The internet world has been gripped over the last few days by a flaw in OpenSSL software, also known as the “Heartbleed” bug. Reuters has quoted experts as saying that the bug “is one of the most serious security flaws uncovered in recent years.” It even prompted the U.S. Department of Homeland Security to advise businesses to check if they may be affected.
The bug poses a real risk now that its existence has been made public. Major websites around the world have temporarily shut down their secure services and/or added patches to remedy their vulnerability.
Following are some useful things to know about “Heartbleed”, much of which is courtesy of heartbleed.com (ironically, an earlier attempt at accessing a “similar” site was blocked by Google Chrome as potentially insecure):
Q: What is OpenSSL?
A: It is an open-source software that implements SSL and TLS encryption protocols, which essentially cryptographically secure information sent over the internet so that it cannot be accessed by unauthorized parties.
Q: What is the bug and why the name?
A: There is a memory-handling defect that allows up to 64 kb of memory data to be revealed within each “heartbeat”.
Q: Why is it so bad?
A: A large number of private keys, passwords and other sensitive is effectively available on the internet for anyone with the right know-how to take. Other bugs which pop up from time to time have not occurred in such vulnerable areas.
Q: How likely is it for someone to be affected?
A: Not unlikely. Most web servers use OpenSSL.
Q: If information was compromised, is the breach traceable?
A: No. There are no traces of abnormal activity in the logs. You only know afterwards when for example, something harmful is done with the information. It is not well known at this time how much real damage has been done with the exploit.
Q: Which versions of OpenSSL are affected?
A: Interestingly, only later versions from 1.01 to 1.01f. The bug was “introduced” into the software in its update post-December 31, 2011. Earlier versions are unaffected.
Q: Is this being fixed?
A: Probably. Version 1.01g will be worked on by OpenSSL experts for a proper solution. Barring this, patches can be employed.
What’s Happening with Bitcoin?
All this should have sweeping implications for Bitcoin, the “currency of the internet”. Indeed, yesterday saw exchanges scramble to prevent potential damage from the flaw. Bitstamp disabled account creations, logins and bitcoin withdrawals for several hours. They have since reactivated these services, telling clients:
ACY Securities Supports ASIC’s Product Intervention OrderGo to article >>
Dear Bitstamp clients,
“After reported vulnerabilities in OpenSSL, we applied necessary patches to our system. Incapsula, our DDOS mitigation provider is still working patching their system.
In order to provide required security, both system need to be patched. We are in constant contact with Incapsula and are working with them to complete necessary procedures. Until then Bitstamp has decided to temporally deactivate:
-account registration, -account login -and all virtual currency withdrawal functions
We will keep you updated on the progress.
Thank you for understanding.
Bitfinex also tweeted: “Withdrawals will be disabled for 10 hours. Please change your Bitfinex credentials as soon as possible.” Security-intensive Vault of Satoshi sent an update to clients, saying that “third-party load balancing server has been patched, and account logins are once again active.” They have dropped their old SSL certificate and are running a new one.
Gavin Andresen, chief scientist at Bitcoin Foundation, tweeted the following:
Bitcoin is still celebrated by some as occupying a higher place than the internet, even though it depends on it, at least for now. Some Bitcoiners enthusiastically declare the “death of the internet”, usually in some connection with commentary on how so many of our systems (e.g. financial) are outdated.
Crypto vs. Fiat? Who’s Better Equipped?
The question becomes: in light of this bug, how well does Bitcoin stack up against fiat when accounting for interaction through the internet? Is an online bill payment, for example, more or less secure than a bitcoin transfer?
There are pros and cons to both sides. On the one hand, if both are equally affected by the bug, then the Bitcoin world still has all of the other potential exploits (malleability, DDoS and possibly more discovered in the future) to deal with, whereas a technology like online banking doesn’t have to deal with these on the same scale.
On the other hand, the Bitcoin community, which makes their living off of cryptography, may be more nimble and in a better position to react quickly and effectively to such threats, or even pre-empt them in the future.
However, while both worlds face this risk, it would seem that the Bitcoin world faces a greater risk of derailment in a worst case scenario. For fiat, yes, there can be destructive consequences arising from the online side, but this will not make much of a dent in the overall system of money.
Furthermore, because the system is managed by 3rd parties, a variety of protective measures can be put in place and law enforcement has greater visibility and tools at their disposal.
How has this affected Bitcoin and crypto prices? Technical threats in the past, such as transaction malleability, DDoS attacks and other forms of hacking, have taken turns driving prices lower. Depending on who you ask, Bitcoiners are either getting tired of, or used to, what seems to be a constant barrage of technical issues.
Over the past 72 hours though, the price of Bitcoin has been its flattest since before the MtGox implosion (update: there has been some volatility in the last 2 hours. BTC dropped by $14, its biggest drop in 3 days). Perhaps traders are taking comfort in this being a shared problem with the rest of the internet.