Hi, Thanks for the mail, even though I wasn't notified personally (yes, my bridge has a contact email). I can say that after the issue with OpenSSL occurred, I immediately installed the update provided by my distro, stopped Tor and removed all key and let it generate new ones. My bridge is an obfuscated one. Do I have to do anything else? I mean, since obfsproxy isn't linking to OpenSSL as it's written in Python, it should be safe, no? Or maybe Python itself links to OpenSSL but since I updated OpenSSL and restarted everything that was using its libs, I should be safe?
Thanks On Wed, Apr 23, 2014 at 8:32 AM, Matthew Finkel <matthew.fin...@gmail.com> wrote: > Hi All, > > Below is an email we sent last week to almost all of the bridge > operators who provided contact information for their bridge(s). For > those operators we missed and for those we couldn't contact, this > hopefully provides some useful information. > > All the best, > Matt > > ----------------------------------------------------------------------- > > Hi Tor Bridge Relay Operator! > > Unfortunately this email must begin with bad news, but it gets better. > > Due to the recent Heartbleed OpenSSL vulnerability that was disclosed > earlier this week, we are reaching out to you to ask that you install > an updated version of OpenSSL. The vulnerability has the potential to > decrease the security of your bridge as well as the anonymity of any > user connecting to your bridge. As a result of this, we also ask that > you generate a new identity key due to the possibility that your > current one was leaked. > > The process to upgrade your version of OpenSSL depends greatly on > your operating system. Please ensure you are using a version that was > released within the past four days, see the Heartbleed website[0] for > more details on the vulnerability and for which versions are affected. > Please do this before you regenerate your identity key. > > When this is done, you will need to restart Tor. At this point you can > ask us to retest your bridge to confirm that it is not vulnerable > anymore. > > Next, to regenerate your identity key simply stop Tor and delete the > current key. This is done by opening Tor's Data directory and removing > the contents in the keys/ directory. Tor's Data directory is located at > /var/lib/tor, by default. Let us know if you have trouble locating it. > When this is complete, start Tor and it will automatically create a new > identity for you. > > See the recent blog post for many more details: > https://blog.torproject.org/blog/openssl-bug-cve-2014-0160 > > Now that the bad news was said, we want to take this opportunity to > thank you, from the bottom of our hearts, for volunteering to run > a bridge relay. We know we do not say it often, but it is really > appreciated! Please let us know if you have any question, concerns, or > suggestions, especially related to how we communicate with you and how > bridge relay operators can be more involved. > > Lastly, if you are not already running the obfsproxy pluggable > transport[1] (i.e. obfs3) on your bridge, please follow the Debian > instructions[2] (for a Debian-based system) on the website and install > it. Your bridge is a great contribution to the Tor network, however as > censorship on the internet increases around the world users are forced > to use a pluggable transport. Tor does not understand how to > communicate with them by default, though. Therefore we are asking that > all bridge operators install obfsproxy and help as many users as > possible. > > In addition, also consider subscribing to the tor-relays mailing > list[3], if you are not already; we will be posting instructions on how > to maximize the contribution of your bridge on that list every now and > then. > > [0] http://heartbleed.com > [1] https://www.torproject.org/docs/pluggable-transports.html.en > [2] > https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en#instructions > [3] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > > Again, thank you for running a bridge relay and sorry for the bad news. > > Let us know if you have any questions or if you have any suggestions. > > All the best, > Matt > The Tor Project > _______________________________________________ > tor-relays mailing list > tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays -- Yours truly _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
