Tor developers vow to fix bug that can uncloak users (original) (raw)

He said the fix was complicated because the researchers didn't provide all the technical details when privately informing Tor officials of the vulnerability.

"We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything," he wrote. "The main reason for trying to be delicate is that I don't want to discourage future researchers from telling us about neat things that they find. I'm currently waiting for them to answer their mail so I can proceed."

In a previous e-mail, Dingledine said Tor developers "informally" received some materials related to the vulnerability. He went on to say Tor officials played no role in the cancellation of the Black Hat talk.

"We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made," he wrote.

CMU is affiliated with CERT, which coordinates security disclosures between researchers and affected parties. A CMU spokesman contacted Monday didn't elaborate on the reasons for pulling the talk.