Just a reminder: if you're operating a relay, you should make sure
that your operating system is giving you updates for openssl, and you
are applying them.
There was an update today about bugs in Thursday's OpenSSL releases.
For the security advisory, see here:
https://www.openssl.org/news/seca
Hi, awesome relay operators!
About two weeks ago, we put out 0.2.9.9, to fix a significant problem
in our build process that led to an easy remote crash attack:
o Major bugfixes (security):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening
Hi!
This is a reminder that we will not be making new releases for the
0.2.4, 0.2.6, or 0.2.7 release series after 1 August 2017. If you are
running one of those series, please make a plan to upgrade some time
before then!
0.2.5 will still be supported until 1 May 2018.
0.2.9 support will conti
On Tue, Jun 6, 2017 at 8:08 PM, Felix wrote:
> Hi everybody
>
> Can somebody please help me understand the change log for 3.1.x: "Support
> for these algorithms requires that tor is built with the libzstd and/or
> liblzma libraries available." Is it AND or OR or something whatever
> different ?
On Sun, Jun 25, 2017 at 7:58 AM, nusenu wrote:
>
>
> Sebastian Urbach:
>> I could not find anything wrong and checked:
>>
>> https://metrics.torproject.org/torperf.html
>>
>> Is it just me or does that look like a major Performance Downgrade for
>> the whole Network since 0.3.0.x was introduced ?
On Mon, Jun 5, 2017 at 9:01 AM, Nick Mathewson wrote:
> Hi!
>
> This is a reminder that we will not be making new releases for the
> 0.2.4, 0.2.6, or 0.2.7 release series after 1 August 2017. If you are
> running one of those series, please make a plan to upgrade some tim
On Wed, Aug 16, 2017 at 11:59 AM, Alan wrote:
> Up until now i've relied on updating Tor using yum update but the version
> on the repos is currently 0.2.9.10 . Arm reports this as unrecommended, so
> compiling from source looks to be the only option.
>
> I pulled down 0.3.0.10, untarred and ran .
[TROVE-2017-008. CVE-2017-0380. Severity: medium]
Hello!
We have found a possible problem with the code that reports an error
during the construction of an introduction point circuit. Because
of this bug, it is possible that some hidden services will sometimes
write sensitive informatio
On Mon, Sep 18, 2017 at 1:19 PM, Toralf Förster wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 09/18/2017 03:41 PM, Nick Mathewson wrote:
>> This bug can only happen when the SafeLogging option is disabled,
>> and SafeLogging is enabled by default.
I'm sending this message to announce that we will be releasing new
stable and versions of Tor tomorrow, to fix 5 security bugs. I
apologise for the short notice; we've had to move up our intended
release date in order to try to match with release deadlines for
downstream projects.
We have classif
Hi!
This coming week, we'll be putting out new stable releases for 0.2.9
and later supported branches to fix a few security bugs. The
highest-severity bug to be fixed is severity "medium". (See
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy
for information abo
Hi!
There are new security releases today. The official announcement just
went to tor-announce, but I want to make sure that people on this list
see it too.
In brief:
* Directory authorities should upgrade.
* Relays running 0.3.2.1-alpha through 0.3.2.9 should upgrade.
* Relays running 0.3
Hello, relay operators!
There's one important bugfix in the 0.2.5.9-rc release that relay
operators should know about. If you have a version of OpenSSL that
came out last week (like 1.0.1j, 1.0.0, ) and if your version of
openssl is built with the "no-ssl3" flag, then it's possible to crash
your T
On Mon, Oct 20, 2014 at 10:43 PM, Nick Mathewson wrote:
> Hello, relay operators!
[...]
> best wishes,
Oh, darn it. I knew I'd forget something if I hit send then.
Thanks to everybody who helped find, diagnose, fix, and test fixes for
this bug, including Yawning, asn, weasel,
Hi, all!
I just sent a release announcement to the tor-announce mailing list.
