"Heartbleed": Bitcoin also vulnerable

THIS APPLIES TO BOTH SERVERS AND CLIENTS

Howdy,

All services that implement the official Bitcoin Core and Electrum could also be susceptible to "heartbleed", as they also use OpenSSL.

Any application that could potentially use or implement the vulnerable OpenSSL libraries is liable to being vulnerable to "heartbleed".

I highly urge everyone to update to the latest Bitcoin 0.9.1 core.

Anyone running Electrum from python source, please make sure your system is not using an affected OpenSSL package. For users running the Electrum binaries straight from Electrum, you are safe; the binaries are built with OpenSSL 0.9.8.

Everyone, please be safe and check whether your applications are using any of the OpenSSL libraries, and that the application itself is also not vulnerable.

https://bitcoin.org/en/release/v0.9.1

If there are any questions or feedback, please feel free to contact us on BlackBank at any time or share on our forums.

Cheers,
MDParity


Comments


[6 Points] the_avid:

Note: all that the Bitcoin project did was download the latest version of OpenSSL and re-build their downloads. If you are not using a statically linked version of Bitcoin, then your system update would suffice.

This is exactly why we have libraries and dynamic linking, so that when you need to upgrade you only have one place to do it rather than updating every. single. application.
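Added example, written for this thread and not part of MDParity's post or of the Electrum or Bitcoin Core projects: a Python check covering the post's advice to make sure a source install of Electrum is not using an affected OpenSSL package, and the_avid's point that a dynamically linked libssl is fixed by the system update. It parses an OpenSSL version banner and classifies it against the affected range, then applies the same check to the libssl this interpreter's `ssl` module is linked against. The affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g) comes from OpenSSL's public advisory, not from this thread; the sample banners are constructed.

```python
"""Added example (not from the original post): classify an OpenSSL version banner
as inside or outside the Heartbleed-affected range, and apply the same check to the
OpenSSL that this Python interpreter's ssl module is linked against."""
import re
import ssl

# Publicly documented affected range: OpenSSL 1.0.1 through 1.0.1f. The bug was
# fixed in 1.0.1g; the 0.9.8 and 1.0.0 branches never shipped the heartbeat code.
# (Taken from OpenSSL's advisory, not from the forum post.)
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_PATCH = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2k-fips  26 Jan 2017", etc.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter) from an OpenSSL version banner,
    or None when the banner is not OpenSSL's (e.g. LibreSSL)."""
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, patch = match.groups()
    return int(major), int(minor), int(fix), patch


def version_in_heartbleed_range(banner):
    """True if the banner names a 1.0.1 release older than 1.0.1g, False if it
    names any other OpenSSL release, None if the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, patch = parsed
    if (major, minor, fix) != AFFECTED_BRANCH:
        return False
    # Patch letters compare alphabetically: "" < "a" < ... < "f" < "g".
    return patch < FIRST_FIXED_PATCH


def classify_banner(banner):
    """Map a banner to 'affected', 'clear' or 'unknown'."""
    result = version_in_heartbleed_range(banner)
    if result is None:
        return "unknown"
    return "affected" if result else "clear"


def check_running_interpreter():
    """Classify the libssl this interpreter is linked against. Python's ssl
    module normally links libssl dynamically, so this reflects the system
    package, which is what the dynamic-linking argument above relies on."""
    return classify_banner(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "LibreSSL 2.8.3",
    ]
    for banner in samples:
        print(f"{banner!r:40} -> {classify_banner(banner)}")
    print(f"this interpreter: {ssl.OPENSSL_VERSION!r} -> {check_running_interpreter()}")
    # Caveat: an 'affected' banner is a prompt to check further, not proof.
    # Distributions backported the fix without changing the version string, and
    # builds compiled with OPENSSL_NO_HEARTBEATS never had the bug; confirm via
    # the package changelog or the build options before concluding.
```

The output of `openssl version` on the host can be passed to `classify_banner` in the same way for a system-wide check. A statically linked binary (the case the_avid excludes) carries its own copy of libssl and is not covered by this check or by the system update; it has to be rebuilt, which is what the Bitcoin Core 0.9.1 release did.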


[3 Points] Gabralkhan:

Thanks for the update, you are totally right.

It was done for me personally when the new versions were released, but it is very useful to remind people who missed it:

Bitcoin clients are also affected by heartbleed.

Anyway, the real question is who used "heartbleed" during the 2 years that the bug has existed in OpenSSL.

There are a lot of rumors that LE agencies like the NSA could have been using it secretly for a while now, and that it was perhaps even implemented and kept secret on purpose by compromised developers.

I ask myself, for example, whether it could have been used against SR 1.0 and Ross Ulbricht, and hidden under a parallel construction like the governmental agencies like to use to cover their real means of investigation; it is just a wild hypothesis, of course.

For sure it would seem strange that the TAO team of the NSA or the Agent-1 team of the FBI were not aware of the security flaw and would not have used it.

The fact that the attack leaves no traces on the server and can't be detected in the logs forces us to suppose a lot of things, and we will probably never be able to confirm how it was really used.

I also ask myself about the possibility of a link with the "NSA Quantum" project (nothing to do with quantum computers), which basically redirects users into a parallel environment filtered and managed by the NSA; this kind of flaw would fit very well with those methods, I think.

In the end there are a lot of questions in this, and the fact that the flaw has existed for 2 years is more than worrying as to what could have been done with it during this time.


[1 Points] ostereje:

Why do you call it heartbleed, when OpenSSL's own website calls it heartbeat?


[1 Points] aalewis____:

Imagine how nice it would have been to be able to query all the bitcoin nodes and recover the private keys to one of those 10 btc wallets.