Heartbleed Cuts Tor Capacity

Monday, April 21, 2014 @ 07:04 PM gHale

Because of the OpenSSL Heartbleed bug, the Tor anonymity network will temporarily lose some capacity.

The Tor network will temporarily lose “12 percent of the exit capacity and 12 percent of the guard capacity,” said Roger Dingledine, leader of the Tor Project, in a post on the Tor-relays mailing lists.


The Heartbleed bug affects about two-thirds of websites previously believed to be secure. These are websites that use the software library called OpenSSL to encrypt supposedly secure Internet connections used for sensitive purposes such as online banking and purchasing, sending and receiving emails, and remotely accessing work networks. Heartbleed became public last week.

In 2012, a new feature called Heartbeat was added to the software, primarily for slow Internet connections: it allowed connections to stay open even during idle time. A flaw in the implementation allowed confidential information to pass through the connection, hence the name Heartbleed.

When the bug first became public, the Tor team noted that “Tor relays and bridges could maybe be made to leak their medium-term onion keys or their long-term relay identity keys,” and those who operate them were advised to update their OpenSSL package, discard all the files in keys/ in their DataDirectory, and restart Tor to generate new keys.
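
The remediation the Tor team advised, written out as a small operator helper. This is an added example, not the Tor Project's own code: it assumes a Debian-style "service tor" command, the default DataDirectory /var/lib/tor, and that the fingerprint file Tor writes under the DataDirectory is the one to report. The affected-version range it checks against comes from the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1), which the article itself does not list.

```shell
#!/bin/sh
# Added example (not Tor Project code): relay-operator helper for the
# Heartbleed remediation described above. Refuses to rotate keys while the
# installed OpenSSL is still an affected build, otherwise discards keys/ so
# that Tor generates a fresh onion key and relay identity key on restart.
set -eu

# Affected range per the OpenSSL advisory for CVE-2014-0160: 1.0.1 through
# 1.0.1f inclusive, and 1.0.2-beta1. 1.0.1g and later, and the 1.0.0 and
# 0.9.8 branches, are not affected. Argument: bare version such as "1.0.1e".
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the bare version field out of "openssl version" output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e". Empty if openssl is absent.
openssl_version_string() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# Discard keys/ under the DataDirectory, as advised. Prints the identity being
# retired first (Tor writes it to DataDirectory/fingerprint) so the operator
# can recognise the old relay when it disappears from the consensus.
# Does not stop or start Tor itself. Argument: DataDirectory (assumed default).
rotate_relay_keys() {
    datadir="${1:-/var/lib/tor}"
    if [ ! -d "$datadir/keys" ]; then
        echo "no keys directory under $datadir" >&2
        return 1
    fi
    if [ -f "$datadir/fingerprint" ]; then
        echo "retiring identity: $(cat "$datadir/fingerprint")"
    fi
    rm -rf "$datadir/keys"
    echo "keys discarded; Tor will generate a new identity on start"
}

# Full flow: new keys generated under a still-leaky OpenSSL could leak again,
# so the rotation is refused until the library is out of the affected range.
# "service tor" is an assumption about the host's init system.
remediate() {
    datadir="${1:-/var/lib/tor}"
    ver="$(openssl_version_string)"
    if [ -z "$ver" ] || heartbleed_affected "$ver"; then
        echo "OpenSSL '${ver:-not found}' is not known to be fixed; upgrade before rotating keys" >&2
        return 1
    fi
    service tor stop
    rotate_relay_keys "$datadir"
    service tor start
}

# Usage: sh heartbleed-relay.sh                  (report only)
#        sh heartbleed-relay.sh --remediate [DataDirectory]
if [ "${1:-}" = "--remediate" ]; then
    remediate "${2:-/var/lib/tor}"
else
    v="$(openssl_version_string)"
    if [ -z "$v" ]; then
        echo "openssl not found on PATH"
    elif heartbleed_affected "$v"; then
        echo "OpenSSL $v: affected range, upgrade required before rotating keys"
    else
        echo "OpenSSL $v: not in the affected range (verify distro backports separately)"
    fi
fi
```

One caveat the version check cannot cover: distributions that backported the fix kept the old version string (a patched 1.0.1e still reports 1.0.1e), so on such systems the package changelog or the build date printed by "openssl version -a" is the thing to confirm, and the check above will report a false positive until the helper is told otherwise. As the article goes on to note, a relay that rotates its identity key is seen as new by the directory authorities and loses its Guard status and bandwidth measurement, which is the expected cost of following the advice.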

Some operators did so and others still haven’t, and the latter are now being rejected by the directory authorities for the time being.

“Switching to a new relay identity key means that the relay is seen as new to the authorities again: They will lose their Guard status and bandwidth measurement,” Tor support coordinator and developer Lunar said Wednesday. “It seems that a number of operators followed the advice, as the network lost around 1 Gbit/s of advertised capacity between April 7th and April 10th.”

“On April 8th, [community member] grarpamp observed that more than 3000 relays had been restarted — hopefully to use the fixed version of OpenSSL. It is unknown how many of those relays have switched to a new key since. [Tor developer] Andrea Shepard has been working on a survey to identify them,” he said.

“What is known though are relays that are unfortunately still vulnerable. [Developer and maintainer of Tor Cloud] Sina Rabbani has set up a visible list for guards and exits. To protect Tor users, directory authority operators have started to reject descriptors for vulnerable relays.”

Dingledine attached to his post a list of the relay identity fingerprints he is rejecting on the moria1 directory authority, and said that he and the other authority operators should expand the list as they discover other relays coming online with vulnerable OpenSSL versions.
