Tor Blacklisting Exit Nodes Vulnerable To Heartbleed
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed where he was able to retrieve plaintext user traffic. Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear."
>It will cost billions to fix for the US and the taxpayers will foot the bill.
I haven't noticed the sky fall in yet. Maybe that information didn't need to be secret.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
... to what Tor already leaks, is the previous hop from which the exit traffic came, and possibly meta data on other tunnels relayed by (but not terminated at) the node. If the relayed connection is SSL/TLS encrypted, that encryption is end-to-end from the original client to the server; sniffing some exit-node memory does not help you there. If the related connection is in the plain, then, well, then sniffing the exit node's memory does not tell you any more than you already knew by looking at its plain-text traffic.
Now, Heartbleed is not completely harmless here: you may, if you're very lucky, be able to sniff the previous node name, but as Tor tunnels are longer than that, that does not help you much. Plus, tunnel endpoints tend to change every couple of minutes, making the cross section even smaller. Also, you may now be in a position to sniff data from nodes whose ISP network you do not control, allowing you to do network-wide attacks. That may in fact be the biggest problem.
Support a Europe-related section on Slashdot!
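The memory over-read this post is talking about, as an added example (not code from the thread or from OpenSSL): a simplified heartbeat responder that keeps the unchecked length behind Heartbleed, beside the corrected one, run against a constructed block of "process memory" so the leak is deterministic. The record layout is the RFC 6520 shape; the memory contents and the `USER TRAFFIC` marker are constructed stand-ins.

```c
#include <stdint.h>
#include <string.h>
/* Simplified TLS heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding(>=16). Added illustration, not OpenSSL's source: the first responder
 * keeps the unchecked length behind Heartbleed, the second adds the check that closed it. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
static size_t build_echo(const uint8_t *rec, size_t plen, uint8_t *out) {
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);          /* copies plen bytes starting at the payload */
    memset(out + 3 + plen, 0, HB_PADDING);
    return 3 + plen + HB_PADDING;
}
/* Vulnerable: plen is peer-controlled and never compared with rec_len, so the echo
 * carries whatever sat in memory after a short record. */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    if (3 + plen + HB_PADDING > out_cap) return 0;   /* only the output buffer is sized */
    return build_echo(rec, plen, out);
}
/* Fixed: a record whose declared payload plus padding exceeds what was received is dropped. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    if (3 + plen + HB_PADDING > rec_len) return 0;   /* the check Heartbleed lacked */
    if (3 + plen + HB_PADDING > out_cap) return 0;
    return build_echo(rec, plen, out);
}
/* Constructed process memory: a 7-byte request claiming a 32-byte payload, followed by
 * bytes standing in for plaintext the relay happened to hold. Only 7 bytes were received. */
static const uint8_t g_memory[64] = { HB_REQUEST, 0x00, 0x20, 'p', 'i', 'n', 'g',
    'U','S','E','R',' ','T','R','A','F','F','I','C',' ','I','N',' ','C','L','E','A','R' };
static const size_t g_received = 7;

/* 1 if the responder echoes the stand-in plaintext beyond the received record, else 0. */
int leaks_adjacent_memory(size_t (*responder)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t out[64];
    size_t n = responder(g_memory, g_received, out, sizeof out);
    return n >= 7 + 12 && memcmp(out + 7, "USER TRAFFIC", 12) == 0;
}

/* A well-formed 23-byte request ("ping" + 16 zero bytes of padding) still gets a 23-byte reply. */
size_t fixed_echo_len_for_valid_record(void) {
    uint8_t rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' }, out[64];
    return hb_respond_fixed(rec, sizeof rec, out, sizeof out);
}
```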
Russia & China got nothing from Snowden. His material is being carefully vetted by journalists and experts before any is released. Snowden, rightly, chose others to decide what was safe to be released and how/what to redact parts. Bruce Schneier is one helping them in their analysis. 6 members of congress had Schneier brief them on some of the material because the NSA wouldn't answer their questions.
The point is that, if you know the IP address of the exit node, you can use the heartbleed bug to examine its outgoing traffic even if you don't have control of the network the exit node is on. This makes intersection attacks much easier because you only need to have data from one end. If I control a network where I see some Tor users, all I have to do is use this exploit on exit nodes until I see outgoing traffic that matches the traffic I see on my own network. I can then link that data to clients on my network and Tor is defeated. This attack is always possible if you control both the client's network and the end point they are communicating with (or some piece of the network between the exit node and the end point), but with this attack you don't need to actually control any part of the network on the exit side because you can just query the exit nodes directly and they will tell you themselves.
That's not really the point though, since you can always encrypt traffic using TLS. The point of Tor is to hide the end point you are communicating with from someone who controls the network that your computer is on, like a decentralized VPN. You could always gather traffic on both ends (client side and end point/exit node, called an intersection attack), but it is very unlikely that one party will have control of two separate networks like that. With this attack, you don't actually need control of the other end since you can just query the exit nodes directly and they will leak traffic information to you.
> the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks
They are choosing to spend the money, but they haven't demonstrated the damage.
I see many benefits. The security community and users have a better understanding of the risk landscape and have been changing their behavior as a result.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I guess you don't count the fact that the US Federal government is spending billions of dollars to try to repair some of the damage from Snowden's theft and leaks as detrimental. You'll be helping to pay for that since you live in the US. No doubt GCHQ will be paying some bills as well.
There has certainly been other fallout from that, but apparently we can count on you to never go looking for it.
Wait, that argument isn't logical. Why is the government spending billions of dollars trying to repair some of the damage if there are no detrimental effects from the leaks (which you confirmed in your rebuttal)? Sounds to me like they are spending billions of dollars covering up the mess they themselves created. Maybe they should just stop doing that. Problem solved.
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
> It will cost billions to fix for the US and the taxpayers will foot the bill.
It already cost us billions, and it was always going to cost us billions more. Any suggestion they were not going to waste that money anyway is just laughable. They will spend as much as they can justify in their crusade against whatever bogeymen they can dream up.
"I opened my eyes, and everything went dark again"