[tor-relays] Bridge Operators - Heartbleed, Heartwarming, and Increased Help

Matthew Finkel matthew.finkel at gmail.com
Wed Apr 23 06:32:15 UTC 2014


Hi All,

Below is an email we sent last week to almost all of the bridge
operators who provided contact information for their bridge(s). For
those operators we missed and for those we couldn't contact, this
hopefully provides some useful information.

All the best,
Matt

-----------------------------------------------------------------------

Hi Tor Bridge Relay Operator!

Unfortunately this email must begin with bad news, but it gets better.

Due to the recent Heartbleed OpenSSL vulnerability that was disclosed
earlier this week, we are reaching out to you to ask that you install
an updated version of OpenSSL. The vulnerability has the potential to
decrease the security of your bridge as well as the anonymity of any
user connecting to your bridge. As a result of this, we also ask that
you generate a new identity key due to the possibility that your
current one was leaked. 

The process to upgrade your version of OpenSSL depends greatly on
your operating system. Please ensure you are using a version that was
released within the past four days; see the Heartbleed website[0] for
more details on the vulnerability and for which versions are affected.
Please do this before you regenerate your identity key.

When this is done, you will need to restart Tor. At this point you can
ask us to retest your bridge to confirm that it is not vulnerable
anymore.

Next, to regenerate your identity key simply stop Tor and delete the
current key. This is done by opening Tor's Data directory and removing
the contents in the keys/ directory. Tor's Data directory is located at
/var/lib/tor, by default. Let us know if you have trouble locating it.
When this is complete, start Tor and it will automatically create a new
identity for you.

See the recent blog post for many more details:
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

Now that the bad news was said, we want to take this opportunity to
thank you, from the bottom of our hearts, for volunteering to run
a bridge relay. We know we do not say it often, but it is really
appreciated! Please let us know if you have any questions, concerns, or
suggestions, especially related to how we communicate with you and how
bridge relay operators can be more involved.

Lastly, if you are not already running the obfsproxy pluggable
transport[1] (i.e. obfs3) on your bridge, please follow the Debian
instructions[2] (for a Debian-based system) on the website and install
it. Your bridge is a great contribution to the Tor network; however, as
censorship on the internet increases around the world, users are forced
to use a pluggable transport. Tor does not understand how to
communicate with them by default, though. Therefore we are asking that
all bridge operators install obfsproxy and help as many users as
possible.

In addition, also consider subscribing to the tor-relays mailing
list[3], if you are not already; we will be posting instructions on how
to maximize the contribution of your bridge on that list every now and
then.

[0] http://heartbleed.com
[1] https://www.torproject.org/docs/pluggable-transports.html.en
[2] https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en#instructions
[3] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Again, thank you for running a bridge relay and sorry for the bad news.

Let us know if you have any questions or if you have any suggestions.

All the best,
Matt
The Tor Project
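
The upgrade check and identity key reset described in the email above, as
an added shell example that is not part of the original message. The
function names are hypothetical, the affected version range is the one
published for CVE-2014-0160 rather than anything stated in the email, and
secret_id_key is assumed to be the identity key file in keys/.

```shell
#!/bin/sh
# Added example, not part of the original email.

# Print the version field of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_upstream_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Return 0 if an upstream version string is in the range published for
# CVE-2014-0160 (1.0.1 through 1.0.1f, 1.0.2-beta, 1.0.2-beta1).
# Distribution packages can carry the fix under an older version string,
# so a match means "confirm against the vendor's package changelog".
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove the contents of <datadir>/keys so Tor creates a new identity on
# its next start. Stop Tor before calling this. Refuses to run unless the
# directory holds secret_id_key, to avoid emptying the wrong directory.
rotate_bridge_keys() {
    keys="$1/keys"
    if [ ! -f "$keys/secret_id_key" ]; then
        echo "no identity key under $keys; nothing removed" >&2
        return 1
    fi
    find "$keys" -mindepth 1 -delete
}

# Typical order on the bridge host (run as root, after the package upgrade):
#   v=$(openssl_upstream_version "$(openssl version)")
#   heartbleed_affected "$v" && echo "OpenSSL $v: still in affected range"
#   ... stop Tor, then: rotate_bridge_keys /var/lib/tor ... start Tor
```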

