Tor infrastructure compromised. Upgrade now!

21 January 2010

A most disturbing announcement was posted to the or-talk mailing list by Roger Dingledine, one of the core developers of Tor. Earlier this month it was discovered that moria1 and gabelmoo, two of the seven directory authorities of the Tor darknet, were compromised, along with a server added to the project's domain to track and serve metrics. One of the boxen was imaged for later analysis, but all of them were rebuilt from scratch. New crypto keys were cut for the directory authorities because of the compromise, necessitating a new release of the software. Scarily, moria also hosted the Subversion and git repositories for the project, though the source code was audited and no malicious alterations were found. By all appearances, the crackers were looking for systems with lots of bandwidth and didn't pay much attention to the contents of the machines.

The directory authority servers exist to give any instance of Tor on the Net that asks for it a cryptographically signed list of all documented nodes in the darknet and their status, which is used to determine what nodes a given client can connect to and what state they're in. The idea is that a majority of the directory authorities have to agree on, and sign, the same record for it to be considered valid, so with only two of the seven compromised a faked network status consensus could not be handed out. The public keys of the directory authorities are hardcoded into Tor itself, which is why an emergency release had to be made once the keys were replaced.
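The majority rule just described, as an added example that is not code from the Tor project: a client with seven hard-coded authority identities accepts a consensus only when more than half of them have signed it, so the two compromised keys alone cannot produce an acceptable forgery. The authority names other than moria1 and gabelmoo are constructed placeholders, and an HMAC-SHA256 over the document stands in for the real RSA signature so the example runs offline.

```python
import hashlib
import hmac

# Seven directory authorities, as in the post. Two names come from the post;
# the other five are constructed placeholders. Each value stands in for the
# authority's signing key: real Tor uses RSA keys whose identities are
# hard-coded into the client, and this example substitutes HMAC-SHA256 so it
# runs offline. The quorum rule below is what the example demonstrates.
AUTHORITY_KEYS = {
    "moria1": b"constructed-key-moria1",
    "gabelmoo": b"constructed-key-gabelmoo",
    "auth3": b"constructed-key-3",
    "auth4": b"constructed-key-4",
    "auth5": b"constructed-key-5",
    "auth6": b"constructed-key-6",
    "auth7": b"constructed-key-7",
}


def sign(authority, document, keys=AUTHORITY_KEYS):
    """Produce one authority's signature over a consensus document."""
    return hmac.new(keys[authority], document, hashlib.sha256).digest()


def count_valid_signatures(document, signatures, trusted=AUTHORITY_KEYS):
    """Count distinct trusted authorities whose signature verifies.

    `signatures` is a list of (authority_name, signature) pairs as a client
    would receive them attached to the consensus. Unknown names are ignored
    and a repeated signature from the same authority is counted once.
    """
    valid = set()
    for name, sig in signatures:
        key = trusted.get(name)
        if key is None:
            continue  # not one of the hard-coded authorities
        expected = hmac.new(key, document, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid.add(name)
    return len(valid)


def consensus_is_valid(document, signatures, trusted=AUTHORITY_KEYS):
    """Accept the consensus only if a strict majority of authorities signed it."""
    return count_valid_signatures(document, signatures, trusted) > len(trusted) // 2


def demo():
    honest = b"network-status-consensus: relays A, B, C"
    forged = b"network-status-consensus: relays X, Y, Z"
    honest_sigs = [(n, sign(n, honest)) for n in AUTHORITY_KEYS]
    # The attacker holds only the keys of the two compromised authorities,
    # and padding the list with copies of those signatures changes nothing.
    forged_sigs = [(n, sign(n, forged)) for n in ("moria1", "gabelmoo")] * 2
    return consensus_is_valid(honest, honest_sigs), consensus_is_valid(forged, forged_sigs)
```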

The worrying thing about this break-in is that one of the compromised machines contained an archive of bridge descriptors dating back to 2009. While this in itself isn't critical to the security of the Tor darknet, it does represent a significant list of otherwise undocumented entry points for clients into the darknet, which would make it that much easier for unscrupulous parties to make using the darknet harder. Roger says that there is sufficient turnover of bridges that the impact won't be great.