Tor Network Attack: Key Compromise Response

TL;DR

Someone has stolen private keys for some important Tor nodes. This means they could try to track users or disrupt the network. We need to quickly identify affected nodes, revoke those keys, and update our software. This guide explains how.

Steps to Respond to a Tor Network Attack (Key Compromise)

  1. Confirm the Breach:
    • Check official Tor Project security announcements on the Tor Project website and mailing lists for confirmation of the key compromise.
    • Monitor relevant cybersecurity news sources and forums (e.g., Reddit’s /r/Tor) for reports.
  2. Identify Affected Nodes:
    • The Tor Project will publish a list of compromised node fingerprints. Obtain this list. This is usually in the form of a text file or on their website.
    • If you run relays, verify each relay's own fingerprint against that list. Tor prints a relay's nickname and fingerprint with its --list-fingerprint option (run it as the user that runs the relay so it reads the same torrc and DataDirectory), and also writes the same value to the fingerprint file in the DataDirectory. Example:
      tor --list-fingerprint
  3. Revoke Compromised Keys:
    • The Tor Project will provide instructions on how to revoke compromised keys. This usually involves updating your torrc configuration file.
    • Add the following line to your torrc file, replacing FINGERPRINT with the 40-character hexadecimal fingerprint of the compromised relay (list several as a comma-separated list; the leading $ is optional). Do not wrap the fingerprint in braces, because {XX} is Tor's country-code syntax:
      ExcludeNodes $FINGERPRINT
    • Restart Tor after making changes to the torrc file. Example (systemd):
      sudo systemctl restart tor
  4. Update Tor Client and Relay Software:
    • Download and install the latest version of the Tor Browser Bundle or Tor relay software from the official Tor Project download page. Newer versions will likely include protections against these compromised keys.
    • If you’re running a custom build, apply any security patches released by the Tor Project immediately.
  5. Check for Suspicious Activity:
    • Monitor your network traffic for unusual patterns or connections to known malicious sites.
    • Review Tor logs for unexpected errors or warnings. The log location varies depending on your operating system (e.g., /var/log/tor/log).
  6. Consider Using Bridge Relays:
    • If you suspect widespread monitoring, switch to using Tor bridges. Bridges are unlisted relays that can help bypass censorship and make it harder for attackers to track your connection. You can request bridges from the Tor Project’s bridge page.
  7. Report the Incident:
  8. Long-Term Security Measures:
    • Implement strong access controls for your Tor nodes (if you operate any).
    • Regularly audit your node configurations and software dependencies.
    • Keep your systems up to date with the latest security patches.
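Steps 2 and 3 above are the part of this procedure that is easy to get wrong by hand (a mistyped or lowercase fingerprint silently excludes nothing). The following script is an added example, not code from the original post or from the Tor Project. It assumes a compromised-fingerprint list file with one 40-hex-digit fingerprint per line (a leading $ and # comments tolerated), and reads the relay's own fingerprint from the fingerprint file Tor writes in its DataDirectory (format: "nickname FINGERPRINT"). It validates and de-duplicates the list, reports whether the relay's own key is on it, and prints a correctly formed ExcludeNodes line. All sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the Tor Project).
# Assumptions: list file = one fingerprint per line; relay fingerprint file
# = Tor's DataDirectory/fingerprint ("nickname FINGERPRINT").

# Normalise one fingerprint: strip a leading '$' and spaces, uppercase it.
# Prints the result; returns 1 unless it is exactly 40 hex digits.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ' $' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# Read the compromised list: drop comments and blank lines, validate each
# entry, uppercase it and de-duplicate. Malformed entries are reported on
# stderr rather than silently dropped, so a damaged list is noticed.
load_list() {
    sed 's/#.*//' "$1" | while read -r line; do
        [ -n "$line" ] || continue
        if fp=$(normalize_fp "$line"); then
            printf '%s\n' "$fp"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done | sort -u
}

# Build the torrc line. ExcludeNodes takes a comma-separated list of relay
# fingerprints; a leading '$' marks each entry unambiguously as a fingerprint.
# Returns 1 if the list yielded no valid fingerprints.
exclude_line() {
    fps=$(load_list "$1" | sed 's/^/$/' | paste -sd, -)
    [ -n "$fps" ] || return 1
    printf 'ExcludeNodes %s\n' "$fps"
}

# $1 = list file, $2 = DataDirectory/fingerprint.
# Prints the relay's fingerprint and returns 0 if it is on the compromised
# list; returns 1 if not; returns 2 if the fingerprint file cannot be parsed.
own_relay_affected() {
    own=$(awk 'NF >= 2 { print $2; exit }' "$2")
    own=$(normalize_fp "$own") || { echo "cannot parse $2" >&2; return 2; }
    load_list "$1" | grep -qx "$own" && printf '%s\n' "$own"
}

# Constructed sample input (not real Tor relays) so this runs offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/compromised.txt" <<'EOF'
# constructed list: one fingerprint per line, '$' prefix and case vary
$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
not-a-fingerprint
EOF
printf 'myrelay BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n' > "$tmpdir/fingerprint"

if hit=$(own_relay_affected "$tmpdir/compromised.txt" "$tmpdir/fingerprint"); then
    echo "this relay's identity key ($hit) is on the compromised list:"
    echo "stop the relay, generate new keys, and report it (step 7)"
fi
# Line to append to torrc before restarting Tor (step 3):
exclude_line "$tmpdir/compromised.txt"
rm -rf "$tmpdir"
```

On the constructed data the two lowercase/uppercase copies of the B fingerprint collapse to one entry, the malformed line is flagged on stderr, and the printed line is ExcludeNodes $AAAA…,$BBBB…. If you also set StrictNodes 1 in torrc, Tor enforces the exclusion even where it would otherwise fall back to an excluded relay.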