[2014-10-16] CD: Open-Source Tool Identifies Weak Bitcoin Wallet Signatures

[LiteCoinGuy]

Open-Source Tool Identifies Weak Bitcoin Wallet Signatures


The developer behind a program that checks for the Heartbleed vulnerability, Filippo Valsorda, has created a new tool that he says tracks down poorly secured bitcoin transactions.

...

Not everyone agrees with the conclusions, however. Armory’s CEO and founder Alan C Reiner told CoinDesk:

    “Valsorda is criticizing the globally standardized use of ECDSA, which is implemented and applied properly in our software. Since ECDSA was created, it has always required a random number generator and all software that implements it should use a random number generator. That’s part of its specification.”

...

CoinDesk also spoke to Blockchain about Valsorda’s claims. A spokesperson said:

    “This issue first came to our engineering team’s attention in August 2013. We took steps then to patch the vulnerability created by a small minority of users relying on old out-of-date web browser versions.

    Blockchain’s My-Wallet tool relies on, not one, but three sources of entropy to generate ECDSA signing keys: the browser-based RNG, mouse movement & keyboard interaction, and a server-side RNG. This protects users from out-of-date browsers with weak RNGs while maintaining the ability run a fully client-side, non-custodial wallet that is easy to use across your desktop and mobile devices.”

...

Valsorda has made his code freely available to other developers by posting it on GitHub and has called on fellow developers to address the issue, taking care in their choice of random number generators.


http://www.coindesk.com/open-source-tool-identifies-weak-bitcoin-wallet-signatures/

[1713981625]

1713981625

[1713981625]

1713981625

[botany]

This is the kind of news that scares the layman. 

[TraderTimm]

Basically its a nerd pissing contest over whose implementation has the best entropy, or randomness. The Armory guys have always been up front about their software, and they even include tools to determine if your chosen phrase is easily cracked. I don't get what this guy has to prove, except to push his own stuff.

[Lethn]

This is the kind of news that scares the layman.  

What? Because it exposes how bad they are at computer security? I think this kind of stuff is always good no matter who's it from, it'd be great to get serious competition on keeping wallets secure. Anyone who has an objective look at Bitcoin will see why this is needed because you can double check your security with stuff like this, I'd feel reassured. That said, I don't think password tools that measure password strength aren't very accurate I have my own system I use which has served me well these past couple of years since I've used it, never had any problems with accounts suddenly getting hacked.

[Stifler]

This is the kind of news that scares the layman. 

Better get used to it because bitcoin is going to be the victim of more and more propganda and fear-mongering attacks designed to scare off newbies or laymen etc.

[Kprawn]

I also think, we should welcome anyone, who might shine a light on vulnerabilities in online wallet software.

The more people working on making this more secure, the better for the reputation of crypto currencies, as the whole.

I implement different strategies to distribute the risk of losing everything in one hack. Use several methods of cold storage and keep small quantities online.

There are people out there, trying constantly to hack any service related to any money. {FIAT / Credit cards / Debit cards / PayPal} so Bitcoin is not unique. 

[lihuajkl]

Good. Some vulnerable issues were  found before hackers exploit them to cause large damage.