Heartbleed: Huge Internet Security Flaw Puts BTC Exchanges in Frenzy
It was discovered today that a two-year-old internet security flaw called “Heartbleed” has exposed an alarming security vulnerability across the internet. Heartbleed affects several versions of OpenSSL, the library that encrypts and secures internet traffic. This includes protecting passwords, e-commerce, messages, virtual private networks (VPNs) and other identity-sensitive data. OpenSSL is one of the most relied-upon methods of securing sensitive data across the internet. Because Heartbleed affects OpenSSL directly, security admins around the world and many digital currency exchanges are reviewing their security systems.
Heartbleed Affects the Internet
The security vulnerability known as Heartbleed has been known to researchers since 2011. Heartbleed specifically attacks https websites, which means that digital currency exchanges using OpenSSL are at risk, and the Bitcoin community wants assurance.
Filippo Valsorda, an Italian security expert, has built a web-based test which allows people to enter any website to see if it has been affected by Heartbleed. Valsorda said,
“However almost everything public facing in the Bitcoin ecosystem is secured with TLS and potentially affected.”
When the news of the Heartbleed flaw came out, Bitcoin services like Blockchain and Coinbase were safe. However, not every Bitcoin service was secure. Bitstamp, a digital currency exchange, is taking extra precautionary steps to address this possible vulnerability. Bitstamp took to Twitter to reassure its users that it is addressing the issue at hand:
#Bitstamp turns off its acc registration, login & all virtual currency withdrawal functions as a precaution following recent OpenSSL news.
— Bitstamp (@Bitstamp) April 8, 2014
Why is Heartbleed Such a Problem?
Over half of internet services use OpenSSL, and those services’ sensitive information could be at risk of exploitation. Attackers could use the Heartbleed flaw to read the RAM of affected systems, which allows them to obtain a system’s private keys through data injection. These keys are what the system uses to encrypt and decrypt sensitive data.
As soon as attackers obtain the keys, they can potentially impersonate users and services. The worst part is that such attacks leave no trace behind, so even if a system has been compromised, there is no reliable way to tell.
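The passage above describes the effect (memory disclosure) but not the defect behind it. The following added example, which is not code from the article or from OpenSSL, reproduces the shape of the bug and its fix in a simulated memory buffer: a heartbeat handler that trusts the length field in the message header beside one that checks it against the length of the record actually received (the check OpenSSL shipped in 1.0.1g). The memory image, the record layout and the “private key” bytes are all constructed for the demonstration, and the copy is clamped to that image only so the program stays within defined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed simulation of process memory: the received heartbeat record
 * sits at offset 0 and unrelated data standing in for private-key material
 * sits further along in the same buffer. */
#define MEM_SIZE   96
#define SECRET_OFF 64
#define SECRET_LEN 32
static const char CONSTRUCTED_SECRET[] = "-----PRIVATE-KEY-MATERIAL-HERE--";

/* Write a heartbeat request into the image. claimed_len is the payload length
 * the peer put in the header; the request really carries a 1-byte payload plus
 * 16 bytes of padding. Returns the true length of the received record. */
size_t setup_memory(uint8_t *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = 0x01;                            /* HeartbeatMessageType: request */
    mem[1] = (uint8_t)(claimed_len >> 8);     /* payload_length, big-endian */
    mem[2] = (uint8_t)(claimed_len & 0xff);
    mem[3] = 'h';                             /* the only real payload byte */
    /* 16 padding bytes follow as zeros; then unrelated "secret" data. */
    memcpy(mem + SECRET_OFF, CONSTRUCTED_SECRET, SECRET_LEN);
    return 1 + 2 + 1 + 16;                    /* 20 bytes actually received */
}

/* Pre-fix logic: echo back as many bytes as the header claims, without
 * comparing that number with the record length. The clamp to MEM_SIZE keeps
 * this demo inside the constructed buffer; a real server read on through the
 * heap, which is exactly the data disclosure described in the article. */
size_t heartbeat_reply_vulnerable(const uint8_t *mem, size_t record_len,
                                  uint8_t *out, size_t out_cap)
{
    (void)record_len;                         /* the bug: never consulted */
    if (mem[0] != 0x01) return 0;
    size_t payload = ((size_t)mem[1] << 8) | mem[2];
    size_t avail = MEM_SIZE - 3;              /* bytes after the header */
    if (payload > avail) payload = avail;
    if (payload > out_cap) payload = out_cap;
    memcpy(out, mem + 3, payload);            /* over-reads past the payload */
    return payload;
}

/* Fixed logic: header, claimed payload and the minimum 16 bytes of padding
 * must all fit inside the record that was actually received, otherwise the
 * message is silently discarded. */
size_t heartbeat_reply_fixed(const uint8_t *mem, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    if (record_len < 1 + 2 + 16) return 0;    /* too short to be valid */
    if (mem[0] != 0x01) return 0;
    size_t payload = ((size_t)mem[1] << 8) | mem[2];
    if (1 + 2 + payload + 16 > record_len) return 0;  /* the missing check */
    if (payload > out_cap) return 0;
    memcpy(out, mem + 3, payload);
    return payload;
}

/* Detection helper for the demo: does the reply carry the secret bytes?
 * The reply is copied from mem + 3, so the secret would land at offset 61. */
int reply_leaks_secret(const uint8_t *out, size_t n)
{
    size_t at = SECRET_OFF - 3;
    return n >= at + SECRET_LEN && memcmp(out + at, CONSTRUCTED_SECRET, SECRET_LEN) == 0;
}

int main(void)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = setup_memory(mem, 0xFFFF);   /* header claims 65535 bytes */
    size_t n = heartbeat_reply_vulnerable(mem, record_len, out, sizeof out);
    printf("vulnerable handler replied with %zu bytes, secret leaked: %s\n",
           n, reply_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_reply_fixed(mem, record_len, out, sizeof out);
    printf("fixed handler replied with %zu bytes (0 = request discarded)\n", n);
    return 0;
}
```

The point for defenders is that the fixed handler changes no cryptography at all; it only refuses to trust a length the peer supplied. That is why the remedy was a library upgrade, and why Hearn’s advice below to rotate keys still applies: anything already read out of memory before the upgrade stays read.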
The developer and chair of the Bitcoin Foundation’s Law and Policy Committee, Mike Hearn, said,
“I’m hoping the impact will be limited. Major sites will have to rotate their SSL keys after upgrading […] Most sites should have the private keys for their wallets in a different server process where the data cannot be extracted this way. However it will not surprise me if a few sites are not working this way for whatever reason and might suffer thefts.”
Other Digital Currency Companies React
Besides Bitstamp, other digital currency companies and websites like localbitcoins.com have taken quick action to address and resolve the Heartbleed issue.
We are up again, heartbleed bug fixed. http://t.co/OwP9Ft1dE7
— LocalBitcoins.com (@LocalBitcoins) April 8, 2014
Bitfinex, a Bitcoin trading platform, took to Twitter to address the issue:
Heartbleed bug fixed on Bitfinex, withdrawals are disabled for now until we make sure everyone is safe
— Bitfinex.com (@bitfinex) April 8, 2014
What Does this all Mean?
All of this means that, whether or not anyone wants to think about it, over half of the internet has been at risk for years because of the Heartbleed flaw. Everyone would do well to change their passwords and login credentials for data-sensitive websites.
It also means that Bitcoin exchanges and services need to be on top of their game in order to deal with the problems that arise. No one wants another “Mt. Gox” happening.
I made the page at http://rehmann.co/projects/heartbeat/ to help diagnose the issue!
Timekoin is not affected by this SSL flaw; it is not based on Bitcoin, and the encryption used is implemented in a completely different way than Bitcoin and its clones. It is possible that all alt-coins based on the Bitcoin source are also affected. Hopefully everyone can get their code up to date before any major exploits appear in the news.