Computer security specialists and IT managers the world over have been racing to implement emergency fixes today for the “Heartbleed” security flaw in the popular OpenSSL cryptographic software library. The bug allows an attacker to gather data in 64 kilobyte blocks, slowly accumulating a wealth of data that was supposed to be protected by encryption. Although the most likely targets of these attacks are email and other server-level systems (Apache, chat systems, VPN), some bitcoin services are still vulnerable.
Heartbleed attacks are particularly problematic, as a system can be completely compromised without leaving any trace that an attack has ever occurred. An estimated 50% of all internet servers run some version of OpenSSL, making the threat level extremely high. An updated version, dubbed Fixed OpenSSL (or OpenSSL 1.0.1g), is widely available. New
Not surprisingly, the bitcoin community was fast to respond to the Heartbleed threat. Following on the heels of the bitcoin-specific transaction malleability bug that appears to have played a role in the failure of Mt. Gox, security issues have moved to the very center of the industry.
Within hours of the Heartbleed flaw becoming known, Bitstamp had turned off all account registration, login and virtual currency withdrawal functions until it could verify there were no OpenSSL security leaks. (The company’s servers were already running the updated OpenSSL version.)
Bitfinex, BitCurex and Blockchain.info confirmed that they were running updated versions of OpenSSL, and were not vulnerable to the flaw. Other confirmations are expected across the bitcoin ecosystem in the coming days.