If you're not on that mailing list, you should subscribe; it is very
low-volume.
https://lists.torproject.org/pipermail/tor-announce/2014-October/96.html
Synopsis: There is a new stable out. Some packages are up-t
And please forgive me for sending one more email, please let me call
your attention to these bits of the Tor 0.2.5.10 release notes:
This release marks end-of-life for Tor 0.2.3.x; those Tor versions
have accumulated many known flaws; everyone should upgrade.
o Deprecated versions:
- Tor
On Fri, Oct 31, 2014 at 4:18 AM, Rafael Rodriguez wrote:
> Hello fellows,
>
> Where can we contribute (post a guide) to deploy Tor in Windows without the
> extras unneeded stuff? I was looking for a Tor Server installation guide on
> Windows to run Tor as a service. I did not want to install all
On Wed, Dec 10, 2014 at 2:31 AM, Roger Dingledine wrote:
> On Sun, Dec 07, 2014 at 01:43:46PM +0100, Logforme wrote:
>> To me it looks like an attacker that ramped up over a 6 hour period and
>> then stopped building new circuits. Since the tor process still uses all
>> available memory (more than
On Mon, Dec 22, 2014 at 5:54 PM, Seth wrote:
> On Sat, 22 Nov 2014 17:33:59 -0800, Seth wrote:
>>
>> Thanks for the information. I was able to get the latest git version of
>> Tor build against the libressl-2.1.1 pkg in a fresh FreeBSD 9x jail using
>> the following steps:
>>
>> pkg install libre
On Tue, Dec 23, 2014 at 12:00 PM, Seth wrote:
> On Tue, 23 Dec 2014 06:33:44 -0800, Nick Mathewson
> wrote:
>>
>> What version of Tor are you using here? I think we have this fixed in
>> 0.2.6.1-alpha with this commit:
>>d1fa0163e571913b8e4972c5c8a2d
On Wed, Dec 24, 2014 at 5:15 PM, Seth wrote:
> On Tue, 23 Dec 2014 09:16:56 -0800, Nick Mathewson
> wrote:
>>
>> Strange! There is code in git master that is supposed to prevent
>> this.
>
>
> Yes, I thought it had been fixed by your commit from this tic
Hi, all!
While looking into a bug report, I noticed that an exit node was using
one of Google's well-known public DNS servers for its own DNS server.
No disrespect to the operators of Google's fine public DNS service,
but my sense is that using it for a Tor exit node might not be the
greatest ide
Hi, all!
There's a project going on to try to add instructions for hardening a
Tor relay for security:
https://trac.torproject.org/projects/tor/ticket/13703
The idea is that Tor could ship with some basic recommendations, and
links to places to find more advice?
Recently, "mmcc" has uploaded
On Fri, Feb 20, 2015 at 9:50 AM, Christian Sturm wrote:
> Hello,
>
>
> I noticed on my Tor relay that deploying 0.2.6.3 resulted in the
> bandwidth going up and down a lot which can be seen here:
>
> https://globe.torproject.org/#/relay/CE75BF0972ADD52AF8807602374E495C815DB304
>
> It looks like I a
On Wed, Mar 4, 2015 at 5:26 AM, wrote:
> Cipher-downgrade CVE-2015-0204 fixed in OpenSSL 1.0.1k.
>
> usual sensational write-up courtesy of El-Reg
>
> http://theregister.co.uk/security
I believe this doesn't affect Tor relays or clients, because we have
never supported export ciphers or generate
On Wed, Mar 25, 2015 at 4:26 AM, skyhighatrist wrote:
> Hello List,
> I am wondering if anyone has had their relay randomly crash in the past
> week or so. Three of mine (I run 6, nonexits) have fallen over. One of
> them ~5 days ago, one of them ~4 days ago, and one of them earlier today
> .
>
>
Also, if you can possibly avoid it, it would be a good idea to stop
using the OpenSSL 0.9.8 series entirely. It's old and crufty and is
missing many security improvements in later versions. OpenSSL 0.9.8
will not be supported in Tor 0.2.7.2-alpha or later.
best wishes, and many thanks!
--
TL;DR: Stable non-exit relays can help tor clients use the Tor
network. Please opt-in!
We want to run a trial of fallback directory mirrors (fallbacks) in
Tor. Tor clients contact fallbacks to download the consensus during
initial bootstrap, before they contact the directory authorities.
Fallback
On Thu, Nov 3, 2011 at 11:28 AM, Teun Nijssen wrote:
> Hi,
>
> on 2011-11-03 15:11 Klaus Layer wrote the following:
>> Hi,
>>
>> since 0.2.3.6-alpha the logs of my instances are full of these messages:
>>
>> 14:56:23 [WARN] (certificate lifetime runs from Nov 3 16:15:34 2011 GMT
>> through Nov 2
On Thu, Nov 3, 2011 at 10:11 AM, Klaus Layer wrote:
> Hi,
>
> since 0.2.3.6-alpha the logs of my instances are full of these messages:
>
> 14:56:23 [WARN] (certificate lifetime runs from Nov 3 16:15:34 2011 GMT
> through Nov 2 16:15:34 2012 GMT. Your time is Nov 03 13:56:23 2011 GMT.)
