On Fri, Feb 07, 2014 at 02:14:28PM +0100, tor-admin wrote:
> Sebastian, thanks for clarification. I remember there were some late changes
> #9063, #9072, #9093, and #10169 which made it into 2.4.X because of the DOS
> issues Rob Jansen described in
> https://blog.torproject.org/blog/new-tor-denial-service-attacks-and-defenses.
>
> Would it not be better to bring relays to a version that has defenses against
> these new attacks?

Nick and I met yesterday for some ticket closing and dev work, and part of that ended up with the decision to un-recommend 0.2.2.39, mainly because of general insecurity but also because it includes a hack for hidden service reachability that we'd like to retire. And while we were doing that, we decided to un-recommend a few more.

The 'recommended' versions list just controls whether a log message appears in your logs -- so it is a pretty special user indeed who will notice it. (In the past, the message also caused Vidalia to pop up a little window for you. But at this point, anybody running an old Vidalia bundle should probably upgrade.)

The 0.2.2.39 version was only still in the list because Debian oldstable ships it and we didn't want to upset the Debian world; we will continue to keep compatibility for a few more months until Debian oldstable goes away.

As usual it's a balance between crying wolf too often and keeping most of the network up-to-date. At this point most relays are on pretty recent versions (or on 0.2.3.25, but those are slowly disappearing). So long as much of the network is resistant to Rob's attacks, the few remaining relays that aren't don't pose that much of a threat. Also, 0.2.4.21 will be coming out pretty soon, and there's another patch coming to do the "exit stream" side of Rob's attacks. So I thought these steps would be the right balance for now.

(And Sebastian, sorry for conspiring with tor26 to make these changes while you were asleep. :) I'm still half expecting some Ubuntu or something to be shipping one of the versions we un-recommended, and to start getting a flood of user complaints. At which point we could back out the changes until we'd made a better plan, or at least prepared better.)

--Roger