Re: [Tails-dev] [tor-talk] heartbleed: ETA for tor release(s…

Author: Nick Mathewson
Date:  
To: anonym
CC: tor-talk@lists.torproject.org, The Tails public development discussion list, tor-dev
Subject: Re: [Tails-dev] [tor-talk] heartbleed: ETA for tor release(s) that blacklist affected directory authority keys? (#11464)

On Wed, Apr 23, 2014 at 12:46 PM, anonym <anonym@???> wrote:
[...]
> Given the planned release date for Tails 1.0, this actually doesn't look
> too bad a compromise. I had a quick look at the other tickets tagged
> `024-backport` and nothing seemed very important.


For future reference, don't just look at 024-backport -- that's for
tickets that are currently in 0.2.5 or later but which should (maybe!)
get backported to 0.2.4 after a fix. Also look at the tickets in
milestone "Tor: 0.2.4.x-final": those include ones that were never
marked as backportable when they were in 0.2.5, but which, after
resolving them, somebody decided we should consider for backport
anyway.

(It doesn't make a difference in this case, IMO, but it's something to
be aware of.)

>     However, before
> deciding on this, I'd really appreciate a confirmation from any of you
> Tor devs that, as it looks now, the next 0.2.4 release will have no
> other important security fixes affecting *Linux* *clients*. So, will it?


It depends what you consider a "fix" versus a "feature", and what you
think is "important".

The only ones I'd consider to maybe meet your criteria are:
#9386
#11438

-- those two will make clients significantly more resistant to using
bad cryptography at the TLS layer.

Also -- since you're asking for a solid confirmation here -- I need to
insert the disclaimer that this is only based on what I know about
today. I might be forgetting something, and we might learn about
something tomorrow that would change all of this. In other words,
it's a prediction, not a promise. ;)

best wishes,
--
Nick