Hi,

After seeing the challenge done by CloudFlare, to set up a server open to the internet with that vulnerable OpenSSL version so everyone could try and get its private keys (to see if it's actually possible), and after speaking earlier with people in the #tor IRC channel, we think it's a good way to find out for sure if the Hidden Services could have been compromised or not. And if yes, make a more serious and visible banner to notify them. Because so far nobody has changed the Hidden Service address, from all the Hidden Services I am using. I don't want them to be exposed to risks and when something happens, yet another thing which will be blamed on Tor.

So, to developers and special reference to arma, proposition:

- Can we set up a Tor circuit, separate from the Tor network, or within it if it's better this way (if we can choose all the relays in a circuit via torrc), a circuit in which all the relays are running the vulnerable version of OpenSSL with heartbeats enabled?

I have a server and offer it to be the Hidden Service, and everyone can test and exploit the heartbleed vulnerability and prove if they managed to get the private key.

If you think the experiment is worth it, email me directly and let me know what I have to do. I am sure many others will join.

s7r

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk