Hi, all! There's a bug in openssl 1.0.1d that breaks Tor (and lots of other programs) if you have a CPU with aesni support.
If you have aesni support on your CPU, and you're using the openssl 1.0.1 series, and you decide that you simply _must_ upgrade OpenSSL before 1.0.1e can be released (soon, I hope), then see the link below for a patch that will make Tor work around the bug in question.

For more information on the openssl bug, see https://trac.torproject.org/projects/tor/ticket/8179 .

(Incidentally, because one or two people have asked: Tor itself isn't affected by the new Lucky-13 attack against TLS CBC implementations. In order to do plaintext recovery, the attack requires that the same secret be sent in a large number of encrypted TLS sessions. This can happen with HTTPS (where an attacker can force many connections to happen with Javascript, each of which will contain a cookie that the attacker is trying to steal). Tor, on the other hand, will send the same secret encrypted the same way more than once.

This doesn't mean that Tor users couldn't be affected, though. TorBrowser is a web browser based on Firefox, after all, and therefore is potentially affected by any attack affecting HTTP. Once there's a new version of Firefox out, I hope that we'll have an updated browser released soon afterwards.

For more information on the attack and its impact, see http://www.isg.rhul.ac.uk/tls/ .)

best wishes,
--
Nick