Bitcoin Forum
December 09, 2021, 07:12:53 AM *
News: Latest Bitcoin Core release: 22.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: OpenSSL 'heartbleed' bug exposes memory blocks - including passwords.  (Read 5151 times)
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1071


View Profile
April 08, 2014, 05:41:20 PM
 #1

OpenSSL has been revealed to have a huge gaping hole.

http://www.bbc.com/news/technology-26935905

Those who have been securing communications using https (which is essentially all of us) should change all passwords they have used with those systems. 

Those who have used the same password in https that they have used to encrypt their wallets - yeah, you can figure that out, right?  An attacker may have the old password.  You should be using a different one.

1639033973
Hero Member
*
Offline Offline

Posts: 1639033973

View Profile Personal Message (Offline)

Ignore
1639033973
Reply with quote  #2

1639033973
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
blacksails
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250


View Profile
April 08, 2014, 06:03:40 PM
 #2

OpenSSL has been revealed to have a huge gaping hole.

http://www.bbc.com/news/technology-26935905

Those who have been securing communications using https (which is essentially all of us) should change all passwords they have used with those systems. 

Those who have used the same password in https that they have used to encrypt their wallets - yeah, you can figure that out, right?  An attacker may have the old password.  You should be using a different one.


This is quite bad. That'd mean I'd have to change almost all of my passwords… Geez, that will take some time!
At least my wallet is encrypted with a completely different password.
bitcoiner49er
Sr. Member
****
Offline Offline

Activity: 457
Merit: 250



View Profile
April 08, 2014, 06:04:44 PM
 #3

Nevermind

Homo doctus is se semper divitias habet
bitpop
Legendary
*
Offline Offline

Activity: 2716
Merit: 1058



View Profile WWW
April 08, 2014, 08:07:54 PM
 #4

When will you know that https://"XYZ" has secured itself against this?

http://filippo.io/Heartbleed/

http://filippo.io/Heartbleed/#apicoin.io << my site is secured, I was one of the first since I saw this on a netsec newsletter last night.


https://apicoin.io/register/error1

Bit_Happy
Legendary
*
Offline Offline

Activity: 2002
Merit: 1020


A Great Time to Start Something!


View Profile
April 08, 2014, 08:26:43 PM
 #5

Thanks for posting a serious story.

What should a website operator do about the Heartbleed OpenSSL exploit?
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit
windpath
Legendary
*
Offline Offline

Activity: 1256
Merit: 1026


View Profile WWW
April 08, 2014, 08:52:10 PM
 #6

Gavin Andresen: Expect Bitcoin Core 0.9.1 Release Soon Because of Heartbleed OpenSSL Bug

http://newsbtc.com/2014/04/08/gavin-andresen-expect-bitcoin-core-0-9-1-release-soon-heartbleed-openssl-bug/
Bit_Happy
Legendary
*
Offline Offline

Activity: 2002
Merit: 1020


A Great Time to Start Something!


View Profile
April 08, 2014, 09:17:45 PM
 #7

Next up is huge concern about the exchanges that have not updated.


Gavin Andresen: Expect Bitcoin Core 0.9.1 Release Soon Because of Heartbleed OpenSSL Bug

http://newsbtc.com/2014/04/08/gavin-andresen-expect-bitcoin-core-0-9-1-release-soon-heartbleed-openssl-bug/

EDIT:
    The vulnerability does not affect the bitcoin protocol or wallet. It may affect auxilary usage of TLS in RPC-over-SSL and when fetching payment requests over HTTPS.

    Not a big deal, but we are going to release a 0.9.1 that updates OpenSSL (see pull #4023 if you want to test) and fixes some other minor issues from 0.9.0.
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1071


View Profile
April 08, 2014, 09:23:38 PM
Last edit: April 09, 2014, 02:47:40 AM by Cryddit
 #8

As far as I can see, this bug affects bitcoind in the case that you use RPC over a network to access your wallet.

If you don't, I don't believe there's any vulnerability that this exposes.  (This is a quick examination only; there could be something I missed).  If you have, and someone who knew about this bug was paying attention at the time, then that person may have your password.  

OTOH, I think this explains the widespread SSL break implied by the Snowden papers.  

