IMPORTANT SECURITY ANNOUNCEMENT
Howdy,
BlackBank market has recently changed Onion addresses. If a moderator can change our addresses accordingly, it would be greatly appreciated.
As some of you have recently heard, there is a recent OpenSSL exploit that takes advantage of the Heartbeat function of OpenSSL, which is used to check if a computer is still online. The exploit can expose 64kb of data in the memory of the server. During this time, that 64kb could contain various data being kept; this includes the possibility of containing the Tor Hidden Service key.
"Tor hidden services might leak their long-term hidden service identity keys to their guard relays. Like the last big OpenSSL bug, this shouldn't allow an attacker to identify the location of the hidden service, but an attacker who knows the hidden service identity key can impersonate the hidden service."
For more information: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
Simply updating the OpenSSL package will prevent future leaks, but if the Tor hidden service keys are already compromised, updating the OpenSSL package will not prevent abuse of the hidden service keys to eavesdrop on the encrypted traffic. This means all Tor hidden services are susceptible to being monitored if the hidden service keys are not changed; as a Tor Onion address is explicitly linked to the Tor Hidden Service key, any services that are still using the same Onion address have a possibility of being compromised and eavesdropped on. Although unlikely, it is always better to err on the side of caution. One of the reasons why this exploit is dangerous is the fact that if the hidden service key was compromised, there would be no trace to show it was. Due to the uncertainty, it is safer to err on the side of caution and change all keys.
Please refer to the below for our new Onion addresses:
- Market: http://wztyb7vlfcw6l4xd.onion/
- Forum: http://kth2mwuwlkezwziy.onion/
For those who use OpenSSL on clearnet sites, please be wary as well. It will take a while for all clearnet websites to issue new certificates, as each new certificate created will need to be registered with a certificate authority. As of now, several clearnet sites have shut down their SSL services until the keys can be updated.
I highly urge all markets to change the hidden service keys if any have been using OpenSSL builds from 1.0.1 through 1.0.1f.
If there are any questions or feedback, please feel free to contact us on BlackBank or share in our forums at any time.
Cheers,
MDParity
The links will be updated momentarily. Thanks for looking out for the security of your users! You should really sign this post, btw. Cheers.