|
Evilish
|
 |
April 09, 2014, 10:18:07 AM |
|
Does this only apply only for Bitcoin QT? Just wondering because I use BlockChain online wallet and MultiBit.
|
|
|
|
|
|
|
|
The block chain is the main innovation of Bitcoin. It is the
first distributed timestamping system.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
platorin
|
|
April 09, 2014, 10:38:58 AM |
|
Thank you for the info and the update. All best!
|
|
|
|
|
|
S4VV4S
|
|
April 09, 2014, 10:51:58 AM |
|
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?
Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?
Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?
I just cannot wrap my head around it yet.
+1 I would like to know this as well |
|
|
|
|
Rampion
Legendary
 Offline
Activity: 1148
Merit: 1018
|
|
April 09, 2014, 11:02:31 AM |
|
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?
Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?
Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?
I just cannot wrap my head around it yet.
+1 I would like to know this as well I've opened a dedicated thread in Technical Discussion for this purpose. |
|
|
|
5ick3uffalo
Legendary
Offline
Activity: 994
Merit: 1000
|
|
April 09, 2014, 11:14:40 AM |
|
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
|
BTC: 1Dw9feZAGSeHvaiQ55T7C92VAAXB2nVKKk
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
April 09, 2014, 11:16:54 AM |
|
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed. So probably not. |
|
|
|
5ick3uffalo
Legendary
Offline
Activity: 994
Merit: 1000
|
|
April 09, 2014, 11:17:57 AM |
|
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed. So probably not. Ok thank you  |
BTC: 1Dw9feZAGSeHvaiQ55T7C92VAAXB2nVKKk
|
|
|
Hyena
Legendary
Offline
Activity: 2114
Merit: 1013
|
|
April 09, 2014, 11:21:54 AM |
|
How do I install this for Linux Mint? On the previous version there was just a bitcoin-qt file which I could click on and run. Now the extracted folder contains several files, none of which are executable. I am stupid and know almost nothing about using the terminal, compiling libraries, etc. Can someone give me a simple explanation please?
Please. Almost sounds like you've downloaded a source archive. Are you sure you've downloaded https://bitcoin.org/bin/0.9.1/bitcoin-0.9.1-linux.tar.gz , 36MB in size? I had a quick look at this archive and the executables appear to be there: bin/32/bitcoin-qt bin/64/bitcoin-qt The file I downloaded from your link and the previous link is 47.5 MB. I tried it again with your link, but same result. Bitcoin-qt is not an executable, it is a "shared library (application/x-sharedlib)". I have no program that can execute this file. Fuck. Why didn't they just make an "executable (application/x-executable)" file like version 0.8.5? On Linux Mint 14 you can still launch your bitcoin-qt if you go to terminal and type " ./bitcoin-qt". If you want to start it without having it tied to your terminal window then type " (./bitcoin-qt -min &> /dev/null &)" |
|
|
|
|
mjosephs
|
|
April 09, 2014, 11:23:54 AM |
|
If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.
At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme. What did they do? They ignored common sense. The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately. Oh wait, that happened. Carry on. |
|
|
|
|
wumpus
|
|
April 09, 2014, 11:33:42 AM |
|
What did they do? They ignored common sense.
The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately. Oh wait, that happened.
Carry on.
It's easy to cry "I told you so" in retrospect. But there could have been an exploit in any of the other dependencies. Or in the Bitcoin P2P or RPC network code itself. By no means is OpenSSL the only software that has bugs. The only long-term sustainable solution to key theft would be to isolate the private keys and signing from the wallet in either a separate process, a trusted computing module or even a seperate device (in order of increased security). |
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts. |
|
|
|
Kenshin
|
|
April 09, 2014, 11:36:00 AM |
|
I really like this new update. It has better functions then 0.9.0. I can't wait for the 1.0 release.
|
|
|
|
|
|
Lucko
|
|
April 09, 2014, 11:52:59 AM |
|
Grate. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?
|
|
|
|
|
ShadesOfMarble
Donator
Hero Member
Offline
Activity: 543
Merit: 500
|
|
April 09, 2014, 11:56:32 AM |
|
Grate. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?
I guess wallet stealing trojans exists almost as long as Bitcoin, so your loss could have many (other) causes. First, scan your computer. Second, did you click on any "bitcoin:"-link? |
|
|
|
Hyena
Legendary
Offline
Activity: 2114
Merit: 1013
|
|
April 09, 2014, 11:57:56 AM |
|
If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.
