More than a week after the revelation of a fatal flaw in the most recent versions of the OpenSSL cryptographic library—the encryption at the heart of much of the Internet’s security—a large number of systems associated with the Tor anonymizing network remain unpatched and vulnerable to attack. To protect the security of the network, the Tor Project flagged relay servers still susceptible to the Heartbleed bug for rejection, meaning they would not be allowed to pass traffic to the core of the network.
The Heartbleed bug, which allows attackers to retrieve bits of memory from the encryption engine, still affects about 10 percent of the relays and gateways that allow users to connect to the network. On an affected relay, that leaked memory could expose the relay's encryption keys and even the IP addresses of users.
In a blog post on April 7, the Tor Project alerted users to the bug, which affected the Tor client, relay, and bridge software; Tor’s “Hidden Service” darknet Web services; and even its internal directory servers. The Orbot client for Android was also vulnerable. The Tor Project team has been moving to provide patches for all of these components, and most of the core network was quickly secured.