More than a week after we first learned about the Heartbleed vulnerability in OpenSSL – the encryption that protects more than half of the Internet, according to Netcraft’s April 2014 Web Server Survey – it’s been revealed that large numbers of systems that run the anonymous Tor network remain unpatched. In order to protect Tor’s security, the Tor Project says its now flagged number of servers it believes are still vulnerable to Heartbleed, which means they’ll no longer be able to relay traffic across its network.
The Tor Project says the Heartbleed bug, which could allow cybercriminals to retrieve bits of data from the network, is still affecting around 10 percent of the gateways and relays that allow people to connect to it. Thus, there’s a risk that people’s passwords, encryption keys and even their IP addresses could be exposed.
A blog post from April 7 highlighted the threats to the Tor network, its relays, its bridge software, its “Hidden” darknet web services, and even its internal directory servers. In addition, Tor’s Orbot client for Android devices is also said to be at risk. Naturally the Tor Project has moved fast to patch its components, and the vast majority of its network has now been secured.
Even so, it says a large number of its relay servers, some of which route traffic to countries where the internet is heavily censored, are still unpatched. Many of these servers are provided by volunteers, and the Tor Project says there’s a good chance that some may be running unattended. According to the organization, some 586 relays were still vulnerable as of this Thursday, accounting for about ten percent of Tor’s total number of nodes.
The good news is that a significant majority of Tor’s guard and exit servers have now been patched, with just three servers still remaining vulnerable. This is important because the guard nodes direct incoming traffic from relays to a randomized course through the Tor network, before they reach an exit server. From the exit server, traffic is sent to its final destination, this keeping the location and identity of the user anonymous.