SecurityWeek

Tor to Reject End-of-Life Relays by Default

Starting with its next stable release, Tor (The Onion Router) browser will reject End-Of-Life relays by default, the Tor Project has announced.

There are over 6,000 relays in the Tor network at the moment, some running software dating all the way back to the 0.2.4.x series, released on December 10, 2013. There are also 85 different Tor versions in use by relays today.

The decision to reject End-Of-Life relays was driven by the fact that they have a negative impact on the network, mainly affecting its stability and security, but also preventing the rollout of new features.

“One example is the Denial of Service defenses that we rolled out at the start of 2018 as an emergency reaction to a large scale attack on the network. Unfortunately, that defense is only available for relays running supported versions,” Tor says.

The Tor circuit padding defense, which was introduced in version 0.4.1.x to better hide client onion service requests from network observers, was also impacted, and it would only work for circuits that have a 0.4.1.x (or later) relay as their middle hop.

Moreover, a bug in the 0.3.2.x series causes some out-of-date relays to increase latency and add overall network load.

Thus, Tor has decided to remove End-Of-Life relays from the network, and has already taken steps to contact relay operators with valid ContactInfo fields to ask them to upgrade. The Tor relay community was informed of this change in early September.

At the moment, the End-Of-Life relays make up around 12% of the total bandwidth, or roughly 750 relays. Only 62 are exit relays, with only 1.68% of the total exit traffic going through them.

“We expect a minor impact on the size of the network, and a small drop in the Metrics graph,” Tor says.

Starting this week, the 9 directory authorities will begin to refuse End-Of-Life relays.

Expected sometime in November, the next stable Tor release will reject End-Of-Life relays by default, but, until then, the Tor Project plans on rejecting around 800 obsolete relays based on their fingerprints.

Obsolete bridges will only be rejected later this year, after the Tor software change is deployed.

Relay operators will be able to re-join the network upon upgrading to a version that is still supported. Those who upgrade will be able to keep their relay keys by emailing the bad relay list to ask them to stop rejecting their fingerprint.

“Support from relay operators is essential to keep the network healthy. Operators must keep their relays and machines up to date. Relays are the backbone of all software that relies on Tor, and each operator helps immensely in providing people with privacy and freedom online around the world. We cannot thank them enough,” the Tor Project notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
