June 27th, 2008

Critical security alert issued for Tor

Posted by Ryan Naraine @ 12:14 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Malware, Passwords, Patch Watch, Privacy, Vulnerability research

Tags: OpenSSL, Security Alert, Tor, Ssl/Tls, Security, Ryan Naraine

If you use Tor for anonymity or privacy on the Web, you might want to pay attention to this critical security announcement from project leader Roger Dingledine.

According to the advisory, a known vulnerability in the Debian GNU/Linux distribution’s OpenSSL package could allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Because Tor uses OpenSSL, all private keys generated by affected versions of OpenSSL must be considered to be compromised.

The skinny:

Due to a bug in Debian’s modified version of OpenSSL 0.9.8, all generated keys (and other cryptographic material!) have a stunningly small amount of entropy. This flaw means that brute force attacks which are very hard against the unmodified OpenSSL library (e.g. breaking RSA keys) are very practical against these keys.

While we believe the v2 authority keys (used in Tor 0.1.2.x) were generated correctly, at least three of the six v3 authority keys (used in Tor 0.2.0.x) are known to be weak. This fraction is uncomfortably close to the majority vote needed to create a networkstatus consensus, so the Tor 0.2.0.26-rc release changes these three affected keys.

The alert applies to Tor 0.2.0.x, and to any Tor version running on Debian, Ubuntu, or a distribution derived from them.

Dingledine warned that a local attacker or malicious directory cache may be able to trick a client running 0.2.0.x into believing a false directory consensus, causing the client to create a path wholly owned by the attacker.
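The first thing a Tor relay or TLS operator wants to know after an advisory like this is whether their own keys came from a weak generator. The Python below is an added example, not code from the advisory or the Tor project: it reads a PKCS#1 "RSA PUBLIC KEY" PEM and checks its modulus against a blacklist in the layout of Debian's openssl-blacklist files. The fingerprint convention used (SHA-1 of the `Modulus=` line, keeping the last 20 hex characters) is my assumption and should be confirmed against the package's openssl-vulnkey; the sample key and blacklist entry are constructed for the demo.

```python
import base64
import hashlib

# Constructed sample blacklist in the layout of Debian's openssl-blacklist files.
# Assumption: one 20-hex-char entry per line, the low 80 bits of SHA-1 over the
# "Modulus=<HEX>\n" line that `openssl rsa -noout -modulus` prints. Entry is made up.
SAMPLE_BLACKLIST = """\
# comment lines are ignored
0123456789abcdef0123
"""

def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus(pem):
    """Return n from a PKCS#1 'RSA PUBLIC KEY' PEM, i.e. SEQUENCE { n, e }."""
    b64 = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    _, seq, _ = der_tlv(base64.b64decode(b64))
    tag, n_bytes, _ = der_tlv(seq)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big")

def modulus_fingerprint(n):
    """Blacklist entry for modulus n (hash convention assumed, see above)."""
    return hashlib.sha1(("Modulus=%X\n" % n).encode()).hexdigest()[-20:]

def load_blacklist(text):
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}

def is_blacklisted(pem, blacklist):
    """True if the key's modulus fingerprint is on the weak-key list."""
    return modulus_fingerprint(rsa_modulus(pem)) in blacklist

# Helpers that build a constructed test key (toy size; real keys are 1024+ bits).
def der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # may start with 0x00: stays positive
    return bytes([0x02, len(b)]) + b

def make_pem(n, e=65537):
    body = der_int(n) + der_int(e)
    der = bytes([0x30, len(body)]) + body                # short-form length: n under ~1000 bits
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN RSA PUBLIC KEY-----\n%s\n-----END RSA PUBLIC KEY-----\n" % b64
```

To scan real keys, feed each `openssl rsa -pubout -RSAPublicKey_out` PEM to `is_blacklisted` with the blacklist loaded from the distribution's files instead of `SAMPLE_BLACKLIST`.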

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback (2)

RE: Critical security alert issued for Tor
This is more about openssl than TOR!!!!
Posted by: mrOSX | 06/30/08

Not Only Tor | DrewBuck | 06/30/08
RE: Critical security alert issued for Tor | mrOSX | 06/30/08