> 14:56:23
On Mon, Jan 23, 2012 at 2:27 PM, Geoff Down wrote:
> Can anyone help with this please?
>
> % sudo ./configure --with-libevent-dir=/opt/local/lib/ && make && make
> install
> -> checking for libevent directory... configure: WARNING: We found the
> libraries for libevent, but we could not find the C
On Sat, Mar 31, 2012 at 9:04 AM, Steve Snyder wrote:
> I am attempting to load-balance DNS resolution requests.
>
> Suppose, in Linux, you have a /etc/resolv.conf with this contents:
>
> nameserver aaa.bbb.ccc.ddd
> nameserver eee.fff.000.111
> nameserver 222.333.444.555
>
> How does a Tor exit
Hi, all!
If you are using any version of openssl 1.0.1, 1.0.1a, or 1.0.1b, you
should know that it's affected by a recent security advisory:
https://www.openssl.org/news/secadv_20120510.txt
If I am reading the diffs for this bug right, it looks like it would
attacker to crash a server remotely.
On Sat, Jun 23, 2012 at 7:38 PM, Christian
wrote:
> Hi dear fellows,
>
> I'm sorry to use again this way of addressing my problem as in Vol 17,
> Issue 5. It will be the last time. Promise.
>
> I can't find any solution on the web.
> When starting tor, it always reads "Failed to parse/validate con
On Fri, Jun 29, 2012 at 8:00 PM, Steve Snyder wrote:
> Attention Tor developers:
>
> Now that v0.2.3 is at Release Candidate status, can we get some guidance
> for those relay operators that have not kept up with development?
Hoo boy! That's a big topic. I'm not going to try to do a full summ
On Sun, Jul 8, 2012 at 4:19 AM, Scott Bennett wrote:
> While testing my torrc with 0.2.3.18-rc, I tried adding the
> IsolateDestAddr flag to the SocksPort line, as in
>
> SocksPort 9050 IsolateDestAddr
>
> A "tor --verify-config" claimed that I was trying to specify more
> than one port on th
On Tue, Jul 17, 2012 at 12:07 AM, Scott Bennett wrote:
> Hi Nick,
> On Wed, 11 Jul 2012 11:33:52 -0400 Nick Mathewson
> wrote:
>>On Sun, Jul 8, 2012 at 4:19 AM, Scott Bennett wrote:
>>> While testing my torrc with 0.2.3.18-rc, I tried adding the
>>
On Tue, Sep 11, 2012 at 1:52 PM, Steve Snyder wrote:
> On Tuesday, September 11, 2012 1:12pm, "Jacob Appelbaum"
> said:
> [snip]
>> It seems that there are two issues - one is that a guard is failing to
>> build circuits, the other is that you can't seem to exclude them. I have
>> to admit, I'm
On Tue, Sep 11, 2012 at 1:12 PM, Jacob Appelbaum wrote:
> Hi Scott,
>
> It is nice to see you posting again, I had wondered where you had gone.
>
> Scott Bennett:
>> I know this really belongs on tor-talk, but I haven't been subscribed
>> to it for a long time now. Sorry if posting this here
On Tue, Sep 11, 2012 at 4:48 PM, Jacob Appelbaum wrote:
> Nick Mathewson:
>> On Tue, Sep 11, 2012 at 1:12 PM, Jacob Appelbaum wrote:
>>> Hi Scott,
>>>
>>> It is nice to see you posting again, I had wondered where you had gone.
>>>
>>> Scot
On Sun, Nov 4, 2012 at 9:55 PM, Steve Snyder wrote:
> In the Tor v0.2.2.x series it was said that it was pointless to set
> NumCPUs to a value greater than 2. Due to poor scaling, I guess.
>
> Is that still the case with v0.2.3.24+ ? Would NumCPUs value of 4 or 8
> (on systems with that many CP
On Fri, Jan 25, 2013 at 8:12 AM, Samuel Walker
wrote:
> Hi,
>
> I've started receiving this message on my relay (non-exit, non-hidden-service)
>
>> [warn] Tried to establish rendezvous on non-OR or non-edge circuit.
