Tor Blacklisting Exit Nodes Vulnerable To Heartbleed
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."
Re: (Score:2)
Re:So much for Net Neutrality. (Score:4, Insightful)
>It will cost billions to fix for the US and the taxpayers will foot the bill.
I haven't noticed the sky fall in yet. Maybe that information didn't need to be secret.
Re: (Score:1)
So you are saying your ignorance of the evidence convinces you of your position?
Apparently you aren't familiar with termites.
And even better, you apparently don't seem to have the imagination to see how knowledge of where and how surveillance systems operate could allow you to avoid them or mitigate against them? And you claim to be a system architect?
Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without
Re: (Score:2)
Russia has just admitted that it really did move members of its armed forces into Crimea prior to the annexation. How do you think they managed that without people catching on?
Maybe old school subterfuge? Or are you arguing we need mass warrantless surveillance of American citizens in order to track Russian military units overseas?
Re: (Score:1)
Maybe you haven't noticed that Snowden leaked a LOT more material than just that. And that is assuming that the Russians don't have everything he had.
Re: (Score:2)
And yet you haven't shown a single detrimental result from the Snowden leaks. Not one, unless you count the forced travel plans of Mr Snowden.
Re:So much for Net Neutrality. (Score:4, Insightful)
> the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks
They are choosing to spend the money, but they haven't demonstrated the damage.
I see many benefits. The security community and users have a better understanding of the risk landscape and have been changing their behavior as a result.
Re: (Score:1)
The only reason that they have the money to spend is because they made a case to Congress, demonstrated the damage, and had their appropriation increased to recover from the damage. They don't get to spend whatever money they want to "just because."
The "many benefits" you see are only the places you look in your narrow view. You aren't looking anywhere near the national security landscape, only the "security landscape" comprised of internet programmers and activists. You avert your eyes from the real dam
Re: (Score:2)
Come back and say "I told you so" when we get invaded by an aggressor nation empowered to do so by the Snowden leaks.
Until then, all you are arguing is that embarrassment of the government constitutes damage to national security. That is purest, top quality bullshit.
Re: (Score:1)
Oh, I see, the only thing that counts is the gravest possible outcome that is also by far the least likely. Lesser outcomes that might kill people by the hundreds, thousands, or tens of thousands don't count? Outcomes that we could not influence that damage friends or allies due to being blinded don't count? Being put at a serious disadvantage to foreign adversaries doesn't count? It's just fine with you that Russia or China seizes territory from whatever other country they care to, and which but for pro
Re: (Score:2)
You know how to push the fear with non specific threats and enemies. Do you do this professionally?
Re: (Score:1)
No, I don't. It wouldn't help if I did. Few people here are up to serious if casual fact based discussions on the matter let alone professional level ones. Fear isn't needed, only an open mind, rational thinking, and knowledge. Many of the threats are already known to various levels but people choose to ignore or disparage them because it suits their purposes, or they aren't up to a serious discussion.
Re: (Score:2)
So name these threats with specificity and explain how the Snowden leaks enabled these threats.
Re:So much for Net Neutrality. (Score:4, Insightful)
I guess you don't count the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks as detrimental. You'll be helping to pay for that since you live in the US. No doubt GCHQ will be paying some bills as well.
There has certainly been other fallout from that, but apparently we can count on you to never go looking for it.
Wait, that argument isn't logical. Why is the government spending billions of dollars trying to repair some of the damage if there are no detrimental effects from the leaks (which you confirmed in your rebuttal)? Sounds to me like they are spending billions of dollars covering up the mess they themselves created. Maybe they should just stop doing that. Problem solved.
Re: (Score:1)
Your post is a tribute to misunderstanding (or trolling?) and bad moderation. There are detrimental effects from Snowden's leaks. I don't know how you think I said there wasn't.* It is entirely logical that they are spending money to repair the damage caused by Snowden's leaks. The mess was caused by Snowden, and you are paying for the clean up. The US will be vulnerable for years or decades to come.
* Well, maybe I do know how you managed to achieve such a "misunderstanding" based on your sig: Fanboy ...
