Anonymity-based web service Tor may have to pull back capacity due to Heartbleed bug
The anonymity-enabling networking service Tor may have to shutter an eighth of its operating capacity thanks to the Heartbleed security vulnerability.
Tor, which allows secure access to the internet through user anonymity, is made possible through a network of donated servers that exchange encrypted data amongst each other before returning through an “exit node,” or the server that is connected back to the internet. The goal is to obscure just where traffic is moving, in order to evade any observers.
Some Tor nodes are operating on servers using OpenSSL versions, the popular encryption software attacked by the Heartbleed bug. One could use the Heartbleed flaw to ascertain Tor information, compromising the network’s security, the Guardian wrote.
Roger Dingledine, an original developer of Tor, has suggested that nodes running unpatched, still-vulnerable versions of OpenSSL should be banished from the network.
"If the other directory authority operators follow suit, we'll lose about 12% of the exit capacity and 12% of the guard capacity," Dingledine wrote on the software's mailing list.
OpenSSL could allow the servers back once they were upgraded to protect against Heartbleed’s vulnerabilities, but "if they were still vulnerable as of [Tuesday], I really don't want this identity key on the Tor network even after they've upgraded their OpenSSL,” Dingledine wrote.
Early last week, the open-source OpenSSL project released an emergency security advisory warning of Heartbleed – a bug that pulls in private keys to a server using vulnerable software, allowing operators to suck in data traffic and even impersonate the server. Heartbleed was first noticed by a Google researcher and Codenomicon, a Finnish security firm.
On Wednesday, a 19-year-old Canadian man became the first person arrested in relation to Heartbleed. Stephen Arthuro Solis-Reyes is accused of exploiting the vulnerability to steal around 900 Social Insurance Numbers from the Canadian Revenue Agency’s website late last week.