitrary memory leak is possible. Then, in theory, one could walk all nodes in a circuit to eventually uncover the other end of the circuit... (if all nodes in the circuit are linked to vulnerable openssl). Is that somehow prevented by the implementation design?

Scary shit


[1 Points] lgats:

I made a tool to check the status of your SSL and see if heartbeat is enabled. If it is, you should run this command: openssl version -a

Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1

Tool at: http://rehmann.co/projects/heartbeat/


[1 Points] None:

I wonder how many markets have updated to the patched OpenSSL packages. Any markets running the aforementioned OpenSSL packages could potentially have the Tor private keys stolen. This would mean there's a possibility that an onion address could be hijacked, and potentially even worse, a hacker or LE could intercept all encrypted traffic such as usernames and passwords.

The worse part is that there is no method to detect if the keys have been compromised. The only definite secure thing to do is to change all Tor keys. However, if every market changed their private keys, this would mean every onion address currently existing would change as well.

On a side note, all clearnet sites that are using the vulnerable packages suffer the same issues. This would mean using an HTTPS connection does not guarantee that the encrypted information being sent is secured. Credit cards and banking information can also be intercepted in the same manner if the server's SSL keys have been compromised.


[1 Points] bobstheyreuncle:

Big question: is reddit using OpenSSL?