Pages:
Author

Topic: Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required - page 7. (Read 64172 times)

sr. member
Activity: 280
Merit: 250
I really like this new update. It has better functions then 0.9.0. I can't wait for the 1.0 release.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.
It's easy to cry "I told you so" in retrospect. But there could have been an exploit in any of the other dependencies. Or in the Bitcoin P2P or RPC network code itself. By no means is OpenSSL the only software that has bugs.

The only long-term sustainable solution to key theft would be to isolate the private keys and signing from the wallet in either a separate process, a trusted computing module or even a seperate device (in order of increased security).
full member
Activity: 129
Merit: 100
If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.
legendary
Activity: 2114
Merit: 1015
How do I install this for Linux Mint? On the previous version there was just a bitcoin-qt file which I could click on and run. Now the extracted folder contains several files, none of which are executable. I am stupid and know almost nothing about using the terminal, compiling libraries, etc. Can someone give me a simple explanation please?

Please.

Almost sounds like you've downloaded a source archive. Are you sure you've downloaded https://bitcoin.org/bin/0.9.1/bitcoin-0.9.1-linux.tar.gz , 36MB in size?

I had a quick look at this archive and the executables appear to be there:

bin/32/bitcoin-qt
bin/64/bitcoin-qt

The file I downloaded from your link and the previous link is 47.5 MB. I tried it again with your link, but same result. Bitcoin-qt is not an executable, it is a "shared library (application/x-sharedlib)". I have no program that can execute this file. Fuck. Why didn't they just make an "executable (application/x-executable)" file like version 0.8.5?

On Linux Mint 14 you can still launch your bitcoin-qt if you go to terminal and type "./bitcoin-qt". If you want to start it without having it tied to your terminal window then type "(./bitcoin-qt -min &> /dev/null &)"
legendary
Activity: 994
Merit: 1000
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed.
So probably not.

Ok thank you Smiley
legendary
Activity: 2576
Merit: 1186
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed.
So probably not.
legendary
Activity: 994
Merit: 1000
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
legendary
Activity: 1148
Merit: 1018
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

+1
I would like to know this as well

I've opened a dedicated thread in Technical Discussion for this purpose.
hero member
Activity: 1582
Merit: 502
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

+1
I would like to know this as well
sr. member
Activity: 392
Merit: 250
Thank you for the info and the update. All best!
hero member
Activity: 882
Merit: 563
Bitcoin to the moon!
Does this only apply only for Bitcoin QT? Just wondering because I use BlockChain online wallet and MultiBit.
sr. member
Activity: 257
Merit: 250
If your on Ubuntu Saucy you can type,

apt-cache showpkg --names-only openssl

in a terminal to find out what version you have installed.

Package: openssl
Versions:
1.0.1e-3ubuntu1.2

more info here http://www.ubuntu.com/usn/usn-2165-1/
sr. member
Activity: 392
Merit: 265
Thanks for info. Is electrum compromised as well?
legendary
Activity: 1148
Merit: 1018
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

I just cannot wrap my head around it yet.
In this case, the risk is only if you were MITM'd...

But who could have MITM'd me? A malicious node? How can my priv keys be exposed just by clicking a "bitcoin:" link that I generated myself, especially if I did not go through the transaction and thus I didn't sign and broadcasted it?
legendary
Activity: 2576
Merit: 1186
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

I just cannot wrap my head around it yet.
In this case, the risk is only if you were MITM'd...
sr. member
Activity: 1316
Merit: 254
Sugars.zone | DatingFi - Earn for Posting
If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0 ?   Cool
Just be sure it's updated to a fixed version.
Looks good  Smiley
link for others :-   http://www.ubuntu.com/usn/usn-2165-1/
legendary
Activity: 1148
Merit: 1018
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.
legendary
Activity: 2576
Merit: 1186
If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0 ?   Cool
Just be sure it's updated to a fixed version.
sr. member
Activity: 1316
Merit: 254
Sugars.zone | DatingFi - Earn for Posting
If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0 ?   Cool
legendary
Activity: 2576
Merit: 1186
Memorized private keys, the safest way to own bitcoin.
Memorized private keys are in fact one of the least secure ways to own bitcoin.

Can really the CLIENT KEYs be compromised by this bug?

What I have understand, its a bug in the OpenSSL Implementation of Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM in the server.
This means, the attack vector would be limited to:
impersonating a server and replacing a bitcoin adress in the payment protocol, by stealing the SERVER KEYs.

Thus any client-side wallets should be safe since those private keys are never transmitted or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)

The bitcoin core protocol (port 8333) is not using any form of SSL at all what I know?

If what the Bitcoin devs say is correct (that client keys can be compromised), would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitor's bank details, and that would make the security hole way more critical than it is today.
The vulnerability is bidirectional. The server (or anyone MITMing it!) can get the client to leak information too, which could include private wallet data.
Pages:
Jump to: