The Tor Project has removed from its network this week more than 800 servers that were running outdated and end-of-life (EOL) versions of the Tor software.
The removed servers represent roughly 13.5% of the 6,000+ servers that currently comprise the Tor network and help anonymize traffic for users across the world.
Roughly 750 of the removed servers represent Tor middle relays, and 62 are exit relays — where users exit the Tor network onto the world wide web after having their true location hidden through the Tor network.
The organization said it plans to release a Tor software update in November that will natively reject connections with EOL Tor server versions by default, without any intervention from the Tor Project staff.
“Until then, we will reject around 800 obsolete relays using their fingerprints,” the Tor Project said in a statement this week.
The Tor team said it banned these servers because of security reasons, as the outdated Tor relays were now vulnerable to various attacks, or lacked security features added in more recent versions of the Tor server software.
Some Tor server admins updated, some didn’t
Plans to blackball outdated servers were set in motion at the beginning of September. Initially, the Tor Project team had plans to remove 1,276 Tor servers running EOL versions; however, after Tor developers sent out email notifications to some server owners, the number went down to the 800+ servers removed this week.
“I applaud the Tor Project’s decision on this, it will leave the Tor network in a better state,” Lunar, Lead Researcher of Security at TorWorld, an organization that maintains Tor servers, told ZDNet in an interview today.
“It’s incredibly important to install security updates, even for Tor, as they’re constantly improving their daemon.
“I believe these relay operators are simply neglecting their servers,” Lunar said. “I see this all too often in the hosting industry. The majority of people leave their servers running end-of-life operating systems and ancient software.
“Most people don’t do anything until something goes wrong or something goes down. It’s most likely that the majority of these operators are just paying the bills and never touching their relays.
“Unfortunately, people neglect their infrastructure most of the time,” Lunar told ZDNet. “This is where automation is really the savior. I would recommend operators learn Ansible and use Nusenu’s ansible-relayor. Otherwise, setting up something like unattended-upgrades on Linux relays is important.”
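The automation Lunar recommends only helps if an operator can tell whether a relay is on a version the network will still accept. The following script is an added example, not part of the ZDNet article and not the Tor Project's or TorWorld's own tooling: it parses the version out of `tor --version` output or a relay descriptor's `platform` line and flags it against a list of end-of-life release series. The EOL series in `EOL_SERIES` are constructed placeholders, as are the sample version strings; the real list comes from the Tor Project's release announcements.

```python
"""Flag a Tor relay whose daemon is on an end-of-life release series.

Added example for illustration; the EOL list below is a constructed
placeholder and must be replaced with the Tor Project's current list.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Constructed placeholder: release series (major, minor, micro) treated as EOL.
EOL_SERIES = {(0, 2, 9), (0, 3, 4), (0, 4, 0)}

# Tor versions look like 0.4.1.6 or 0.4.2.1-alpha, optionally followed by
# build metadata such as "(git-abcdef)". Only the four numeric parts matter here.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([a-z]+))?")


def parse_tor_version(text: str) -> Optional[Version]:
    """Extract (major, minor, micro, patch) from text such as
    'Tor version 0.4.1.6.' (tor --version) or
    'Tor 0.4.1.6 on Linux' (descriptor platform line). None if absent."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups()[:4])  # type: ignore[return-value]


def is_eol(version: Version, eol_series=EOL_SERIES) -> bool:
    """A version is EOL when its release series (first three numbers) is listed."""
    return version[:3] in eol_series


def check_relay(version_text: str) -> Tuple[str, Optional[Version]]:
    """Classify a version string as 'eol', 'supported' or 'unknown'."""
    version = parse_tor_version(version_text)
    if version is None:
        return ("unknown", None)
    return ("eol" if is_eol(version) else "supported", version)


def check_local_tor() -> Tuple[str, Optional[Version]]:
    """Run the locally installed tor binary, if any, and classify its version.
    Returns ('unknown', None) when tor is not installed or fails to run."""
    tor_path = shutil.which("tor")
    if tor_path is None:
        return ("unknown", None)
    try:
        output = subprocess.run([tor_path, "--version"], capture_output=True,
                                text=True, timeout=10, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return ("unknown", None)
    return check_relay(output)


if __name__ == "__main__":
    # Constructed sample inputs: one tor --version line and two descriptor
    # platform lines. Exit non-zero if anything is EOL, so the script can
    # sit in cron or an Ansible task as a gate.
    samples = [
        "Tor version 0.4.1.6.",
        "Tor 0.2.9.17 on Linux",
        "Tor 0.4.2.1-alpha (git-0123abcd) on FreeBSD",
    ]
    worst = 0
    for sample in samples:
        status, version = check_relay(sample)
        print(f"{status:9s} {version} <- {sample!r}")
        worst = max(worst, 1 if status == "eol" else 0)
    raise SystemExit(worst)
```

Run against a live relay, `check_local_tor()` does the same classification on the installed daemon's `tor --version` output; a non-zero exit is the signal an unattended-upgrades or Ansible run should act on.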