Tor Project infrastructure updates
You should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha:
https://www.torproject.org/easy-download.html.en
In early January we discovered that two of the seven servers that run directory
authorities were compromised (moria1 and gabelmoo), along with
metrics.torproject.org, a new server we'd recently set up to serve
metrics data and graphs. The three servers have since been reinstalled
with service migrated to other servers.
We made fresh identity keys for the two directory authorities, which is
why you need to upgrade.
Moria also hosted our git repository and svn repository. We took the
services offline as soon as we learned of the breach. It appears the
attackers didn't realize what they broke into -- just that they had
found some servers with lots of bandwidth. The attackers set up some ssh
keys and proceeded to use the three servers for launching other attacks.
We've done some preliminary comparisons, and it looks like git and svn
were not touched in any way.
We've been very lucky the past few years regarding security. It still
seems this breach is unrelated to Tor itself. To be clear, it doesn't
seem that anyone specifically attacked our servers to get at Tor. It
seems we were attacked for the cpu capacity and bandwidth of the servers,
and the servers just happened to also carry out functions for Tor.
We've tried to address the most common questions below.
I read that Tor's encryption keys were compromised, is this true?
No. The operating systems were compromised, not Tor. The Tor source and the
running Tor directory authorities were left untouched. It appears the
attackers didn't realize what they broke into -- just that they had
found some servers with lots of bandwidth. We've generated new directory
authority keys out of an abundance of caution.
Does this mean someone could have matched users up to their
destinations?
No. By design, Tor requires a majority of directory authorities (four
in this case) to generate a consensus. And like other relays in the
Tor network, directory authorities don't know enough to match a user
with their traffic or destination.
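The majority rule and the re-keying described in this post, as an added example that is not part of the original post and is not Tor's own code. It assumes the worst case the new keys guard against (the two old identity keys being exposed), uses HMAC-SHA256 as a stand-in for the authorities' public-key signatures, and uses constructed key material and a constructed set of five signers.

```python
import hashlib
import hmac

AUTHORITIES = ["moria1", "tor26", "dizum", "ides", "gabelmoo", "dannenberg", "urras"]
ROTATED = {"moria1", "gabelmoo"}  # re-keyed after the breach, per the post


def make_key(name, generation):
    # Constructed sample key material; a real authority holds a private signing key.
    return hashlib.sha256(f"{name}/gen{generation}".encode()).digest()


def sign(key, document):
    # Assumption: HMAC-SHA256 stands in for the authority's public-key signature.
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def trust_list(upgraded):
    """Keys a client ships with: only an upgraded client knows the fresh keys."""
    return {n: make_key(n, 2 if upgraded and n in ROTATED else 1) for n in AUTHORITIES}


def accept_consensus(document, signatures, trusted):
    """Accept only if a majority of the trusted authorities signed validly."""
    needed = len(trusted) // 2 + 1  # four of seven
    valid = sum(
        1 for name, sig in signatures.items()
        if name in trusted and hmac.compare_digest(sig, sign(trusted[name], document))
    )
    return valid >= needed, valid


def run_demo():
    old_client, new_client = trust_list(False), trust_list(True)
    # Worst case: a forged document signed with the two pre-rotation keys.
    forged = b"forged consensus"
    forged_sigs = {n: sign(make_key(n, 1), forged) for n in ROTATED}
    # Genuine document signed by five authorities, two of them with fresh keys.
    genuine = b"genuine consensus"
    signers = ["moria1", "gabelmoo", "tor26", "dizum", "ides"]
    genuine_sigs = {n: sign(new_client[n], genuine) for n in signers}
    return {
        "forged/old": accept_consensus(forged, forged_sigs, old_client),
        "forged/new": accept_consensus(forged, forged_sigs, new_client),
        "genuine/old": accept_consensus(genuine, genuine_sigs, old_client),
        "genuine/new": accept_consensus(genuine, genuine_sigs, new_client),
    }
```

Two keys never reach the threshold of four, and a client that has not upgraded cannot count the two re-keyed authorities toward a genuine consensus, which is the reason for the upgrade advice.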
Does this mean somebody could have changed the Tor source?
No, we've checked the source. It does mean you should upgrade so your
client knows about all the currently valid directory authorities.
Does this mean someone could have learned more about Tor than an
ordinary user?
Since our software and specifications are open, everyone already has
access to almost everything on these machines... except some old bridge
descriptors, which we give out only in small batches as entry points for
blocked clients.
Can I trust Tor's security?
We've taken steps to fix the weaknesses identified and to harden our
systems further. Tor has a track record of openness and transparency,
with its source code and specifications and also with its operations.
Moreover, we're disclosing breaches such as this so you can monitor our
status. You shouldn't assume those who don't disclose security breaches
never have any!
Comments
Please note that the comment area below has been archived.
As of this posting, the link at the top has the 1.3.0 version of the Browser Bundle (which still has the 0.2.1.21 release of Tor)
What can TBB users do?
You can wait, new tbb is coming today.
Hmmm i noticed that torchat isn't connecting anymore for more than 24 hours now...
Maybe this could be in relationship with your message?
re torchat still not connecting. It is true here too,
Note this line from torchat's torcc file:
## the following is a dirty workaround for the 15 minutes problem:
## hidden service descriptors are cached 15 minutes, so after
## a restart of tor we are not reachable for 15 minutes.
## Using always the same introduction points makes even old
## and stale descriptors still work. I am still searching
## for a better solution.
HiddenServiceNodes moria1,moria2,tor26
At least 2 of the 3 hidden service node above were compromised.
Are there new names for these servers and do they need to replace the 3 shown above? If so, where are these server names to be found?
PS The captchas required to post here are VERY difficult for a human to read. Please use something that is more legible and human friendly
Hi guys!
This error appears every time since update. What's wrong? Does someone have the same problem?
Jan 23 13:01:33.166 [Notice] Tor v0.2.2.7-alpha (git-.......). This is experimental software. Do not rely on it for strong anonymity. (Running on Darwin i386)
Jan 23 13:01:33.167 [Notice] Initialized libevent version 1.4.13-stable using method kqueue. Good.
Jan 23 13:01:33.168 [Notice] Opening Socks listener on 127.0.0.1:9050
Jan 23 13:01:33.168 [Notice] Opening Control listener on 127.0.0.1:9051
Jan 23 13:01:35.206 [Notice] Bootstrapped 10%: Finishing handshake with directory server.
Jan 23 13:01:35.328 [Warning] TLS error: unexpected close while renegotiating (SSL_ST_OK)
Jan 23 13:01:35.340 [Notice] No current certificate known for authority moria1; launching request.
Jan 23 13:01:35.340 [Notice] No current certificate known for authority tor26; launching request.
Jan 23 13:01:35.341 [Notice] No current certificate known for authority dizum; launching request.
Jan 23 13:01:35.341 [Notice] No current certificate known for authority ides; launching request.
Jan 23 13:01:35.341 [Notice] No current certificate known for authority gabelmoo; launching request.
Jan 23 13:01:35.342 [Notice] No current certificate known for authority dannenberg; launching request.
Jan 23 13:01:35.342 [Notice] No current certificate known for authority urras; launching request.
Jan 23 13:01:35.487 [Warning] TLS error: unexpected close while renegotiating (SSL_ST_OK)
Jan 23 13:01:36.042 [Warning] TLS error: unexpected close while renegotiating (SSL_ST_OK)
Jan 23 13:01:36.184 [Warning] TLS error: unexpected close while renegotiating (SSL_ST_OK)
Jan 23 13:02:36.193 [Notice] No current certificate known for authority moria1; launching request.
Jan 23 13:02:36.226 [Notice] No current certificate known for authority tor26; launching request.
Jan 23 13:02:36.227 [Notice] No current certificate known for authority dizum; launching request.
Jan 23 13:02:36.227 [Notice] No current certificate known for authority ides; launching request.
Jan 23 13:02:36.228 [Notice] No current certificate known for authority gabelmoo; launching request.
Jan 23 13:02:36.228 [Notice] No current certificate known for authority dannenberg; launching request.
Jan 23 13:02:36.229 [Notice] No current certificate known for authority urras; launching request.
Jan 23 13:02:36.331 [Warning] TLS error: unexpected close while renegotiating (SSL_ST_OK)
Jan 23 13:02:36.384 [Warning] TLS error: unexpected close while renegotiating (SSL_ST_OK)
If you could help me, that would be great. :-) Thanks guys!
Yes, we know, https://bugs.torproject.org/flyspray/index.php?do=details&id=1225
and http://archives.seul.org/or/talk/Jan-2010/msg00157.html
Apple updated OS X and broke ssl.
well, I wouldn't say exactly that they 'broke' it...the fact is rather that the ssl protocol is broken.
Btw that captcha is f*ing unreadable
thank you for posting. please do more good article. i like it so much. I will always follow it.
After reading the bug reports I just wanted to add that this issue is not restricted to Snow Leopard (10.6). I experience it on Leopard 10.5.8 as well after application of Apple's latest security Update 2010-001.
I also use OS X Snow Leopard 10.6.2 and I must say, I have the same problem.
I get these error messages every time, whether I start Vidalia (TOR)
TLS error: unexpected close while renegotiating
Hope it comes a solution quickly. I don't know what I could do
It seems to come and go for me. Traffic-based?
My Torchat is essentially now broken by the recent changes to Tor. Upgrading to 19 Jan 2010 ver of Tor allows user to connect to himself but rarely with any others users even if they have upgraded to new Tor too.
Torchat uses Tor hidden services to communicate with others; something must still be broken in that respect.
PS Tor for surfing in FireFox works fine.
Any other clients that use Tor hidden services affected by these changes to Tor?
Tor/Firefox is fine. Torchat remains broken despite attempts to insert updated tor.exe and/or tor.resolve. Quite unfortunate. Torchat was an excellent resource. I suspect commie hackers are to blame, but that's just me.
I am using MacOSX Snow Leopard 10.6. I updated to intelMac Tor Bundle 0.2.1.22 as advised. I now find I cannot access the Tor Network. The following messages (repeating) appear in the log:
Warning: TLS error: unexpected close while negotiating
Notice: No current certificate known for authority moria1
Same notice for authorities: moria1, tor26, ides, gabelmoo, dannenberg, urras.
I wish to use the previous bundle (0.2.1.19 for intelMac and PPC)
of Tor. I would be grateful if someone could give me the address where previous versions of Tor bundles can be downloaded.
Thank you in advance.
Still broken :(
I'm getting the same "TLS" errors. I was also using an older version of Vidalia and just updated to the latest version to see if it would fix it, but no.
So is it just Intel-Mac users with Snow Leopard having problems? I have ver. 10.6.2
This sucks, Tor was working great a few days ago : (
Fucking hackers - find them and cut off their balls!
BTW, I realize the hackers had nothing to do with why Tor isn't working on Macs at the moment; I was just saying they were assholes. I realize Apple's latest security update screwed it up. Didn't want to be misread..
To fix you need to replace the tor.exe and tor-resolve.exe in your TORchat folder.
DL the latest TOR package and install what you need (min is TOR), then copy the new tor.exe (2110kb) and tor-resolve exe (118kb) into your TORchat bin/tor folder.
Start torchat and off you go.
or it did for me
As noted in previous posting, I did exactly this with no improvement in Torchat performance. Torchat is running as I write this. The system has resolved only myself and one other user. It is as though at least half of the previous relays have been taken off-line. Perhaps someone can send an email to the Torchat developer and request a Torchat update to fix all issues. Would be much appreciated.
See fault report filed at torchat homepage: http://code.google.com/p/torchat/issues/detail?id=54 ----- And also see issue 53 there too, ---- Unfortunately, the developer of torchat has not released any fixes or improvements in a very long time. Too bad as it conceptually is an excellent software. ---- I suspect that if there are any other clients which use tor Hidden Services that they are affected too, Maybe somebody could report such clients here? ----Maybe this is not a torchat problem but a tor problem?
Previous torchat folder did not contain a tor-resolve.exe. It contained only the tor.exe. On first attempt to fix, I did import the new tor-resolve.exe into torchat and it had no effect over two days of testing. So I removed it, leaving just the updated tor.exe. I am able to see myself and (rarely) two other users of torchat only. The system is still crippled.
Yes, torchat is still crippled as described above. ---
And this is true whether you are using the win or linux version. Replacing a previous tor version (and tor resolve if it is present, ie, win torchat portable) does NOT solve the problem. Clients who replace the relevant file(s) might be able to connect to each other for a short while but this restored facility quickly disappears and they are unable to connect to each other again. --- Tellingly, after the tor file update, a user CAN reliably connect every time to herself, but NOT to any other torchat user ----
We surmise this is a Hidden Services fault in tor. Why? Identifiers, keys or what ever else it might be is beyond our ken. One thing is for sure: this problem did not exist in torchat before the hack attacks and subsequent modifications to tor of Jan 2010.
hmmm it takes some time, but i can connect to other TC users with updated tor.exe.. and chatting for many hours.
running Linux or windows torchat? Please give details. Have tried it with both to no benefit. Of course it should not take hours to make connexion; it never did before Jan of 2010. This suggests recent necessary security changes to tor itself have inadvertently created this torchat problem.
I am running Windows XP.
One day it is working pretty good and i can chat for a long time, the other day tc needs almost an hour to connect to others.. The question is: what's the fuckin reason for that????
torchat is fine but you have to get the new tor files. easiest: get the new tor
browser bundle and install it (just overwrite is fine, but backup if you like). then
get the /Tor Browser/App/tor.exe and tor-resolve.exe (new file with this release) and
overwrite/add them to torchat /bin/Tor directory. as long as you come on line within
a few minutes you're connected, though other people may be offline.
Torchat is still broken. even with the newest tor files. It takes days to connect with other torchat users even though we are all online 24/7. I can reliably connect to 'myself' very quickly but that's all.
==>Is this a problem with Rendezvous Server related code?
hey, i have tor, but i don't know how to use the torchat, can anyone tell me how?
TorChat is still broken. When is there going to be an update?
We don't develop torchat. You should ask the torchat developers this question.
i have two copies of torchat running on the same computer in client mode. they both turn "green" and connect to the outside with tor 0.2.1.22
and the two accounts won't talk to one another. both sees the other as offline.
i guess the torchat developers are MIA.
if someone could explain to me conceptually what is the problem then i would be happy to fix the torchat code.
Just started as a relay. To check if it is working, should I be able to see myself on Tor Network Map..ie on the relay list?
Is it me, or is Torchat not working with this update?
broken for me too