Agora Marketplace Changes Url Due to Heartbleed SSL Bug
Posted by: DeepDotWeb
April 12, 2014
Update: Market is back up and running at the new url: http://agorahooawayyfoe.onion/register/Gc2h4eoFAE
Agora Marketplace was taken down by its admins due to the Heartbleed bug, in order to move its servers and change the site's URL. If you try to browse the old site you will now get the message below, listing the new URLs. They say that the site will be back by the end of the week (but you know how it is: it can easily take longer than expected). We have received some info stating that once the site is back up, a change of passwords and PINs will be needed, and most likely even enforced once the site goes live again.
Message from the old URL:
===Start Quote===
Agora Announcement 2014-04-11
Earlier this week the details of a serious bug in the OpenSSL library were made public. This bug, which affected a large number of web servers and devices, was popularly referred to as ‘Heartbleed’. The bug allows anybody connecting to a vulnerable service to reveal the contents of memory on the server – and thus reveal secret keys, user information, passwords, etc.
There is more information about the bug and the versions of OpenSSL that are affected at the website set up for the bug:
http://heartbleed.com/
Agora is a hidden service served on the Tor network, and while Agora itself does not use the vulnerable library, the Tor software that makes up the network was affected by this bug in some instances since it integrates the OpenSSL library. The Tor project wrote a blog post about how this bug affects various aspects of the Tor service:
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
For users of the Tor Browser Bundle you should upgrade to the latest release version immediately, as the bundled version of Tor is vulnerable to the attack. Get the latest Tor Browser Bundle version from http://torproject.org
For Agora as a hidden service, we have investigated the possibilities of exploitation and to our current best knowledge, the most an attacker could hope to gain in a hypothetical situation of successful exploitation, is the ability to impersonate the hidden service.
The Tor blog post on this subject states:
“Like the last big OpenSSL bug, this shouldn’t allow an attacker to identify the location of the hidden service, but an attacker who knows the hidden service identity key can impersonate the hidden service.”
At this time even an attack like that is looking unlikely and we haven’t seen any signs of it being successfully executed. However, since the underlying bug is very serious and has been in the wild for an unclear amount of time, we will be taking the necessary precautions and shall hereby recycle all our previously used hidden service keys.
Effectively this means that we need to change the address of the market.
Additionally we have decided to take the market down for some time so we can fully investigate the effects and change all servers used by it in order to fully protect ourselves from any hypothetical damage or information leaks. We estimate that this process will be complete by the end of the week. We do understand that this is a big inconvenience for many of you, but please understand that we do this for the sake of your anonymity as well.
The new address to be used from now on to access Agora when it’s available will be:
http://agorahooawayyfoe.onion
The address to access Agora Forums is:
http://lacbzxobeprssrfx.onion
We are constantly vigilant about new threats and the security of our market and users and are taking these steps as a precaution.
===End Quote===
Taking Agora down, as it's the #1 market today, is most likely a big inconvenience for many people, so we only hope this will be sorted out soon and the site will be back up. We will keep following and updating as needed.
Updated: 2014-04-12