Can the CLIENT KEYs really be compromised by this bug?
From what I have understood, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM in the server.
This means the attack vector would be limited to:
impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.
Thus any client-side wallets should be safe since those private keys are never transmitted or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)
The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?
If what the Bitcoin devs say is correct (that client keys can be compromised), it would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitor's bank details, and that would make the security hole way more critical than it is today.
Bitcoin Core is considered a server / creates what would be considered a server in at least one of the cases highlighted by theymos.
And, even if it acted as a client in the other: This vulnerability also affects clients, which is basically why, if a browser you use uses OpenSSL (Android Browser, for example), the server itself can attack you this way.
So yes, what you say in your final sentence is true (at least for browsers using OpenSSL).