[Tor-BSD] Hardened Tor

Shawn Webb shawn.webb at hardenedbsd.org
Sat Jan 27 12:02:35 EST 2018


Hey All,

The HardenedBSD 12-CURRENT/amd64 package build just finished, applying
retpoline to the entirety of the ports tree/package repo. Applying
retpoline helps mitigate one of the Spectre variants.

This means that Tor on HardenedBSD 12-CURRENT/amd64 is compiled with:

1. PIE
2. Full RELRO (RELRO + BIND_NOW)
3. CFI (with the cfi-icall scheme disabled)
4. SafeStack
5. Retpoline

All of these layers are going to make life very difficult for an
attacker attempting to exploit the tor daemon itself. If you have any
further suggestions on hardening the tor daemon, please let me know.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
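
Added example, not part of the original post and not HardenedBSD code: one way to confirm items 1 and 2 of the list above (PIE and Full RELRO) by reading a binary's ELF header, program headers and dynamic table. It goes no further than those two items; CFI, SafeStack and retpoline are not checked. The function names, the `build_sample` helper and the `HARDENED` image are hypothetical and constructed for illustration.

```python
import struct
ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
NOW_BITS = {DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW}
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64, little-endian

def check_hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status of a 64-bit little-endian ELF image."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro = interp = bind_now = pie_flag = False
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        relro |= p_type == PT_GNU_RELRO
        interp |= p_type == PT_INTERP
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic table; stop at DT_NULL or at the end of the file.
        end = min(p_offset + p_filesz, len(elf)) - 15
        for off in range(p_offset, end, 16):
            tag, val = struct.unpack_from(DYN, elf, off)
            if tag == DT_NULL:
                break
            bind_now |= tag == DT_BIND_NOW or bool(val & NOW_BITS.get(tag, 0))
            pie_flag |= tag == DT_FLAGS_1 and bool(val & DF_1_PIE)
    # Shared libraries are ET_DYN too, so require an interpreter or DF_1_PIE.
    state = "full" if relro and bind_now else "partial" if relro else "none"
    return {"pie": e_type == ET_DYN and (interp or pie_flag), "relro": state}

def build_sample(e_type, phdr_types, dyn):  # builds a constructed test image
    dyn_off = 64 + 56 * len(phdr_types)
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn + [(DT_NULL, 0)])
    out = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    for t in phdr_types:
        off, size = (dyn_off, len(dyn_bytes)) if t == PT_DYNAMIC else (0, 0)
        out += struct.pack(PHDR, t, 4, off, off, off, size, size, 8)
    return out + dyn_bytes

# Constructed sample: a PIE executable linked with -z relro -z now.
HARDENED = build_sample(ET_DYN, [PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO],
                        [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])

if __name__ == "__main__":
    print(check_hardening(HARDENED))
```

To check an installed binary, read it with `open(path, "rb").read()` and pass the bytes to `check_hardening`; a result of `partial` means the RELRO segment is present but lazy binding is still enabled.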