Over a week after the revelation of a fatal flaw in the most recent versions of the OpenSSL cryptographic library—the encryption at the heart of much of the Internet’s security—a large number of systems associated with the Tor anonymizing network remain unpatched and vulnerable to attack. To protect the security of the network, the Tor Project flagged relay servers still susceptible to the Heartbleed bug for rejection, meaning they would not be allowed to pass traffic to the core of the network.
The Heartbleed bug, which allows attackers to retrieve bits of memory from the encryption engine, still affects about 10 percent of the relays and gateways that allow users to connect to the network, which could expose the encryption keys and even the IP addresses of users.
Read more at Ars Technica