Post Heartbleed, Tor could significantly reduce capacity -- but is it enough?
Few big names have been left unaffected by the Heartbleed bug in OpenSSL. Google may have rushed to patch the flaw, but the number of websites and services that fell foul of the discovery is staggering. Even stalwarts of security are finding themselves in troubled waters, and this includes the anonymizing service Tor.
Put very simply (very, very simply!), Tor works by encrypting traffic in layers and relaying it through a chain of volunteer-run servers, so that no single relay sees both where the traffic came from and where it is going, making it all but impossible to trace to a particular user or computer. Those relays use OpenSSL for the TLS connections between them, and it transpires that some of them are running versions that are vulnerable to Heartbleed, which has led to calls for the affected relays to be shut out of the network. Writing to the Tor mailing list, developer Roger Dingledine suggests that up to 12 percent of the network's capacity may be lost if all of the vulnerable relays are taken offline.
Security and anonymity are at the very heart of Tor, so it is understandable that users would want steps to be taken to eradicate such a well-publicized flaw. Reducing capacity by an eighth would be a serious step to take, but Dingledine has already built up a list of nodes that should be rejected due to their vulnerable status. This is a list that is almost certain to grow: "I/we should add to this list as we discover other relays that come online with vulnerable openssl versions".
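The "12 percent of capacity" figure is a bandwidth-weighted share, not a count of relays: a handful of fast relays can matter more than many slow ones. The script below is an added example, not code from the article or from the Tor Project, showing how such a figure is derived from network-status consensus entries and a reject list keyed by relay fingerprint. The consensus snippet is constructed test data in the shape of real `r`/`s`/`v`/`w` lines (the identities are dummy all-zero, all-one and all-two byte strings, not real relays), and the reject list is likewise invented.

```python
import base64
from dataclasses import dataclass

# Constructed sample in the shape of network-status consensus entries.
# These are invented relays, not a real consensus snapshot.
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2014-04-16 10:00:00 198.51.100.1 9001 9030
s Fast Guard Running Stable Valid
v Tor 0.2.4.21
w Bandwidth=4000
r bravo AQEBAQEBAQEBAQEBAQEBAQEBAQE 2014-04-16 10:00:00 198.51.100.2 9001 0
s Fast Running Valid
v Tor 0.2.4.21
w Bandwidth=1000
r charlie AgICAgICAgICAgICAgICAgICAgI 2014-04-16 10:00:00 198.51.100.3 443 0
s Exit Fast Running Valid
v Tor 0.2.3.25
w Bandwidth=3000
"""

# Invented reject list: hex fingerprints of relays found to be vulnerable.
# The consensus "v" line only carries the Tor version, not the OpenSSL
# version, so a list like this has to come from probing each relay.
REJECT_FINGERPRINTS = {"01" * 20}


@dataclass
class Relay:
    nickname: str
    fingerprint: str  # 40 hex chars, upper case
    version: str = ""
    bandwidth: int = 0  # consensus weight from the "w Bandwidth=" line


def identity_to_fingerprint(identity_b64: str) -> str:
    """Consensus 'r' lines carry the 20-byte identity digest as unpadded
    base64; restore the padding and render it as the usual hex fingerprint."""
    padded = identity_b64 + "=" * (-len(identity_b64) % 4)
    return base64.b64decode(padded).hex().upper()


def parse_consensus(text: str) -> list[Relay]:
    """Collect nickname, fingerprint, version and weight for each relay entry."""
    relays: list[Relay] = []
    current = None
    for line in text.splitlines():
        if line.startswith("r "):
            fields = line.split()
            current = Relay(nickname=fields[1],
                            fingerprint=identity_to_fingerprint(fields[2]))
            relays.append(current)
        elif current is None:
            continue
        elif line.startswith("v "):
            current.version = line[2:].strip()
        elif line.startswith("w "):
            for item in line[2:].split():
                key, _, value = item.partition("=")
                if key == "Bandwidth":
                    current.bandwidth = int(value)
    return relays


def capacity_lost(relays: list[Relay], reject: set[str]) -> tuple[float, float]:
    """Return (bandwidth-weighted fraction, relay-count fraction) that a
    reject list removes from the network."""
    reject = {fp.upper() for fp in reject}
    total_bw = sum(r.bandwidth for r in relays)
    lost_bw = sum(r.bandwidth for r in relays if r.fingerprint in reject)
    lost_count = sum(1 for r in relays if r.fingerprint in reject)
    bw_fraction = lost_bw / total_bw if total_bw else 0.0
    count_fraction = lost_count / len(relays) if relays else 0.0
    return bw_fraction, count_fraction


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    bw, count = capacity_lost(relays, REJECT_FINGERPRINTS)
    print(f"rejecting {count:.1%} of relays removes {bw:.1%} of weighted capacity")
```

In the constructed data one relay in three is rejected, but because it is the slowest of the three the network loses only an eighth of its weighted capacity, which is the kind of gap between "number of relays" and "capacity" that the 12 percent figure reflects.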
But the nature of Tor makes the clean-up harder than it sounds. Public relays are listed in the network consensus, so counting them is not the problem; the difficulty is that a relay does not advertise which OpenSSL version it is linked against, so each one has to be tested individually, and bridges, which are deliberately kept off the public lists, are harder still to track down. Hunting down every relay running a Heartbleed-prone version of OpenSSL is a mammoth task. There is also the fear that this could be a case of closing the stable door after the horse has bolted. Heartbleed lets an attacker read chunks of a vulnerable process's memory, so if vulnerable relays had already been found and exploited, their private keys and whatever traffic they were handling at the time could have been exposed. It is very hard to tell whether any lasting damage has been done, but faith is likely to wane as a result anyway.