2006-12-17: Tor 0.1.1.26 fixes HttpProxyAuthenticator privacy flaw
Tor 0.1.1.26 fixes a serious privacy bug for people who use the HttpProxyAuthenticator config option: Tor would send your proxy auth directly to the directory server when you're tunnelling directory requests through Tor. Specifically, this happens when publishing or accessing hidden services, or when you have set FascistFirewall or ReachableAddresses and you're accessing a directory server that's not reachable directly.
If you use HttpProxyAuthenticator, we recommend you switch to 0.1.1.26 or stop using it for now. The upcoming 0.1.2.5-alpha (not yet finished) will have this bugfix too. For people running 0.1.0.x who absolutely cannot upgrade, here's your patch:
Changes in version 0.1.1.26 - 2006-12-14
- Security bugfixes:
  - Stop sending the HttpProxyAuthenticator string to directory servers when directory connections are tunnelled through Tor.
  - Clients no longer store bandwidth history in the state file.
  - Do not log introduction points for hidden services if SafeLogging is set.
- Minor bugfixes:
  - Fix an assert failure when a directory authority sets AuthDirRejectUnlisted and then receives a descriptor from an unlisted router (reported by seeess).
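To check whether an installation is affected by the HttpProxyAuthenticator flaw described above, the following added example (not code from the Tor project or from this announcement) audits a torrc against the version information given here. The sample torrc, the function names and the version strings passed in are constructed for illustration; a 0.1.0.x build with the patch applied by hand would still be reported as unfixed.

```python
import re

# Constructed sample torrc (not from the page); the credential is a placeholder.
SAMPLE_TORRC = """\
# client behind an authenticating proxy
HttpProxy proxy.example.internal:3128
HttpProxyAuthenticator user:PLACEHOLDER
FascistFirewall 1
ReachableAddresses *:80,*:443
"""

# Options the announcement ties to directory requests being tunnelled through Tor.
# HiddenServiceDir covers publishing a hidden service; merely accessing one
# leaves no trace in torrc, so an empty trigger list does not mean "safe".
TRIGGERS = ("fascistfirewall", "reachableaddresses", "hiddenservicedir")


def parse_torrc(text):
    """Map lowercased option name -> list of values (option names are case-insensitive)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def has_fix(version):
    """True for 0.1.1.26+ in the 0.1.1.x series, or 0.1.2.5-alpha and later."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Tor version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    if v[:3] == (0, 1, 1):
        return v[3] >= 26
    return v >= (0, 1, 2, 5)


def audit(torrc_text, version):
    """Report exposure without ever echoing the authenticator value."""
    opts = parse_torrc(torrc_text)
    auth_set = "httpproxyauthenticator" in opts
    active = [t for t in TRIGGERS if any(v != "0" for v in opts.get(t, []))]
    return {"authenticator_set": auth_set, "fixed": has_fix(version),
            "triggers": active, "exposed": auth_set and not has_fix(version)}


if __name__ == "__main__":
    print(audit(SAMPLE_TORRC, "0.1.1.25"))
```

If `exposed` is true, the announcement's advice applies: upgrade or remove HttpProxyAuthenticator from torrc.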
last edited 2019-06-15