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
It was my understanding that the "little green men" were simply Russian servicemen already stationed there ...
Putin admits Crimea involvement [cnbc.com]
No, as far as I know the only Russian ground combat forces stationed in Crimea prior to the crisis were a regiment of marines, only about 2,000 men. The Russians moved in attack helicopters, airborne infantry, spetsnaz commando units, and possibly others.
Re:So much for Net Neutrality. (Score:5, Informative)
Re: (Score:2)
> Russia & China got nothing from Snowden.
Do belly-laughs count? I bet they got a number of those.
> His material is being carefully vetted by journalists and experts before any is released
Of course, since Russia, China, and several other players all have their own NSA and CIA-like entities, I would assume they have made attempts, and probably been successful by now, at obtaining the entire archive... or at least, what they didn't already have of it from their own operations pre-Snowden.
With Mann
Re: (Score:1)
Russia & China got nothing from Snowden.
That is absolute bullshit on the face of it. As a minimum they have what is being published in every newspaper around the world, which isn't trivial, especially since they often pursue independent lines of stories. You wouldn't try to deny that would you? And that is assuming that they either don't have a source inside the papers that is a volunteer, a plant, or bought for a few million dollars. Who is vetting the people in the newspapers? I'm pretty sure they don't have Top Secret clearances. That al
Re: (Score:1)
Unfortunately for your argument the intelligence business does not operate according to the prescriptions of technical information theory. Secondary and alternate sources of information are important as part of judging the reliability of other sources, adding context, and evaluating it. Those sorts of considerations don't really apply in trying to move bits from here to there, do they? You also seem to be committing the common fallacy of assuming that the Russians and Chinese already knew everything that
Re:So much for Net Neutrality. (Score:4, Insightful)
> It will cost billions to fix for the US and the taxpayers will foot the bill.
It already cost us billions, and it was always going to cost us billions more. Any suggestion they were not going to waste that money anyway is just laughable. They will spend as much as they can justify in their crusade against whatever bogeymen they can dream up.
Don't people encrypt over TOR anyway? (Score:1)
I'm under the impression the higher-end folks are encrypting their traffic before the routing layer and anyone else is an idiot, is that about right?
Re: (Score:1)
people using it for privacy/secret stuff = yes.
people using it simply as a proxy to avoid censorship = maybe not
Re: (Score:3)
Re: (Score:2)
When the private key of your node is stolen, you cannot provide anonymity anymore. Everyone will see where the packet you are getting will be routed, because the client decides the nodes, not the network.
The only thing that may be leaked in addition... (Score:5, Informative)
... to what Tor already leaks, is the previous hop from which the exit traffic came, and possibly meta data on other tunnels relayed by (but not terminated at) the node. If the relayed connection is SSL/TLS encrypted, that encryption is end-to-end from the original client to the server; sniffing some exit-node memory does not help you there. If the related connection is in the plain, then, well, then sniffing the exit node's memory does not tell you any more than you already knew by looking at its plain-text traffic.
Now, Heartbleed is not completely harmless here: You may, if you're very lucky, be able to sniff the previous node name, but as Tor tunnels are longer than that, that does not help you much. Plus, tunnel endpoints tend to change every couple of minutes, making the cross section even smaller. Also, you may now be in a position to sniff data from nodes whose ISP network you do not control, allowing you to do network-wide attacks. That may in fact be the biggest problem.
Re:The only thing that may be leaked in addition.. (Score:5, Informative)
Better yet (Score:2)
It'd be neat if tor exit nodes enforced a complete no-plaintext policy (and the tor network, in turn, blacklisted exit nodes that didn't do this). Any plain http connection you try to tunnel through tor should be blocked as soon as it reaches the exit node, just as a precaution.
Re: (Score:2)
More attacks on Tor by the Republicans (Score:1)
As they keep taking more and more nodes down with these policy changes, Tor becomes even slower and less reliable. These continued attacks will destroy Tor if we allow them to continue. We should fight against this attempt to shut down nodes.