Cryddit (OP)
Legendary
 Offline
Activity: 924
Merit: 1129
|
 |
April 08, 2014, 05:41:20 PM |
|
OpenSSL has been revealed to have a huge gaping hole. http://www.bbc.com/news/technology-26935905Those who have been securing communications using https (which is essentially all of us) should change all passwords they have used with those systems. Those who have used the same password in https that they have used to encrypt their wallets - yeah, you can figure that out, right? An attacker may have the old password. You should be using a different one. |
|
|
|
|
|
|
|
|
|
|
|
|
|
Remember that Bitcoin is still beta software. Don't put all of your money into BTC!
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
blacksails
|
|
April 08, 2014, 06:03:40 PM |
|
OpenSSL has been revealed to have a huge gaping hole. http://www.bbc.com/news/technology-26935905Those who have been securing communications using https (which is essentially all of us) should change all passwords they have used with those systems. Those who have used the same password in https that they have used to encrypt their wallets - yeah, you can figure that out, right? An attacker may have the old password. You should be using a different one. This is quite bad. That'd mean I'd have to change almost all of my passwords… Geez, that will take some time! At least my wallet is encrypted with a completely different password. |
|
|
|
|
|
bitcoiner49er
|
|
April 08, 2014, 06:04:44 PM |
|
Nevermind
|
Homo doctus is se semper divitias habet
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
April 08, 2014, 08:07:54 PM |
|
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
April 08, 2014, 08:26:43 PM |
|
|
|
|
|
windpath
Legendary
Offline
Activity: 1258
Merit: 1027
|
|
April 08, 2014, 08:52:10 PM |
|
|
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
April 08, 2014, 09:17:45 PM |
|
Next up is huge concern about the exchanges that have not updated. EDIT: The vulnerability does not affect the bitcoin protocol or wallet. It may affect auxilary usage of TLS in RPC-over-SSL and when fetching payment requests over HTTPS. Not a big deal, but we are going to release a 0.9.1 that updates OpenSSL (see pull #4023 if you want to test) and fixes some other minor issues from 0.9.0. |
|
|
|
Cryddit (OP)
Legendary
Offline
Activity: 924
Merit: 1129
|
|
April 08, 2014, 09:23:38 PM
Last edit: April 09, 2014, 02:47:40 AM by Cryddit |
|
As far as I can see, this bug affects bitcoind in the case that you use RPC over a network to access your wallet.
If you don't, I don't believe there's any vulnerability that this exposes. (This is a quick examination only; there could be something I missed). If you have, and someone who knew about this bug was paying attention at the time, then that person may have your password.
OTOH, I think this explains the widespread SSL break implied by the Snowden papers.
EDIT:
I had not looked at the new payment protocol stuff with the recent client. It is also exposed to this bug. So, if you have used the payment prototocol over the network, you have been exposed.
|
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
April 08, 2014, 09:34:42 PM |
|
This bug must be intentional
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
April 08, 2014, 09:45:24 PM |
|
|
|
|
|
turio
Newbie
Offline
Activity: 14
Merit: 0
|
|
April 08, 2014, 09:55:24 PM |
|
this is a serious concern and everyone should patch up
|
|
|
|
|
|
Robert Paulson
|
|
April 08, 2014, 09:56:51 PM |
|
SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.
|
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
April 08, 2014, 09:58:31 PM |
|
SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.
Re keying is easy if the site cares |
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 08, 2014, 10:04:03 PM |
|
SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.
Generating a new key and cert as well as revoking the old cert takes less than an hour (honestly more like ten minutes but was being conservative). Of course many website were completely unaffected as they didn't use the compromised version of OpenSSL. BitSimple (among many other Bitcoin related sites) for example is unaffected. |
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
April 08, 2014, 10:06:41 PM |
|
Does anyone know if Cryptsy updated yet? EDIT: We have updated all of our OpenSSL servers and our DDOS provider has also updated. More information here: http://blog.cryptsy.com...or btc-e? On April 6th "We updated SSL certificate" ...That may have simply been expiring. Cannot tell what version of OpenSSL they are running. |
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 08, 2014, 10:14:00 PM |
|
Does anyone know if Cryptsy updated yet? EDIT: We have updated all of our OpenSSL servers and our DDOS provider has also updated. More information here: http://blog.cryptsy.com...or btc-e? On April 6th "We updated SSL certificate" ...That may have simply been expiring. Cannot tell what version of OpenSSL they are running. I don't vouch for the accuracy of this test but it indicates no vulnerability http://filippo.io/Heartbleed/#cryptsy.com |
|
|
|
|
awesomeami
Member
Offline
Activity: 98
Merit: 10
|
|
April 08, 2014, 10:18:32 PM |
|
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 08, 2014, 10:24:15 PM
Last edit: April 08, 2014, 10:49:02 PM by DeathAndTaxes |
|
Most users have absolutely no reason to upgrade. SSL isn't used in the Bitcoin protocol.
