A major flaw has been revealed in the security of the Web. No one yet knows how big the impact will be, but even Internet security firms are showing signs of anxiety.
The open-source OpenSSL library, widely used to secure Web communications through SSL/TLS encryption, has been found to contain a serious weakness. It could allow attackers to steal sensitive data such as emails, instant messages, banking and e-commerce details, and traffic carried over virtual private networks (VPNs).
In turn, this could have a negative impact on the Bitcoin economy and cryptocurrencies as a whole.
The Slovenia-based exchange Bitstamp had earlier announced that it was halting all transactions as a security precaution. Its latest tweet, however, says that it is now back up and running.
The flaw has been named the “Heartbleed” bug (tracked as CVE-2014-0160) and sits in OpenSSL’s implementation of the TLS heartbeat extension. It was discovered independently by a group of security engineers at Codenomicon and by Neel Mehta of Google Security.
While the full impact of the bug remains to be seen, security experts suggest that most Internet users are affected, either directly or indirectly. Attackers could take advantage of this “Achilles’ heel of the Internet” to steal private communications as well as other sensitive data such as credit card numbers and passwords.
A website dedicated to this freshly-discovered bug reads: “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.”
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”
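To make that memory read concrete, here is a constructed C model of a TLS heartbeat handler, added for this article and not OpenSSL’s own code. A handler in the shape of the flawed one (OpenSSL 1.0.1 through 1.0.1f) sits beside one in the shape of the 1.0.1g fix; both are fed a heartbeat request that claims a 100-byte payload while carrying only 4 bytes. The simulated memory layout, the SECRET string placed after the record, and the function names are assumptions made for the demonstration; the heartbeat message format (type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding required by RFC 6520 */
#define RECORD_SLOT      64   /* bytes of simulated memory holding the record */
#define MEM_SIZE         128  /* record slot followed by other process data */
#define SECRET "PRIVATE-KEY-MATERIAL-DO-NOT-LEAK"  /* constructed stand-in */

/* Claimed payload length from the 2-byte big-endian field (n2s() in OpenSSL). */
static unsigned int hb_claimed_len(const unsigned char *rec)
{
    return ((unsigned int)rec[1] << 8) | rec[2];
}

/* Build a HeartbeatResponse: type, 2-byte length, payload echo, padding.
   Returns the response length; caller frees *out. */
static size_t hb_build_response(const unsigned char *payload, unsigned int len,
                                unsigned char **out)
{
    unsigned char *buf = malloc(1 + 2 + (size_t)len + HB_PADDING);
    unsigned char *bp = buf;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(len >> 8);
    *bp++ = (unsigned char)(len & 0xff);
    memcpy(bp, payload, len);          /* copies len bytes, wherever they are */
    memset(bp + len, 0, HB_PADDING);   /* OpenSSL fills this with random bytes */
    *out = buf;
    return 1 + 2 + (size_t)len + HB_PADDING;
}

/* Vulnerable handler in the shape of OpenSSL 1.0.1 through 1.0.1f: the
   length the peer claims is trusted and the real record length is never
   consulted, so the echo reads past the request into neighbouring memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char **out)
{
    (void)rec_len;                                 /* the bug */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    return hb_build_response(rec + 3, hb_claimed_len(rec), out);
}

/* Fixed handler in the shape of 1.0.1g: a request whose claimed payload
   (plus header and minimum padding) exceeds the record is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char **out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;    /* too short to parse */
    if (rec[0] != TLS1_HB_REQUEST) return 0;
    unsigned int len = hb_claimed_len(rec);
    if (1 + 2 + (size_t)len + HB_PADDING > rec_len) return 0;
    return hb_build_response(rec + 3, len, out);
}

/* Does the byte range hay[0..n) contain the string needle? */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Constructed scenario: a heartbeat request carrying a 4-byte payload lands
   in the record slot while secret data sits right after it. claimed_len is
   the length field the client sends. Returns the response length (0 if the
   handler dropped the request) and sets *leaked if the secret came back. */
size_t run_heartbeat(int use_fixed, unsigned int claimed_len, int *leaked)
{
    /* Keep the simulated over-read inside our own buffer; real attacks
       claimed up to 64 KiB and read whatever happened to follow. */
    if (claimed_len > MEM_SIZE - 3) claimed_len = MEM_SIZE - 3;
    unsigned char *mem = calloc(MEM_SIZE, 1);
    memcpy(mem + RECORD_SLOT, SECRET, strlen(SECRET));

    unsigned char *rec = mem;
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, "ping", 4);
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;   /* 23 bytes actually received */

    unsigned char *resp = NULL;
    size_t n = use_fixed ? heartbeat_fixed(rec, rec_len, &resp)
                         : heartbeat_vulnerable(rec, rec_len, &resp);
    if (leaked) *leaked = (n > 0) && contains(resp, n, SECRET);
    free(resp);
    free(mem);
    return n;
}

/* Convenience wrapper: 1 if the secret appeared in the response, else 0. */
int secret_leaked(int use_fixed, unsigned int claimed_len)
{
    int leaked = 0;
    run_heartbeat(use_fixed, claimed_len, &leaked);
    return leaked;
}

int main(void)
{
    int leaked;
    size_t n = run_heartbeat(0, 100, &leaked);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat(1, 100, &leaked);
    printf("fixed:      %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The vulnerable handler answers the 23-byte request with a 119-byte response that includes the bytes placed after the record, while the fixed handler answers nothing; a well-formed request (claimed length 4) gets the same 23-byte reply from both. The single added comparison against the record length is the whole of the 1.0.1g fix, which is why it could ship within hours of disclosure.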
Worse, when the researchers tested the bug against their own services, the verdict was that the situation was indeed very bad.
“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”
There is some good news, however: among exchanges, HITBTC was the first to announce a fix for the newly-discovered flaw.
A fixed OpenSSL (version 1.0.1g) has been released, but it must be installed immediately: the vulnerability does not go away as long as the flawed version of OpenSSL remains on a system. Note that the version string alone is not a reliable indicator, since Linux distributions typically backport the fix into packages that still report the old upstream version number; check the package changelog or test the server’s heartbeat behaviour instead.
Italian security expert Filippo Valsorda has released an online vulnerability check, built “in a frenzy” and published via GitHub, where you can see whether your server is vulnerable to an attack.
“As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
The bug has apparently been present in OpenSSL for over two years (introduced in December 2011 and shipped in OpenSSL versions 1.0.1 through 1.0.1f) before being publicly announced today. Worse, exploiting it leaves no record in the server’s logs by default, since a heartbeat request is ordinary protocol traffic, so there is no easy way for a system administrator to know whether their servers have been attacked.
The safest approach is to assume that you are affected and take the necessary steps to fix the situation. OpenSSL has released an emergency patch for the bug along with a security advisory. Patching alone is not enough, however: because private keys may already have been read from memory, certificates should be reissued with newly generated keys and the old ones revoked, and passwords and session tokens should be reset once the server has been fixed.
Reactions from the Bitcoin Community
David Dahan, (PR manager, HITBTC): “Of course we cannot downplay the impact or the importance of the “Heartbleed” bug but our team reacted quickly to the news … Luckily, none of our customers were affected and we quickly stopped all automatic transaction processing until all our servers were updated and our SSL certificates renewed. It is unfortunate that during this period customers were unable to withdraw their funds, but we decided to take all possible precautions.”
“This event also put our security policy in perspective, in particular it has led us to add additional guidelines to our security policy. These include a constant monitoring of the OpenSSL website and various web-security related forums which will allow us to be on the frontlines and ready when these flaws surface. We also decided to stay ahead of the curve and hire additional experts whose tasks include testing our services and conducting research similar to that carried out by Neel Mehta of Google Security who discovered this serious bug.”
Michael Yeung: “The newly-discovered flaw has no effect on the larger picture of Bitcoin although exchanges and services related to Bitcoin might be affected.”
Filipe Paz Rodrigues (Software Engineer at Hewlett-Packard): “Bad security is like an onion: we start to cry when we start to remove the layers and see what is underneath it.”
Saeed El-Darahali (CEO & President at SimplyCast): “The bug has been around for over 2 years and can't be traced in logs. Terrible!”
A. Traviss Corry (Managing Director at Bitcoin Decentral): "There is nothing as vital as addressing these bugs. The security of such must be at the highest level if their systems are to be accepted by the masses."