Tor Blacklisting Exit Nodes Vulnerable To Heartbleed

msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."

Re:

[The123king]

He probably was/did

Re:So much for Net Neutrality.

[TechyImmigrant]

>It will cost billions to fix for the US and the taxpayers will foot the bill.

I haven't noticed the sky fall in yet. Maybe that information didn't need to be secret.

Re:

[cold fjord]

So you are saying your ignorance of the evidence convinces you of your position?

Apparently you aren't familiar with termites.

And even better, you apparently don't seem to have the imagination to see how knowledge of where and how surveillance systems operate could allow you to avoid them or mitigate against them? And you claim to be a system architect?

Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without

Re:

[oodaloop]

Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without people catching on?

Maybe old school subterfuge? Or are you arguing we need mass warrantless surveillance of American citizens in order to track Russain military units overseas?

Re:

[cold fjord]

Maybe you haven't noticed that Snowden leaked a LOT more material than just that. And that is assuming that the Russians don't have everything he had.

Re:

[TechyImmigrant]

And yet you haven't shown a single detrimental results from the Snowden leaks. Not one, unless you count the forced travel plans of Mr Snowden.

Re:So much for Net Neutrality.

[TechyImmigrant]

> the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks

They are choosing to spend the money, but they haven't demonstrated the damage.

I see many benefits. The security community and users have a better understanding of the risk landscape and have been changing their behavior as a result.

Re:

[cold fjord]

The only reason that they have the money to spend is because they made a case to Congress, demonstrated the damage, and had their appropriation increased to recover from the damage. They don't get to spend whatever money they want to "just because."

The "many benefits" you see are only the places you look in your narrow view. You aren't looking anywhere near the national security landscape, only the "security landscape" comprised of internet programmers and activists. You avert your eyes from the real dam

Re:

[TechyImmigrant]

Come back and say "I told you so" when we get invaded by an aggressor nation empowered to do so by the Snowden leaks.

Until then, all you are arguing is that embarrassment of the government constitutes damage to national security. That is purest, top quality bullshit.

Re:

[cold fjord]

Oh, I see, the only thing that counts is the gravest possible outcome that is also by far the least likely. Lesser outcomes that might kill people by the hundreds, thousand, or tens of thousands don't count? Outcomes that we could not influence that damage friends or allies due to being blinded don't count? Being put at a serious disadvantage to foreign adversaries doesn't count? It's just fine with you that Russia or China seizes territory from whatever other country they care to, and which but for pro

Re:

[TechyImmigrant]

You know how to push the fear with non specific threats and enemies. Do you do this professionally?

Re:

[cold fjord]

No, I don't. It wouldn't help if I did. Few people here are up to serious if casual fact based discussions on the matter let alone professional level ones. Fear isn't needed, only an open mind, rational thinking, and knowledge. Many of the threats are already known to various levels but people choose to ignore or disparage them because it suits their purposes, or they aren't up to a serious discussion.

Re:

[TechyImmigrant]

So name these threats with specificity and explain how the Snowden leaks enabled these threats.

Re:So much for Net Neutrality.

[drkstr1]

I guess you don't count the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks as detrimental. You'll be helping to pay for that since you live in the US. No doubt GCHQ will be paying some bills as well.

There has certainly been other fallout from that, but apparently we can count on you to never go looking for it.

Wait, that argument isn't logical. What is the government spending billions of dollars trying to repair some of the damage if there are no detrimental affects from the leaks (which you confirmed in your rebuttal)? Sounds to me like they are spending billions of dollars covering up the mess they themselves created. Maybe they should just stop doing that. Problem solved.

Re:

[cold fjord]

Your post is a tribute to misunderstanding (or trolling?) and bad moderation. There are detrimental effects from Snowden's leaks. I don't know how you think I said there wasn't.* It is entirely logical that they are spending money to repair the damage caused Snowden's leaks. The mess was caused by Snowden, and you are paying for the clean up. The US will be vulnerable for years or decades to come.

* Well, maybe I do know how you managed to achieve such a "misunderstanding" based on your sig: Fanboy ...

Re:

[oodaloop]

Of course. Let us not forget NSA lying to congress, engaging in corporate espionage, subverting crypto standards, spying on Senators, spying on foreign leaders, and monitoring and managing online discussions on technology websites like Slashdot. But I don't see how any of that would help us track conventional military units overseas.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[cold fjord]

It was my understanding that the "little green men" were simply Russian servicemen already stationed there ...

Putin admits Crimea involvement [cnbc.com]

No, as far as I know the only Russian ground combat forces stationed in Crimea prior tot he crisis were a regiment of marines, only about 2,000 men. The Russians moved in attack helicopters, airborne infantry, spetsnaz commando units, and possibly others.

Re:So much for Net Neutrality.

