I’m glad to see that Tor has finally fixed the bug about the HSDir cache. Last year, a paper published at the WWW conference exploited this vulnerability to implement a denial-of-service attack on the Onion service. The attack can stealthily attack any onion service and requires very little spending.
I am happy to help Tor find and test vulnerabilities in the protocol. And I recommend that the Tor team pay attention to the teams working on Tor, such as the team working on this paper. Keeping up with the latest research is good for making Tor more secure.
Hi @everydayisoks, we appreciate responsible disclosure and encourage researchers to contact security@torproject.org as far as possible in advance. This allows the Tor Project to collaborate on improving the quality and accuracy of their research, verify findings, and work on mitigating potential vulnerabilities before they become public.
We can offer assurances of confidentiality, and correct handling of pre-print papers that are either under submission or review. Many researchers follow this approach, leading to more productive and fruitful collaborations and stronger security for the Tor network.
If you know the authors, please share this comment with them. Thank you!
There’s still no updated package for Debian stable in deb.tpo.org repos after 2 weeks? If there’s not going to be updates anymore at all, this could leave some public relays using outdated versions.
Getting this error when trying to update tor on Ubuntu 22.04 LTS, and a similar error on 24.04 LTS, using sudo apt update… It just started in the last day or so.
No. Do not use the packages in Ubuntu’s universe. In the past they have not been reliably updated. That means you could be missing stability and security fixes. Instead, please use Tor Debian repository.
I want to remind you that the issue is about the disappearance of Tor’s Ubuntu repositories, and the Tor website argues against using stock Ubuntu packages from universe.
I understand that the Ubuntu repository issue is being worked on, but can something be done in the interim to fix apt update besides expecting thousands of people to temporarily disable the repository and then re-enable it later?
Maybe put the previous version back where it was, or put a placeholder/empty Release file so apt update won’t get a 404 and bomb out?