EDIT: 

I had not looked at the new payment protocol stuff with the recent client.  It is also exposed to this bug. So, if you have used the payment prototocol over the network, you have been exposed. 
bitpop
Legendary
*
Offline Offline

Activity: 2716
Merit: 1058



View Profile WWW
April 08, 2014, 09:34:42 PM
 #9

This bug must be intentional

bitpop
Legendary
*
Offline Offline

Activity: 2716
Merit: 1058



View Profile WWW
April 08, 2014, 09:45:24 PM
 #10

It's out https://bitcoin.org/bin/0.9.1/

turio
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
April 08, 2014, 09:55:24 PM
 #11

this is a serious concern and everyone should patch up
Robert Paulson
Sr. Member
****
Offline Offline

Activity: 448
Merit: 250


View Profile
April 08, 2014, 09:56:51 PM
 #12

SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.
bitpop
Legendary
*
Offline Offline

Activity: 2716
Merit: 1058



View Profile WWW
April 08, 2014, 09:58:31 PM
 #13

SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.

Re keying is easy if the site cares

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1020


Gerald Davis


View Profile
April 08, 2014, 10:04:03 PM
 #14

SSL can now be considered as dead, this bug leaks the private SSL key of all the websites that use SSL.
even if they patch the server anyone who dumped enough of the server's memory would likely be able to recover the SSL private key of the server.

Generating a new key and cert as well as revoking the old cert takes less than an hour (honestly more like ten minutes but was being conservative).  Of course many website were completely unaffected as they didn't use the compromised version of OpenSSL.  BitSimple (among many other Bitcoin related sites) for example is unaffected.  
Bit_Happy
Legendary
*
Offline Offline

Activity: 2002
Merit: 1020


A Great Time to Start Something!


View Profile
April 08, 2014, 10:06:41 PM
 #15

Does anyone know if Cryptsy updated yet?
EDIT:
We have updated all of our OpenSSL servers and our DDOS provider has also updated.  More information here: http://blog.cryptsy.com


...or btc-e?
On April 6th
"We updated SSL certificate"
...That may have simply been expiring. Cannot tell what version of OpenSSL they are running.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1020


Gerald Davis


View Profile
April 08, 2014, 10:14:00 PM
 #16

Does anyone know if Cryptsy updated yet?
EDIT:
We have updated all of our OpenSSL servers and our DDOS provider has also updated.  More information here: http://blog.cryptsy.com


...or btc-e?
On April 6th
"We updated SSL certificate"
...That may have simply been expiring. Cannot tell what version of OpenSSL they are running.

I don't vouch for the accuracy of this test but it indicates no vulnerability
http://filippo.io/Heartbleed/#cryptsy.com
awesomeami
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
April 08, 2014, 10:18:32 PM
 #17

https://bitcointalk.org/index.php?topic=562388.new#new
0.9.1 already released
update ASAP pls - just for sure

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1020


Gerald Davis


View Profile
April 08, 2014, 10:24:15 PM
Last edit: April 08, 2014, 10:49:02 PM by DeathAndTaxes
 #18

https://bitcointalk.org/index.php?topic=562388.new#new
0.9.1 already released
update ASAP pls - just for sure


Most users have absolutely no reason to upgrade.  SSL isn't used in the Bitcoin protocol.

Only users who use bitcoind RPC calls over SSL/TSL connection have any potential vulnerability.

Do you not use bitcoind RPC?  Then there is no urgent need to upgrade.
Do you use bitcoind RPC but don't use SSL? Then there is no urgent need to upgrade.
Do you use bitcoind RPC over SSL?  Then you should halt your bitcoind server and upgrade before restoring access.


On edit:  Bad information.  The payment protocol uses SSL any user could already be compromised if they used the new payment protocol "feature".  Upgrade now or if you can't shutdown the client and don't restart it until such time as you can upgrade. 
Bit_Happy
Legendary
*
Offline Offline

Activity: 2002
Merit: 1020


A Great Time to Start Something!


View Profile
April 08, 2014, 10:27:32 PM
 #19

Does anyone know if Cryptsy updated yet?
EDIT:
We have updated all of our OpenSSL servers and our DDOS provider has also updated.  More information here: http://blog.cryptsy.com


...or btc-e?
On April 6th
"We updated SSL certificate"
...That may have simply been expiring. Cannot tell what version of OpenSSL they are running.

I don't vouch for the accuracy of this test but it indicates no vulnerability
http://filippo.io/Heartbleed/#cryptsy.com

It says you need to know the hostname (i.e. server.domain.com) not just the domain name.
cryptsy tweeted about the update, but not sure about btc-e

turio
Newbie
*
Offline Offline

Activity: 14
Merit: 0


View Profile
April 08, 2014, 10:33:54 PM
 #20

https://bitcointalk.org/index.php?topic=562388.new#new
0.9.1 already released
update ASAP pls - just for sure


thank you I am updating now
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!