Only users who use bitcoind RPC calls over SSL/TSL connection have any potential vulnerability.
Do you not use bitcoind RPC? Then there is no urgent need to upgrade.
Do you use bitcoind RPC but don't use SSL? Then there is no urgent need to upgrade.
Do you use bitcoind RPC over SSL? Then you should halt your bitcoind server and upgrade before restoring access.On edit: Bad information. The payment protocol uses SSL any user could already be compromised if they used the new payment protocol "feature". Upgrade now or if you can't shutdown the client and don't restart it until such time as you can upgrade. |
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
April 08, 2014, 10:27:32 PM |
|
Does anyone know if Cryptsy updated yet? EDIT: We have updated all of our OpenSSL servers and our DDOS provider has also updated. More information here: http://blog.cryptsy.com...or btc-e? On April 6th "We updated SSL certificate" ...That may have simply been expiring. Cannot tell what version of OpenSSL they are running. I don't vouch for the accuracy of this test but it indicates no vulnerability http://filippo.io/Heartbleed/#cryptsy.comIt says you need to know the hostname (i.e. server.domain.com) not just the domain name. cryptsy tweeted about the update, but not sure about btc-e |
|
|
|
turio
Newbie
Offline
Activity: 14
Merit: 0
|
|
April 08, 2014, 10:33:54 PM |
|
thank you I am updating now |
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
April 08, 2014, 11:00:18 PM |
|
Most users have absolutely no reason to upgrade. SSL isn't used in the Bitcoin protocol.
Only users who use bitcoind RPC calls over SSL/TSL connection have any potential vulnerability.
Do you not use bitcoind RPC? Then there is no urgent need to upgrade.
Do you use bitcoind RPC but don't use SSL? Then there is no urgent need to upgrade.
Do you use bitcoind RPC over SSL? Then you should halt your bitcoind server and upgrade before restoring access.On edit: Bad information. The payment protocol uses SSL any user could already be compromised if they used the new payment protocol "feature". Upgrade now or if you can't shutdown the client and don't restart it until such time as you can upgrade. Isn't ssl used at the merchant? How's this effect our wallet? |
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 08, 2014, 11:05:38 PM |
|
Most users have absolutely no reason to upgrade. SSL isn't used in the Bitcoin protocol.
Only users who use bitcoind RPC calls over SSL/TSL connection have any potential vulnerability.
Do you not use bitcoind RPC? Then there is no urgent need to upgrade.
Do you use bitcoind RPC but don't use SSL? Then there is no urgent need to upgrade.
Do you use bitcoind RPC over SSL? Then you should halt your bitcoind server and upgrade before restoring access.On edit: Bad information. The payment protocol uses SSL any user could already be compromised if they used the new payment protocol "feature". Upgrade now or if you can't shutdown the client and don't restart it until such time as you can upgrade. Isn't ssl used at the merchant? How's this effect our wallet? SSL is used as both ends of the connection. I don't know enough about the new payment protocol "feature" to provide guidance on the scope and severity of a compromise. Since this is money we are talking about it is likely a good idea to be overly cautious. |
|
|
|
|
cr1776
Legendary
Offline
Activity: 4032
Merit: 1299
|
|
April 08, 2014, 11:10:02 PM |
|
This bug must be intentional
My thoughts too. Some three letter agency slipped it in. |
|
|
|
|
awesomeami
Member
Offline
Activity: 98
Merit: 10
|
|
April 08, 2014, 11:13:26 PM |
|
https://www.openssl.org/news/secadv_20140407.txtbest article about this bug http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.htmlChange ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all httpS ...(most paranoic - do it twice a day next 2 weeks - and don't forget them  ) Its 2 yo bug!! http://heartbleed.com/How to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
|
|
|
|
gweedo
Legendary
Offline
Activity: 1498
Merit: 1000
|
|
April 08, 2014, 11:15:50 PM |
|
Most users have absolutely no reason to upgrade. SSL isn't used in the Bitcoin protocol.
Only users who use bitcoind RPC calls over SSL/TSL connection have any potential vulnerability.
Do you not use bitcoind RPC? Then there is no urgent need to upgrade.
Do you use bitcoind RPC but don't use SSL? Then there is no urgent need to upgrade.
