Rather than risk data mining because of Heartbleed, Tor might dump some servers

Apr 18, 2014 12:56 GMT

The anonymity network Tor isn't faring very well after the Heartbleed encryption disaster. The service may, in fact, be forced to shut down an eighth of its capacity.

Tor helps people browse the Internet without leaving traces that identify them. It runs on a network of donated servers (relays) that pass encrypted traffic between them before it exits to the open web.

This makes it impossible for anyone to track down which traffic is coming from which computers, and that's how the anonymity Tor promises is delivered.

Unfortunately, some of those donated relays are running OpenSSL versions affected by Heartbleed, which leaves them open to attack. This means that attackers could exploit those relays to extract information that Tor promised would be impossible to find.

One of the original developers of Tor, Roger Dingledine, has suggested that it may be a good idea to reject the relays running the faulty OpenSSL versions from the network.

“I also thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they've upgraded their OpenSSL), but on the other hand, if they were still vulnerable as of yesterday, I really don't want this identity key on the Tor network even after they've upgraded their OpenSSL. If the other directory authority operators follow suit, we'll lose about 12% of the exit capacity and 12% of the guard capacity,” he said.

Heartbleed is an OpenSSL vulnerability that was disclosed last week; it has been present in various versions of the software over the past two years. A patch has already been issued, along with instructions for fixing the bug manually, but many sites and servers are still affected, which makes the Internet less safe.

The vulnerability is easy to exploit: an attacker can ask the server to return more data than it should, which undermines the protection encryption is meant to provide. In short, data passing through an affected server is not safe at any point during an attack, even though the connection is supposedly protected by encryption.
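The "more data than it should" behaviour comes down to a missing length check. The following C sketch is an added example, not code from the article or from OpenSSL: it models a simplified heartbeat record (constructed framing, not the real TLS layout) and shows the unchecked handling of the declared length beside the bounds check that fixes it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record (constructed for illustration, not the real TLS framing):
 * byte 0 = type, bytes 1-2 = declared payload length (big-endian), then the payload,
 * then at least HB_MIN_PADDING bytes of padding. */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16

/* Build a record into buf. 'declared' is what the sender claims; 'payload_len' is what it
 * actually sends, so the two can be made to disagree. Returns the record length, 0 on overflow. */
size_t hb_make_record(uint8_t *buf, size_t buf_len, uint16_t declared,
                      const uint8_t *payload, size_t payload_len) {
    size_t total = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (total > buf_len) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + 3, payload, payload_len);
    memset(buf + 3 + payload_len, 0, HB_MIN_PADDING);
    return total;
}

/* The defect: the declared length is trusted and never compared with rec_len, so a
 * responder would copy that many bytes from wherever the record sits in memory.
 * Written to report the length it would copy instead of copying, so it runs safely here. */
size_t hb_unchecked_copy_len(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                 /* never consulted: this is the bug */
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The fix: the record must actually be long enough to hold the declared payload plus the
 * minimum padding before anything is echoed. Returns bytes echoed into out, or -1 if rejected. */
int hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + declared + HB_MIN_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (declared > out_len) return -1;
    memcpy(out, rec + 3, declared);
    return (int)declared;
}
```

A well-formed request (4 bytes declared, 4 bytes sent) is echoed; a request that declares 65535 bytes but carries one is accepted by the unchecked logic and rejected by the checked one.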

The worst part is that exploiting Heartbleed leaves no traces behind, so there is no way to tell whether hackers or spy agencies knew about the vulnerability beforehand, whether any attacks took place, or what data may have been stolen.

For this reason, users have been advised to change their passwords even for services run by companies such as Google, Facebook or Yahoo.