“Note that this bug affects way more programs than just Tor – expect everybody who runs an https webserver to be scrambling,” the Tor Project said in a blog. “If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle.”
Independent investigator Collin Mulliner decided to further examine Heartbleed’s effect on Tor, and pulled a list of about 5,000 nodes to examine. Using a proof-of-concept exploit, he found 1,045 of the 5,000 nodes to be vulnerable, or about 20%. The vulnerable Tor exit nodes leak plain text user traffic, he said, meaning that hackers can lift host names, downloaded web content, session IDs and so on.
"The Heartbleed bug basically allows anyone to obtain traffic coming in and out of Tor exit nodes (given that the actual connection that is run over Tor is not encrypted itself),” Mulliner explained. “Of course a malicious party could run a Tor exit node and inspect all the traffic that passes through it, but this requires running a Tor node in the first place. Using the Heartbleed bug, anyone can query vulnerable exit nodes to obtain Tor exit traffic.”
To fix the issue, Tor is in the process of updating vulnerable nodes. In the meantime, it can create a blacklist of vulnerable Tor nodes and avoid them – something that it’s started to do. It’s a process that could lead to the network losing about 12% of its exit capacity, Tor noted.
The majority of the vulnerable Tor nodes are located in Germany, Russia, France, the Netherlands, the UK and Japan, Mulliner found.