As suggested by Steven M. Bellovin:

Add a note reminding users to manually set up EntryNodes in order to
prevent an information disclosure vulnerability in this version of tor.

1 files changed, 17 insertions, 1 deletions

diff --git a/net/tor/MESSAGE b/net/tor/MESSAGE
index 0a196f75107..b52d3e2f933 100644
--- a/net/tor/MESSAGE
+++ b/net/tor/MESSAGE
@@ -1,5 +1,5 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.2 2005/08/04 10:55:31 drochner Exp $
+$NetBSD: MESSAGE,v 1.3 2006/01/16 16:52:31 jschauma Exp $
 
 You probably want to install www/privoxy to torify your browsers.  Please
 see http://tor.eff.org/cvs/tor/doc/tor-doc.html for details.
@@ -13,3 +13,19 @@ If you wish to chroot tor, you may find the following URLs helpful:
   http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot
 
 ===========================================================================
+
+Security Note:
+
+If you offer a Tor hidden service, an adversary who can run a fast Tor server
+and who knows some basic statistics can find the location of your hidden
+service in a matter of minutes to hours.
+
+See http://archives.seul.org/or/announce/Jan-2006/msg00001.html
+for details.
+
+To prevent this information disclosure, manually configure a half dozen
+EntryNodes.
+
+See http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ChooseEntryExit
+
+===========================================================================