What is this "heartbleed" bug I've been hearing about?

[precrime3]

It seems that its not just bitcoin, dashlane (password manager) emailed me about it. What exactly is it? How can it have such a wide range, all I gathered is it is a bug that has been exploited in OpenSSL.

[gweedo]

Openssl is a library that is shipped with a lot of OSes and basically allowed an attacker to dump 64Kb of your memory and it could do it in a loop this would allow access to entropy and store variable like SSL private keys. This is really an issue of putting too much trust in a single library.

[precrime3]

Openssl is a library that is shipped with a lot of OSes and basically allowed an attacker to dump 64Kb of your memory and it could do it in a loop this would allow access to entropy and store variable like SSL private keys. This is really an issue of putting too much trust in a single library.

Ahh okay, thanks for explaining it to me. So with this bug, they could steal your wallet private key?

[Klestin]

Openssl is a library that is shipped with a lot of OSes and basically allowed an attacker to dump 64Kb of your memory and it could do it in a loop this would allow access to entropy and store variable like SSL private keys. This is really an issue of putting too much trust in a single library.

Ahh okay, thanks for explaining it to me. So with this bug, they could steal your wallet private key?

The short answer is [redacted].

They could potentially steal any information posted to a web site which had the vulnerability.  In some cases, they could steal the server's certificate, which might allow them to impersonate the server (better phishing attacks).

Edit: It looks like 0.9.0 may have been vulnerable under certain circumstances. See posts by users smarter than I for details.

[precrime3]

Openssl is a library that is shipped with a lot of OSes and basically allowed an attacker to dump 64Kb of your memory and it could do it in a loop this would allow access to entropy and store variable like SSL private keys. This is really an issue of putting too much trust in a single library.

Ahh okay, thanks for explaining it to me. So with this bug, they could steal your wallet private key?

The short answer is no.

They could potentially steal any information posted to a web site which had the vulnerability.  In some cases, they could steal the server's certificate, which might allow them to impersonate the server (better phishing attacks).

Then why is it saying Bitcoin could be stolen? How des that work?

[gweedo]

Openssl is a library that is shipped with a lot of OSes and basically allowed an attacker to dump 64Kb of your memory and it could do it in a loop this would allow access to entropy and store variable like SSL private keys. This is really an issue of putting too much trust in a single library.

Ahh okay, thanks for explaining it to me. So with this bug, they could steal your wallet private key?

The short answer is no.

They could potentially steal any information posted to a web site which had the vulnerability.  In some cases, they could steal the server's certificate, which might allow them to impersonate the server (better phishing attacks).

Then why is it saying Bitcoin could be stolen? How des that work?

It affect the payment protocol.

If you are using the graphical version of 0.9.0 on any platform, you must update immediately. Download here. If you can't update immediately, shut down Bitcoin until you can. If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised. Carefully generate an entirely new wallet (not just a new address) and send all of your bitcoins there. Do not delete your old wallet.

[precrime3]

Alright, so basically it intercepts payments?

[Equate]

Alright, so basically it intercepts payments?

Through this bug , your information over the ssl sites are not encrypted.

[precrime3]

Alright, so basically it intercepts payments?

Through this bug , your information over the ssl sites are not encrypted.

Okay, thanks for the information guys!

[keelba]

Openssl is a library that is shipped with a lot of OSes and basically allowed an attacker to dump 64Kb of your memory and it could do it in a loop this would allow access to entropy and store variable like SSL private keys. This is really an issue of putting too much trust in a single library.

That's not quite technically accurate. The attacker cannot access your memory, it accesses the memory of the web server the attacker is connecting to. It can only grab what is in memory. Although the 64K of RAM it grabs is completely random, there is no limit to the number of times this random data could be requested and no way of knowing which data the server is giving out. It is possible that there could be a password or digital key in that random chunk of RAM (and keys are usually pretty easy to find because they fit a specific pattern). This would put you at risk because the attacker would now be able to access that site as you or he could use that key to put himself in the middle of you and the webserver and record everything you do from that point on. Changing your password on that site would only fix the problem if the administrators of that site have fixed the vulnerability. If they have not, then changing your password now could put you at even greater risk.

By now, most large institutions have fixed this issue. If you use LastPass, they have implemented a check to let you know if websites they store passwords for are still vulnerable. There are also other websites out there keeping track. It is a good idea, if you're very concerned about a particular website, to verify that they have fixed their servers before logging in yourself and putting yourself at more risk.

If you have not accessed a certain website in a very long time, then it is unlikely that you would be at risk on that website. However, this vulnerability has existed for up to two years before being publically discovered this week. So it is possible that some hacker out there has known about it for some time and has been exploiting it for many months.

There's a pretty good and simple illustration of how Heartbleed works here:
http://xkcd.com/1354/