At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme. What did they do? They ignored common sense. The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately. Oh wait, that happened. Carry on. 0.9 introduced a bunch of bullshit. How the hell can bitcoin magnet link be vulnerable?! If they continue introducing unwanted bullshit features, bloating the bitcoin official client then bitcoin will be dead for me. This has already gone too far. The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol? |
|
|
|
IIOII
Legendary
Offline
Activity: 1153
Merit: 1012
|
|
April 09, 2014, 12:05:02 PM |
|
That's exactly what all those three letter organizations doing within the Bitcoin Foundation, introducing vulnerabilities to the protocol.
Yeah that's a risk that should not be disregarded lightly. As far as I understand the main vulnerability was introduced in Bitcoin Core 0.9.0 by the payment protocol's reliance on OpenSSL. If I understand correctly the payment protocol was first introduced with Core 0.9.0 (I think Gavin was doing this). I think (and mentioned this in the past) that the payment protocol is an entirely optional feature that is not essential for Bitcoin and should not be included. It can be substituted by third parties. The added security risk by reliance on (more) external libraries is much more relevant than providing a somehow useful, but non-essential feature. |
|
|
|
|
IIOII
Legendary
Offline
Activity: 1153
Merit: 1012
|
|
April 09, 2014, 12:06:30 PM |
|
If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.
At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme. What did they do? They ignored common sense. The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately. Oh wait, that happened. Carry on. 0.9 introduced a bunch of bullshit. How the hell can bitcoin magnet link be vulnerable?! If they continue introducing unwanted bullshit features, bloating the bitcoin official client then bitcoin will be dead for me. This has already gone too far. The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol? +1 Funny... you posted this.. while I was still typing my reply. |
|
|
|
|
|
Lucko
|
|
April 09, 2014, 12:07:08 PM
Last edit: April 09, 2014, 12:27:59 PM by Lucko |
|
Grate. About 2 hours before this showed up I lost 1,6 something BTC to this... And it took only about 2 hours of running application... So it is not that impossible... Well I think it was this since I have no clue what else could it be... Is there any trace left so I can be sure?
I guess wallet stealing trojans exists almost as long as Bitcoin, so your loss could have many (other) causes. First, scan your computer. Second, did you click on any "bitcoin:"-link? It runs only wallet and no I just installed it... I used Ufasoft coin till now but it really runs bad with current blockchain size so I migrate keys. I do have antivirus and malware bits on... So I don't think it is that. It also has own firewalled subnet... EDIT: Scan completed. Noting found by AVG or Malwarebits |
|
|
|
|
|
wumpus
|
|
April 09, 2014, 12:22:03 PM |
|
The protocol specifies flawless security (except quantum computing vulnerability). WHY on earth has this flawless security be ruined by eager developers adding features that are not essential to bitcoin protocol?
Right, in principle, wallet functionality isn't needed at all to maintain the Bitcoin P2P network, the reason for Bitcoin Core's existence. This is why --disable-wallet mode was introduced in 0.9.0. It allows you to build without the wallet, which removes quite a few dependencies (OpenSSL however is still required as we also use it for ECDSA at this point, and for RPC SSL support, but this could change after merging sipa's ECDSA library). In the long run there are two options: either we remove the wallet, or we keep it and try to keep up with features of other wallets. Keeping up includes the payment protocol. If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods. |
Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts. |
|
|
IIOII
Legendary
Offline
Activity: 1153
Merit: 1012
|
|
April 09, 2014, 12:41:13 PM |
|
If payment protocol was not supported people would be complaining about lack of support for the new merchant integration methods.
Who did complain? If payment protocol is distributed with Core, it should be an optional thing, which the user can decide to activate (by checkbox, whatever). Security is much more important. Edit. imho the dialog introduced in 0.9.0 which replaced the receiving addresses field is not an improvement. It makes things more awkward. (An example of a really good improvement is coincontrol and wallet file selection.) |
|
|
|
|
|
fryarminer
|
|
April 09, 2014, 12:43:57 PM |
|
Memorized private keys, the safest way to own bitcoin. Memorized private keys are in fact one of the least secure ways to own bitcoin. Dang it! I was sitting here trying to memorize private keys! |
|
|
|
|
|
