Discovery of a memory leak bug in OpenSSL means that each and every internet user is likely to have been affected, either directly or indirectly.

Dubbed the “Heartbleed Bug”, this vulnerability allows stealing of information that would usually be encrypted by a secure SSL/TLS session over the internet.

Everyday Bitcoin client operation does not directly use OpenSSL; however, Bitcoin Core 0.9.0 (and each prior version) uses OpenSSL for remote procedure calls (RPC) via https. New functionality introduced in version 0.9.0 is the ability to fetch payment requests via https, and this feature is therefore currently insecure. Whilst the Bitcoin Core client will be updated to 0.9.1 to address the OpenSSL vulnerability, the core developers stress that the Bitcoin protocol itself is not affected by the Heartbleed bug.

SSL/TLS encryption provides secure and private communication between users and web-based services such as websites, email, instant messaging (IM), and virtual private networks (VPNs), including Tor. The Heartbleed Bug (CVE-2014-0160) allows anyone snooping on a connection protected by vulnerable OpenSSL versions to obtain leaked session keys and therefore to eavesdrop on communications, obtain data (including usernames and passwords), and impersonate users and services. The bug (in OpenSSL 1.0.1) was first introduced in March 2012 and had been out in the wild for two years until it was discovered and fixed on 7 April 2014.

OpenSSL’s transport layer security protocol implements a heartbeat between the client and server ends of the connection. Exploitation of this heartbeat causes leaked memory to be transmitted bi-directionally and in the clear between client and server.
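To make the heartbeat mechanism concrete, here is an added example (not code from the post or from OpenSSL) of a heartbeat-message validator written from the responder's side. The message layout follows RFC 6520: a one-byte type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding. The function names `hb_validate` and `hb_build_response`, the status codes, and the two sample records are constructed for this illustration; the padding is zero-filled for simplicity, whereas a real implementation uses random padding. The point it demonstrates is the bounds check that the 7 April 2014 fix added: the payload length claimed in the header must fit inside the record that actually arrived, otherwise the request is dropped instead of echoed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout per RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING_MIN 16

enum hb_status {
    HB_OK = 0,
    HB_TOO_SHORT,            /* record cannot even hold header + minimum padding */
    HB_BAD_TYPE,             /* first byte is neither request nor response */
    HB_LENGTH_EXCEEDS_RECORD /* header claims more payload than the record carries */
};

/* Validate a heartbeat record body before any payload byte is copied.
 * record_len is the length of the TLS record actually received; it bounds
 * everything the message header claims. Hypothetical helper, not OpenSSL's. */
enum hb_status hb_validate(const uint8_t *record, size_t record_len, uint16_t *payload_len_out)
{
    if (record_len < 1 + 2 + HB_PADDING_MIN)
        return HB_TOO_SHORT;
    if (record[0] != HB_REQUEST && record[0] != HB_RESPONSE)
        return HB_BAD_TYPE;

    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);

    /* The check that was missing before the fix: the claimed payload length
     * plus header and minimum padding must fit within the received record.
     * Without it, a responder copies payload_len bytes starting at the
     * payload offset and reads past the message into adjacent process memory. */
    if ((size_t)1 + 2 + payload_len + HB_PADDING_MIN > record_len)
        return HB_LENGTH_EXCEEDS_RECORD;

    if (payload_len_out)
        *payload_len_out = payload_len;
    return HB_OK;
}

/* Build a heartbeat response into out (capacity out_cap) by echoing only a
 * validated payload. Returns bytes written, or 0 when the request is rejected
 * (the fixed code silently discards such records rather than answering). */
size_t hb_build_response(const uint8_t *record, size_t record_len, uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (hb_validate(record, record_len, &plen) != HB_OK || record[0] != HB_REQUEST)
        return 0;

    size_t need = 1 + 2 + (size_t)plen + HB_PADDING_MIN;
    if (need > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + 3, record + 3, plen);          /* bounded by hb_validate */
    memset(out + 3 + plen, 0, HB_PADDING_MIN);  /* zero padding for the example only */
    return need;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_record[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Same 4-byte payload, but the header claims 0xFFFF payload bytes. */
static const uint8_t oversized_record[] = {
    HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    uint8_t out[64];
    size_t n = hb_build_response(good_record, sizeof good_record, out, sizeof out);
    printf("well-formed request: %zu response bytes\n", n);
    n = hb_build_response(oversized_record, sizeof oversized_record, out, sizeof out);
    printf("oversized request:   %zu response bytes (dropped)\n", n);
    return 0;
}
```

The validator deliberately treats the record length, not the header field, as the source of truth: the header is attacker-controlled input, the record length is what the transport actually delivered. Any copy that trusts the former over the latter is the class of defect Heartbleed belongs to.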