Critical Tor vulnerability: Attackers can deanonymize users. All users should upgrade

https://blog.torproject.org/blog/tor-02234-released-security-patches

Critical Tor vulnerability: Attackers can deanonymize users. All users should upgrade.

 

Wow. Thanks for the post. Have now upgraded my relay.

 

Thank you!

 

Thanks. Updated my exit node.
Anyone notice the recent blog posts there, specifically this one?
Plain Vidalia Bundles to be Discontinued (Dont-Panic!)

 

I saw it too yesterday. It's not a big issue for me, because I use the expert bundle in the rare cases I really need TOR. If they remove the Expert Bundle, I will compile TOR from source, and if they remove the source code I see no reason to use TOR anymore
The problem is that it's a matter of choice, and they seem to not understand that. I believe that they want to make sure that every user runs a relay or exit node, but I'd try to educate the users to do that, not force them.
Besides, the blog uses phrases like "This configures Tor to run as a non-exit relay by default" or "This configures Tor to run as an exit relay by default", so I am pretty sure that you will be able to edit torrc file in order to make it act as you want.

 

Tor is just a honeypot for the FBI, so unless you set up or rent your own private exit node it's worthless.

 

How about no. Tor is not nor has it ever been a "honeypot". To monitor the entire system, it would have to be a honeynet, or a honeyfarm which obviously it isn't. All that being said, there are tons of honeypots connected to Tor, and yes, the FBI along with every other agency has a presence. Tor is open source, which would make it damn near impossible to be one large FBI or any agency trap. It's also impossible because of jurisdictional issues..remember the world uses it...and the FBI doesn't have jurisdiction everywhere. The FBI isn't even capable of undertaking such an operation, what you're suggesting would be in the realm of the CIA or NSA.

 

The FBI may control a few of the exit nodes, as would just about every other government on the planet, but none of them control them all. That would be physically impossible. The exit node doesn't see the source IP of the traffic, only the previous relay it came through. It doesn't see the relay the user initially connects to. Unless the entire chain is compromised or both ends are being monitored and that specific traffic is being singled out, there's no way they can realistically track someone through the Tor network, unless the original users system is leaking data badly. If properly set up, your own browser won't know your internet IP and therefore can't leak it.