Another OpenSSL Vulnerability Affecting Tor Users

Today an announcement enlightened us to yet more vulnerabilities in the widely used OpenSSL software.

One in particular is not quite as lethal as Heartbleed, but still puts Tor users' anonymity at risk.

The vulnerability has been named the “EarlyCCS” attack, but will probably get less media attention than Heartbleed due to its name not being nearly as terrifying.

As seen on the Tor Project website, below is an overview of how the vulnerability can be exploited:

The impact on Tor is that an adversary in the position to run a MITM attack on a Tor client or relay could cause a TLS connection to be negotiated without real encryption or authentication.

This attack is possible if the connection initiator (client or relay) is running an unpatched OpenSSL, and if the relay is running an unpatched OpenSSL 1.0.1. If either party has upgraded, or if the relay is running a version before 1.0.1, the attack fails.

The circuit-layer crypto (which happens under the TLS layer) should still provide significant protection for user communications over Tor. But a MITM attack of this kind could still help traffic analysis, and likely other unexpected badness as well.

OpenSSL has released fixes for all of the discovered defects and lists the vulnerable versions (and patches) on its website.

This of course means that everyone is now being urged to upgrade their Tor browser bundle as soon as an update becomes available (which we have been told will be very soon).

If you are using Tor through an operating system bundle, you will also need to install the vendor updates as soon as they become available.

If you are looking for a more detailed explanation of the bug, see this post by Adam Langley.

People must also be aware that this bug does not just affect Tor users, but any applications or websites that use OpenSSL software. If the patches are applied promptly, all of these risks can be mitigated quickly and easily.



