[tor-talk] Yet another OpenSSL vulnerability

Hi, all! There's another OpenSSL vulnerabilty. This one is less terrible than heartbleed, but it's still quite bad. People have taken to calling it the "EarlyCCS" attack: it will probably get less media attention than heartbleed because its name is insufficiently scary. The impact on Tor is that an adversary in the position to run a MITM attack on a Tor client or relay could cause a TLS connection to be negotiated without real encryption or authentication. This attack is possible if the connection initiator (client or relay) is running an unpatched OpenSSL, and if the relay is running an unpatched OpenSSL 1.0.1. If either party has upgraded, or if the relay is running a version before 1.0.1, the attack fails. The circuit-layer crypto (which happens under the TLS layer) should still provide significant protection for user communications over Tor. But a MITM attack of this kind could still help traffic analysis, and likely other unexpected badness as well. Because of this, I'd strongly recommend that everybody should upgrade. If you're using Tor packages from our website, please update to the latest versions as soon as they're available; I hope that will be very soon. If your Tor is built against an OpenSSL provided by your operating system distribution, please install the vendor updates as soon as they're available. Here's the official OpenSSL security advisory: https://www.openssl.org/news/secadv_20140605.txt Here's a good write-up by Adam Langley, explaining this bug in detail: https://www.imperialviolet.org/2014/06/05/earlyccs.html Here's a post from the original discoverer of the bug. http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html And here's the vulnerability's website (since all vulnerabilities have a website), complete with scary logo: http://ccsinjection.lepidum.co.jp/ (As a side-note, you should also be concerned about OpenSSL-based applications that you're using that _aren't_ Tor. Tor is comparatively resilient to having one layer of crypto removed; but most protocols aren't. Fortunately, Firefox/TorBrowser is using NSS for its TLS crypto.) (As a final side-note: today's OpenSSL releases fix some other bugs too. If you run other programs that use OpenSSL -- particularly ones that do DTLS -- you should upgrade for that reason too.) cheers, -- Nick