Today an announcement on www.openssl.org disclosed yet more vulnerabilities in the widely used software.
One in particular is not quite as lethal as Heartbleed, but still puts Tor users’ anonymity at risk.
The vulnerability has been named the “EarlyCCS” attack, but it will probably get less media attention than Heartbleed because its name is not nearly as terrifying.
The Tor Project website gives the following overview of how the vulnerability can be exploited:
The impact on Tor is that an adversary in the position to run a MITM attack on a Tor client or relay could cause a TLS connection to be negotiated without real encryption or authentication.
This attack is possible if the connection initiator (client or relay) is running an unpatched OpenSSL, and if the relay is running an unpatched OpenSSL 1.0.1. If either party has upgraded, or if the relay is running a version before 1.0.1, the attack fails.
The circuit-layer crypto (which happens under the TLS layer) should still provide significant protection for user communications over Tor. But a MITM attack of this kind could still help traffic analysis, and likely other unexpected badness as well.
OpenSSL has released fixes for all of the discovered defects and lists the vulnerable versions (and patches) on its website.
This of course means that everyone is now being urged to upgrade their Tor browser bundle as soon as an update becomes available (which we have been told will be very soon).
If you are using Tor through an operating system bundle, you will also need to install the vendor updates as soon as they become available.
If you are looking for a more detailed explanation of the bug, see this post by Adam Langley.
Be aware that this bug does not affect only Tor users; it affects any application or website that uses OpenSSL. If the patches are applied promptly, all of these risks can be mitigated quickly and easily.
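The exposure condition in the Tor Project overview above (unpatched initiator on any branch, plus an unpatched 1.0.1 relay) can be checked across an inventory of links. The following is an added example, not code from the Tor Project or OpenSSL. The function names, the sample inventory and the fixed-release suffixes are constructed placeholders; take the real first fixed release for each branch from the OpenSSL advisory.

```python
import re

# OpenSSL releases of this era are named MAJOR.MINOR.FIX plus a letter suffix,
# e.g. "1.0.1c"; after "z" the suffix continues "za", "zb", ...
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# CONSTRUCTED PLACEHOLDERS, not the real fixed releases: replace each suffix
# with the first fixed release for that branch from the OpenSSL advisory.
PLACEHOLDER_FIRST_FIXED = {(0, 9, 8): "zx", (1, 0, 0): "x", (1, 0, 1): "x"}

def parse(banner):
    """'OpenSSL 1.0.1c' or '1.0.1c' -> ((1, 0, 1), 'c')."""
    m = _VERSION.search(banner)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % banner)
    return tuple(int(n) for n in m.group(1, 2, 3)), m.group(4)

def _suffix_key(letters):
    # '' < 'a' < ... < 'z' < 'za': a longer suffix is always the later release.
    return (len(letters), letters)

def is_patched(banner, first_fixed):
    branch, letters = parse(banner)
    fixed = first_fixed.get(branch)
    if fixed is None:
        return False  # branch with no known fix: fail closed, treat as unpatched
    return _suffix_key(letters) >= _suffix_key(fixed)

def link_exposed(initiator, relay, first_fixed):
    # The overview names only the 1.0.1 branch on the relay side, so a relay on
    # any other branch returns False; the initiator may be on any branch.
    relay_branch, _ = parse(relay)
    if relay_branch != (1, 0, 1):
        return False
    return not (is_patched(relay, first_fixed) or is_patched(initiator, first_fixed))

def audit(links, first_fixed):
    """links: (name, initiator_banner, relay_banner) tuples -> exposed names."""
    return [n for n, ini, rel in links if link_exposed(ini, rel, first_fixed)]

# Constructed inventory: sample banners, not real hosts.
SAMPLE_LINKS = [
    ("client-a -> relay-1", "OpenSSL 1.0.1c", "OpenSSL 1.0.1c"),
    ("client-b -> relay-2", "OpenSSL 0.9.8y", "OpenSSL 1.0.1c"),
    ("client-c -> relay-3", "OpenSSL 1.0.1c", "OpenSSL 0.9.8y"),
    ("client-d -> relay-4", "OpenSSL 1.0.1y", "OpenSSL 1.0.1c"),
]
```

With the placeholder thresholds, only the first two links are reported: the third has a relay older than 1.0.1 and the fourth has an upgraded initiator.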