Open-Source Tool Identifies Weak Bitcoin Wallet Signatures

The developer behind a program that checks for the Heartbleed vulnerability, Filippo Valsorda, has created a new tool that he says tracks down poorly secured bitcoin transactions.
...
Not everyone agrees with the conclusions, however. Armory’s CEO and founder Alan C Reiner told CoinDesk:
“Valsorda is criticizing the globally standardized use of ECDSA, which is implemented and applied properly in our software. Since ECDSA was created, it has always required a random number generator and all software that implements it should use a random number generator. That’s part of its specification.”
...
CoinDesk also spoke to Blockchain about Valsorda’s claims. A spokesperson said:
“This issue first came to our engineering team’s attention in August 2013. We took steps then to patch the vulnerability created by a small minority of users relying on old out-of-date web browser versions.
Blockchain’s My-Wallet tool relies on, not one, but three sources of entropy to generate ECDSA signing keys: the browser-based RNG, mouse movement & keyboard interaction, and a server-side RNG. This protects users from out-of-date browsers with weak RNGs while maintaining the ability to run a fully client-side, non-custodial wallet that is easy to use across your desktop and mobile devices.”
...
Valsorda has made his code freely available to other developers by posting it on GitHub and has called on fellow developers to address the issue, taking care in their choice of random number generators.
http://www.coindesk.com/open-source-tool-identifies-weak-bitcoin-wallet-signatures/