>
> I've had a look in the bug tracker, and it looks like it was previously noted
On Thu, Apr 25, 2013 at 8:37 AM, Konstantinos Asimakis
wrote:
> https://atlas.torproject.org/#details/A84D7DF9D58E0FAFF8CCC06A6A49DD96BD1DFC13
> https://atlas.torproject.org/#details/12404BB1BB4F09CA65B76D77F347BC0D79CB7BA3
>
> How is this possible? I thought that if you try to take the name of an
On Mon, Aug 12, 2013 at 4:34 AM, Gordon Morehouse wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> I still have the really weird circuit creation storms going on. I'm
> trying to figure out how to *eliminate* the possibility with some kind
> of iptables throttling, but limiting SYNs
On Mon, Sep 2, 2013 at 1:28 PM, Gordon Morehouse wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> So in the documentation:
>
> UserspaceIOCPBuffers 0|1
> If IOCP is enabled (see DisableIOCP above), setting this option to 1
> will tell Tor to disable kernel-space TCP buffers, in order
On Fri, Jan 24, 2014 at 4:49 AM, Alexander Dietrich
wrote:
> Hello,
>
> a relay I'm running is currently at about 0.80 load average. It has a
> dual-core CPU and I have configured "NumCPUs 2". I'm still in the process of
> finding the bandwidth limit.
>
So, others have answered pretty well, but I
On Mon, Jan 27, 2014 at 9:10 AM, Sebastian Urbach wrote:
> Hi,
>
> May i ask when the NTor handshake is going to be recommended by the majority
> of the directory authorities ?
I believe it's recommended now by a majority of the authorities voting
on it. Looking at a recent microdesc consensus,
On Fri, Feb 21, 2014 at 10:46 PM, Zenaan Harkness wrote:
> Occasionally (such as just now) I have seen these two errors in arm:
>
> │ 13:21:25 [WARN] crypto error while checking RSA signature: padding
> check failed (in rsa routines:-
> │ RSA_EAY_PUBLIC_DECRYPT)
> │ 13:21:25 [WARN] crypto err
On Thu, Apr 10, 2014 at 11:53 PM, wrote:
> I updated the patch to
>
> 1) have AS close /proc
>
> 2) enable core dump files
>
> One should add
>
>/proc /chroot_tor/proc none noauto,bind 0 0
>
> to /etc/fstab (note the 'noauto').
> Then the 'tor' startup script does a
>
>mount /chroot_tor/p
On Fri, Apr 25, 2014 at 5:17 AM, Oliver Baumann wrote:
> On 04/24/14, Lance Hathaway wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> Apologies if this would be better addressed in a different list...
>>
>> I know there are a couple of people here who are working on making the
>>
On Mon, May 15, 2023 at 5:21 AM Matt Palmer wrote:
>
> On Sat, May 13, 2023 at 12:55:17PM -0400, denny.obre...@a-n-o-n-y-m-e.net
> wrote:
> > This has probably been addressed before but why isn't the MyFamily value
> > just a single, unique ID?
> >
> > If I have the relays with the fingerprints "
On Wed, May 24, 2023 at 8:54 PM David Fifield wrote:
[...]
>
> What are the risks of not rotating onion keys? My understanding is that
> rotation is meant to enhance forward security; i.e., limit how far back
> in time past recorded connections can be attacked in the case of key
> compromise. http
Hi, folks!
You should know that there is a compatibility issue between Tor and
OpenSSL 1.1.1a, when TLS 1.3 is in use. Only OpenSSL 1.1.1a is
affected; other OpenSSL versions are not. The effect here is that Tor
relays using this version of OpenSSL will not be able to negotiate TLS
1.3 connectio
On Sat, Dec 1, 2018 at 8:40 PM Paul wrote:
>
> I have run into this issue just now and I am curious if I can "just"
> downgrade back or if there is any other way to workaround?
>
I think that it's okay to downgrade to 1.1.1 for Tor's purposes: the
two security vulnerabilities fixed in 1.1.1a are ab
On Mon, Jan 28, 2019 at 9:52 PM Alexander Nasonov wrote:
>
> I recently tried updating one of my relays to Tor 0.4.0.1 compiled
> with NSS (and without OpenSSL) but it failed to start, see the logs
> below. I wonder if this configuration is supported at all and
> whether I should try running a bra
On Thu, Jan 31, 2019 at 6:58 PM Alexander Nasonov wrote:
>
> Matthew Finkel wrote:
> > I opened #29241 for this (because I didn't see anyone else open it).
>
> Thank you! I couldn't submit because trac doesn't accept my password
> anymore.
>
FYI, I think I finally figured this one out, though it
On Thu, Nov 21, 2019 at 5:03 AM Logforme wrote:
[...]
>
> Should I open a ticket?