Do you use bitcoind RPC over SSL? Then you should halt your bitcoind server and upgrade before restoring access.On edit: Bad information. The payment protocol uses SSL any user could already be compromised if they used the new payment protocol "feature". Upgrade now or if you can't shutdown the client and don't restart it until such time as you can upgrade. Isn't ssl used at the merchant? How's this effect our wallet? SSL is used as both ends of the connection. I don't know enough about the new payment protocol "feature" to provide guidance on the scope and severity of a compromise. Since this is money we are talking about it is likely a good idea to be overly cautious. Basically they are saying that SSL certificate could be compromised, which in turn could allow an attack slip his address into the payment protocol and you wouldn't know. |
|
|
|
|
mullick
Legendary
Offline
Activity: 1064
Merit: 1002
|
|
April 09, 2014, 01:28:54 AM |
|
Does anyone know if Cryptsy updated yet? EDIT: We have updated all of our OpenSSL servers and our DDOS provider has also updated. More information here: http://blog.cryptsy.com...or btc-e? On April 6th "We updated SSL certificate" ...That may have simply been expiring. Cannot tell what version of OpenSSL they are running. I don't vouch for the accuracy of this test but it indicates no vulnerability http://filippo.io/Heartbleed/#cryptsy.comIt says you need to know the hostname (i.e. server.domain.com) not just the domain name. cryptsy tweeted about the update, but not sure about btc-e We patched it about 13 hours ago now  Tweet was put out after the update was complete |
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2100
Merit: 1040
A Great Time to Start Something!
|
|
April 09, 2014, 01:50:00 AM |
|
Does anyone know if Cryptsy updated yet? EDIT: We have updated all of our OpenSSL servers and our DDOS provider has also updated. More information here: http://blog.cryptsy.com...or btc-e? On April 6th "We updated SSL certificate" ...That may have simply been expiring. Cannot tell what version of OpenSSL they are running. I don't vouch for the accuracy of this test but it indicates no vulnerability http://filippo.io/Heartbleed/#cryptsy.comIt says you need to know the hostname (i.e. server.domain.com) not just the domain name. cryptsy tweeted about the update, but not sure about btc-e We patched it about 13 hours ago now Tweet was put out after the update was complete Good you had a fast response. This one was really serious, thanks. |
|
|
|
Hyena
Legendary
Offline
Activity: 2114
Merit: 1011
|
|
April 09, 2014, 11:37:10 AM |
|
http://filippo.io/Heartbleed/Can this site also do localhost:8332 to check if your bitcoin RPC is affected?
|
|
|
|
dserrano5
Legendary
Offline
Activity: 1974
Merit: 1029
|
|
April 09, 2014, 12:20:45 PM |
|
That made me lol  . Well, no it can't. |
|
|
|
|
|
Robert Paulson
|
|
April 09, 2014, 12:44:31 PM |
|
SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.
Generating a new key and cert as well as revoking the old cert takes less than an hour (honestly more like ten minutes but was being conservative). Of course many website were completely unaffected as they didn't use the compromised version of OpenSSL. BitSimple (among many other Bitcoin related sites) for example is unaffected. revoking doesn't work with default settings (at least in firefox).  notice the second checkbox is false by default, meaning all an attacker needs to do to man in the middle an SSL session with a stolen certificate is to send firefox an RST packet when it tries to reach the OCSP server. which is why as it stands today SSL can be considered broken. |
|
|
|
|
windpath
Legendary
Offline
Activity: 1258
Merit: 1027
|
|
April 09, 2014, 01:10:35 PM |
|
Checking your Bitcoin Core version of OpenSSLMenu -> Help -> Debug Window 
|
|
|
|
|
kokojie
Legendary
Offline
Activity: 1806
Merit: 1003
|
|
April 09, 2014, 03:00:33 PM |
|
How did this bug happen? how CAN this type of bug happen? it's inexcusable. Using non-https in the case, was more secure than using https (with openssl). Is this a joke to the openssl programmers? the person responsible should commit Seppuku already if he were Japanese.
|
btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
|
|
|
|
Arksun
|
|
April 09, 2014, 05:50:29 PM |
|
Can anyone confirm whether Blockchain.info website was affected and whether passwords for that site need changing?
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
April 09, 2014, 05:54:58 PM |
|
Can anyone confirm whether Blockchain.info website was affected and whether passwords for that site need changing?
http://filippo.io/Heartbleed/#blockchain.infoThe site is not vulnerable at the current time however this tool can't determine if it was ever vulnerable. Only the site operator can advise that. Since there is a chance passwords could have been compromised it may be a good idea to change them. Although for any site which has real time access to Bitcoins I have to imagine if your password was compromised your coins would already be gone. |
|
|
|
|
|
|
|
Arksun
|
|
April 09, 2014, 05:57:37 PM |
|
Sounds like I dont need to change the passwords then, great! |
|
|
|
|
