Critical security alert issued for Tor

Summary:If you use Tor for anonymity/privacy on the Web, you might want to pay attention to this critical security announcement from project leader Roger Dingledine.According to the advisory, a known vulnerability in the Debian GNU/Linux distribution's OpenSSL package could allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library.

Critical security alert issue for Tor
If you use Tor for anonymity/privacy on the Web, you might want to pay attention to this critical security announcement from project leader Roger Dingledine.

According to the advisory, a known vulnerability in the Debian GNU/Linux distribution's OpenSSL package could allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Because Tor uses OpenSSL, all private keys generated by affected versions of OpenSSL must be considered to be compromised.

The skinny:

Due to a bug in Debian's modified version of OpenSSL 0.9.8, all generated keys (and other cryptographic material!) have a stunningly small amount of entropy. This flaw means that brute force attacks which are very hard against the unmodified OpenSSL library (e.g. breaking RSA keys) are very practical against these keys.

While we believe the v2 authority keys (used in Tor 0.1.2.x) were generated correctly, at least three of the six v3 authority keys (used in Tor 0.2.0.x) are known to be weak. This fraction is uncomfortably close to the majority vote needed to create a networkstatus consensus, so the Tor 0.2.0.26-rc release changes these three affected keys.

[ SEE: Hacker builds tracking system to nab Tor pedophiles ]

The alert applies to Tor 0.2.0.x and/or any Debian/Ubuntu/related system running any Tor version.

Dingledine warned that a  local attacker or malicious directory cache may be able to trick a client running 0.2.0.x into believing a false directory consensus, causing the client to create a path wholly owned by the attacker.

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.