[tor-talk] IMPORTANT: Heartbleed vulnerability impact on Hidden Service experiment

s7r at sky-ip.org s7r at sky-ip.org
Sat Apr 12 09:16:18 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

After seeing the challenge done by CloudFlare, to setup a server open
to the internet with that vulnerable OpenSSL version so everyone could
try and get its private keys (to see if it's actually possible), after
speaking earlier with people in #tor IRC channel, we think it's a good
way to find out for sure if the Hidden Services could have been
compromised or not. And if yes, make a more serious and visible banner
to notify them. Because so far nobody has changed the Hidden Service
address, from all the Hidden Services I am using.

I don't want them to be exposed to risks and when something happens,
yet another thing which will be blamed on Tor.

So, to developers and special reference to arma, proposition:
- -- Can we setup a Tor circuit, separate from the Tor network, or
within it if it's better this way (if we can choose all the relays in
a circuit via torrc), a circuit in which all the relays are running
the vulnerable version of OpenSSL with heartbeats enabled?

I have a server and offer it to be the Hidden Service and everyone can
test and exploit the heartbleed vulnerability and prove if they
managed to get the private key.

If you think the experiment is worth it email me directly and let me
know what do i have to do. I am sure many others will join.


s7r
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBCAAGBQJTSQRiAAoJEIN/pSyBJlsRqe4H/3JB7136euT/3tQLJqMjHqZS
OKyptAUFg6ZnOqGeOnacAqxz79XfNYXDDV8Bxh2erWpVvAIxQjzJFatKtUdjzGBG
UKHQyNuDRifbaOSAoFcf93hfWvS387I3YMAhHWR5+yQjcucGpcECh8gmlOJNnsZD
Zt1U1MjzQJfY6t9J5PXMvNDIYXhYE2DYtAmVXRDDNYKssX18Cc/qDid1s1t5OjGr
wnWWK6lnZ64VJx+U8wsYutLYVUzrXOyp+POK6j8rM22vJlbrdbtGRGscCyaUGVTi
L+cvFodxn16mL+x+7AjVa1ReHxu0KYXW+3l94Kil9qu2LiW0sPTG358zIOTb1as=
=zrv8
-----END PGP SIGNATURE-----


More information about the tor-talk mailing list