In association with heise online

06 August 2007, 09:18

Update fixes vulnerability in Tor anonymisation service


Version of the Tor anonymisation software fixes a security vulnerability which could have allowed remote manipulation of the user's configuration file (torrc). According to the developers, the vulnerability could compromise users' anonymity. Users running most configurations are affected, especially configurations which control Tor via graphical user interfaces such as Vidalia or TorK.

These graphical user interfaces control the local Tor service using the Tor Control Protocol (TC), which accepts commands for the local anonymisation service on port 9051. Tor now closes such connections if authentication fails, and allows only one further login attempt. According to the release notes, Tor installations which have the ControlPort option disabled in the torrc file are not affected by this vulnerability. The developers urgently recommend updating to the new version, which is already available for download from the project's website.
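As an added example (not part of the original article or the Tor project's code), the following script checks a torrc for the condition the release notes describe, namely whether ControlPort is enabled, and also reports whether control-port authentication is configured. It assumes the standard torrc options `HashedControlPassword` and `CookieAuthentication`, which the article does not name, and the sample file and function names are constructed for illustration.

```python
SAMPLE_TORRC = """\
# Constructed sample torrc for this example, not taken from a real host.
SocksPort 9050
ControlPort 9051            # local controller (e.g. a GUI) connects here
#HashedControlPassword 16:PLACEHOLDER
CookieAuthentication 0
"""

def parse_torrc(text):
    """Map each lower-cased option name to the list of values given for it."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        if not line:
            continue
        parts = line.split(None, 1)              # keyword, then the rest
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0].lower(), []).append(value)
    return options

def control_port_enabled(options):
    """True if any ControlPort line names a port other than 0 (0 = disabled)."""
    for value in options.get("controlport", []):
        endpoint = value.split()[0] if value else "0"
        if endpoint.rsplit(":", 1)[-1] != "0":   # accepts "9051" or "addr:9051"
            return True
    return False

def control_auth_configured(options):
    """True if a hashed password or cookie authentication is set."""
    has_password = any(options.get("hashedcontrolpassword", []))
    cookie_on = options.get("cookieauthentication", ["0"])[-1] == "1"
    return has_password or cookie_on

def audit_torrc(text):
    """Classify a torrc as 'disabled', 'authenticated' or 'unauthenticated'."""
    options = parse_torrc(text)
    if not control_port_enabled(options):
        return "disabled"
    return "authenticated" if control_auth_configured(options) else "unauthenticated"

if __name__ == "__main__":
    print(audit_torrc(SAMPLE_TORRC))
```

Only the "disabled" result corresponds to the installations the release notes describe as unaffected; the other two results still call for the update.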

A new version of the Vidalia graphical user interface bundled with the Tor service is available for Mac OS X. The developers advise Windows users either to wait for a forthcoming Vidalia package or to install the latest version of Tor and the Vidalia interface separately.