[treebeard77]

Russia & China got nothing from Snowden. His material is being carefully vetted by journalists and experts before any is released. Snowden, rightly, chose others to decide what was safe to be released and how/what to redact parts. Bruce Schneier is one helping them in their analysis. 6 members of congress had Schneier brief them on some of the material because the NSA wouldn't answer their questions.

Re:

[TheCarp]

> Russia & China got nothing from Snowden.

Do belly-laughs count? I bet they got a number of those.

> His material is being carefully vetted by journalists and experts before any is released

Of course, since russia, china, and several others players all have their own NSA and CIA-like entities, I would assume they have made attempts, and probably been successful by now, at obtaining the entire archive... or at least, what they didn't already have of it from their own operations pre-snowden.

With Mann

Re:

[cold fjord]

Russia & China got nothing from Snowden.

That is absolute bullshit on the face of it. As a minimum they have what is being published in every newspaper around the world, which isn't trivial, especially since they often pursue independent lines of stories. You wouldn't try to deny that would you? And that is assuming that they either don't have a source inside the papers that is a volunteer, a plant, or bought for a few million dollars. Who is vetting the people in the newspapers? I'm pretty sure they don't have Top Secret clearances. That al

Re:

[cold fjord]

Unfortunately for your argument the intelligence business does not operate according to the prescriptions of technical information theory. Secondary and alternate sources of information are important as part of judging the reliability of other sources, adding context, and evaluating it. Those sorts of considerations don't really apply in trying to move bits from here to there, do they? You also seem to be committing the common fallacy of assuming that the Russians and Chinese already knew everything that

Re:So much for Net Neutrality.

[TheCarp]

> It will cost billions to fix for the US and the taxpayers will foot the bill.

It already cost us billions, and it was always going to cost us billions more. Any suggestion they were not going to waste that money anyway is just laughable. They will spend as much as they can justify in their crusade against whatever bogeymen they can dream up.

Don't people encrypt over TOR anyway?

[Anonymous Coward]

I'm under the impression the higher-end folks are encrypting their traffic before the routing layer and anyone else is an idiot, is that about right?

Re:

[Anonymous Coward]

people using it for privacy/secret stuff = yes.

people using it simply as a proxy to avoid censorship = maybe not

Re:

[cryptizard]

That's not really the point though, since you can always encrypt traffic using TLS. The point of Tor is to hide the end point you are communicating with from someone who controls the network that your computer is on, like a decentralized VPN. You could always gather traffic on both ends (client side and end point/exit node, called an intersection attack), but it is very unlikely that one party will have control of two separate networks like that. With this attack, you don't actually need control of the o

Re:

[allo]

when the private key of your node is stolen, you cannot provide anonymity anymore. everyone will see, where the packet you are getting will be routed, because the client decides the nodes, not the network.

The only thing that may be leaked in addition...

[ControlFreal]

... to what Tor already leaks, is the previous hop from which the exit traffic came, and possibly meta data on other tunnels relayed by (but not terminated at) the node. If the relayed connection is SSL/TLS encrypted, that encryption is end-to-end from the original client to the server; sniffing some exit-node memory does not help you there. If the related connection is in the plain, then, well, then sniffing the exit node's memory does not tell you any more than you already knew by looking at its plain-text traffic.

Now, Heartbleed is not completely harmless here: You may, if you're very lucky, be able to sniff the previous node name, but as Tor tunnels are longer than that, that does not help you much. Plus, tunnels endpoints tend to change every couple of minutes, making the cross section even smaller. Also, you may now be in a position to sniff data from nodes whose ISP network you do not control, allowing you to do network-wide attacks. That may in fact be the biggest problem.

Re:The only thing that may be leaked in addition..

[cryptizard]

The point is that, if you know the IP address of the exit node, you can use the heartbleed bug to examine it's outgoing traffic even if you don't have control of the network the exit node is on. This makes intersection attacks much easier because you only need to have data from one end. If I control a network where I see some Tor users, all I have to do is use this exploit on exit nodes until I see outgoing traffic that matches the traffic I see on my own network. I can then link that data to clients on my network and Tor is defeated. This attack is always possible if you control both the client's network and the end point they are communicating with (or some piece of the network between the exit node and the end point), but with this attack you don't need to actually control any part of the network on the exit side because you can just query the exit nodes directly and they will tell you themselves.

Better yet

[Arancaytar]

It'd be neat if tor exit nodes enforced a complete no-plaintext policy (and the tor network, in turn, blacklisted exit nodes that didn't do this). Any plain http connection you try to tunnel through tor should be blocked as soon as it reaches the exit node, just as a precaution.

Re:

[cryptizard]

What does that have to do with anything? You could still learn the destination address, which is what Tor is trying to hide.

More attacks on Tor by the Republicans

[Anonymous Coward]

As they keep taking more and more nodes down with these policy changes, Tor becomes even slower and less reliable. These continued attacks will destroy Tor if we allow them to continue. We should fight against this attempt to shut-down nodes.