More than a week after the revelation of a fatal flaw in the most recent versions of the OpenSSL cryptographic library—the encryption at the heart of much of the Internet’s security—a large number of systems associated with the Tor anonymizing network remain unpatched and vulnerable to attack. To protect the security of the network, the Tor Project flagged relay servers still susceptible to the Heartbleed bug for rejection, meaning they would not be allowed to pass traffic to the core of the network.

The Heartbleed bug, which allows attackers to retrieve bits of memory from the encryption engine, still affects about 10 percent of the relays and gateways that allow users to connect to the network, which could expose the encryption keys and even the IP addresses of users.

In a blog post on April 7, the Tor Project alerted users of the bug, which affected the Tor client, relay, and bridge software; Tor’s “Hidden Service” darknet Web services; and even its internal directory servers. The Orbot client for Android was also vulnerable. The Tor Project team has been moving to provide patches for all of the components, and most of the core network was quickly secured.

However, a significant percentage of the relay servers, many of which serve countries with heavy Internet censorship, have remained unpatched. These systems are operated by volunteers and may run unattended. As of Thursday evening, 586 relays were still susceptible to Heartbleed, according to an ongoing census by Red Team—making up about 10 percent of the network’s relay nodes.

However, the vast majority of the core network’s guard and exit nodes had been secured by Thursday evening, with only three exit servers still susceptible. Guard servers route incoming client traffic from relays on a randomized course across the network to an exit server before traffic is sent to its destination, anonymizing the location and identity of the user.