Very interesting! Yes, a ticket would be welcome. Actually, this
_might_ be the same as #16423 , which stalled a while ago due to
difficulty reproducing. But I'm not quite sure: that ticket is very
old, and the
-- Forwarded message -
From: Nick Mathewson
Date: Mon, Mar 16, 2020 at 1:25 PM
Subject: Upcoming Tor security releases to fix a denial-of-service issue
To:
Hello!
Some time this week, we currently plan to put out a set of security
updates for all supported versions of Tor
On Fri, Jul 24, 2020 at 1:36 PM David Goulet wrote:
>
> On 24 Jul (13:30:31), David Goulet wrote:
> >
> > The new list has been generated and can be found here:
>
> Apology, clarification needs to be made:
>
> >
> > https://gitlab.torproject.org/tpo/core/fallback-scripts/-/blob/master/fallback_off
On Fri, Jul 24, 2020 at 9:08 PM Ralph Seichter wrote:
>
> * nusenu:
>
> > https://github.com/nusenu/ContactInfo-Information-Sharing-Specification
> > This is an effort that started in 2017 as you can see on github.
>
> In section "Defined fields" you write:
>
> Non-ASCII characters are not suppo
On Mon, Jul 27, 2020 at 2:05 PM nusenu wrote:
>
> >> In section "Defined fields" you write:
> >>
> >> Non-ASCII characters are not supported.
> >>
> >> I'm not sure if this applies only to keys or also to values? With the
> >> availability of IDN (https://unicode.org/faq/idn.html) in email
> >>
On Mon, Aug 10, 2020 at 9:55 AM tor-operator-sahara-it
wrote:
>
> Hello.
>
> On Tails:
> Today i found that my jabber messenger (with server in *.onion) use onion
> circuit with three nodes, and two times from two exit-nodes were very strange.
>
> https://metrics.torproject.org/rs.html#details/92
On Sat, Aug 8, 2020 at 5:41 PM wrote:
>
> An important piece of mental furniture that I never needed to know until
> months later when a relay stopped working is right here in Step 7: Check IPv6
> Availability of page
> https://community.torproject.org/relay/setup/post-install/
> "If you enable
Hi, all!
There is a new version of OpenSSL out today, with a security advisory
that affects Tor. The vulnerability is CVE-2021-3449, as described on
https://www.openssl.org/news/secadv/20210325.txt . It affects OpenSSL
versions 1.1.1 through 1.1.1j. OpenSSL 1.1.1k is the first version
with a fi
Hello, relay operators!
I'm hoping to get some feedback from relay operators, particularly
those who use the MyFamily option, about the best way to deploy
proposal 321. You can read the proposal at:
https://gitlab.torproject.org/tpo/core/torspec/-/blob/master/proposals/321-happy-families.md
The
On Sat, Nov 6, 2021 at 10:36 AM Nick Mathewson wrote:
> Hello, relay operators!
>
> I'm hoping to get some feedback from relay operators, particularly
> those who use the MyFamily option, about the best way to deploy
> proposal 321. You can read the prop
On Sun, Nov 7, 2021 at 1:36 AM Scott Bennett wrote:
>
>
> Because the obvious incentive for cheaters is in the direction of
> trying
> to get clients' route selectors to choose routes through more than a single
> relay operated by a given cheater, rather than the other way around, this
> loo
On Sat, Nov 6, 2021 at 10:36 AM Nick Mathewson wrote:
> Hello, relay operators!
>
> I'm hoping to get some feedback from relay operators, particularly
> those who use the MyFamily option, about the best way to deploy
> proposal 321. You can read the prop
On Tue, Dec 14, 2021 at 1:07 PM nusenu wrote:
> Nick Mathewson:
> > 1) The proposal currently limits each relay to no more than 3 families.
> > Is that a reasonable upper bound?
>
> Yes, 3 is a reasonable limit.
>
> > 2) We hadn't been planning to implemen
On Tue, Dec 14, 2021 at 12:55 PM Toralf Förster
wrote:
> On 12/14/21 17:06, Nick Mathewson wrote:
> >
> > A relay operator has asked me, offline, if it is possible under this
> > proposal for a relay to belong to more than one family. (For example,
> > if there were t
On Sun, Mar 23, 2025 at 6:11 AM Toralf Förster via tor-relays
wrote:
>
> On 3/22/25 10:55 PM, boldsuck via tor-relays wrote:
> > Copy the MyFamilyKey.secret_family_key file into the KeyDir of _every_
> > _one_ of your relay.
>
> FWIW:
>
> The identifier "MyFamilyKey" is free of choice.
> But once