
Topic: Bitcoin Core (Bitcoin-Qt) 0.9.1 released - update required - page 7. (Read 64104 times)

sr. member
Activity: 280
Merit: 250
I really like this new update. It has better functions than 0.9.0. I can't wait for the 1.0 release.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.
It's easy to cry "I told you so" in retrospect. But there could have been an exploit in any of the other dependencies. Or in the Bitcoin P2P or RPC network code itself. By no means is OpenSSL the only software that has bugs.

The only long-term sustainable solution to key theft would be to isolate the private keys and signing from the wallet in either a separate process, a trusted computing module or even a separate device (in order of increased security).
full member
Activity: 129
Merit: 100
If you ever used the payment protocol (you clicked a bitcoin: link and saw a green box in Bitcoin Core's send dialog), then you should consider your wallet to be compromised.

At least two dozen people (and I was nowhere near the first one) told the devs that using the OpenSSL CA infrastructure for their "payment protocol" coin-tracking fantasies was a (a) crazy, (b) stupid, and (c) risky scheme that involved an utterly massive expansion of the attack surface to include all of SSL and the entire certificate authority ponzi-scheme.

What did they do?  They ignored common sense.

The bitcoin dev responsible for this idiocy is totally incompetent and should step down effective immediately.  Oh wait, that happened.

Carry on.
legendary
Activity: 2114
Merit: 1011
How do I install this for Linux Mint? On the previous version there was just a bitcoin-qt file which I could click on and run. Now the extracted folder contains several files, none of which are executable. I am stupid and know almost nothing about using the terminal, compiling libraries, etc. Can someone give me a simple explanation please?

Please.

Almost sounds like you've downloaded a source archive. Are you sure you've downloaded https://bitcoin.org/bin/0.9.1/bitcoin-0.9.1-linux.tar.gz , 36MB in size?

I had a quick look at this archive and the executables appear to be there:

bin/32/bitcoin-qt
bin/64/bitcoin-qt

The file I downloaded from your link and the previous link is 47.5 MB. I tried it again with your link, but same result. Bitcoin-qt is not an executable, it is a "shared library (application/x-sharedlib)". I have no program that can execute this file. Fuck. Why didn't they just make an "executable (application/x-executable)" file like version 0.8.5?

On Linux Mint 14 you can still launch your bitcoin-qt if you go to terminal and type "./bitcoin-qt". If you want to start it without having it tied to your terminal window then type "(./bitcoin-qt -min &> /dev/null &)"
legendary
Activity: 994
Merit: 1000
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed.
So probably not.

Ok thank you
legendary
Activity: 2576
Merit: 1186
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
0.8.6 is only vulnerable if you use the -rpcssl options and expose RPC to the internet - which is vulnerable to other attacks even with this fixed.
So probably not.
legendary
Activity: 994
Merit: 1000
i am using QT v8.0.6 beta, need to upgrade or i am safe and sound?
legendary
Activity: 1148
Merit: 1018
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

+1
I would like to know this as well

I've opened a dedicated thread in Technical Discussion for this purpose.
hero member
Activity: 1582
Merit: 502
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.

+1
I would like to know this as well
sr. member
Activity: 392
Merit: 250
Thank you for the info and the update. All best!
hero member
Activity: 882
Merit: 563
Bitcoin to the moon!
Does this only apply only for Bitcoin QT? Just wondering because I use BlockChain online wallet and MultiBit.
sr. member
Activity: 257
Merit: 250
If you're on Ubuntu Saucy you can type,

apt-cache showpkg --names-only openssl

in a terminal to find out what version you have installed.

Package: openssl
Versions:
1.0.1e-3ubuntu1.2

more info here http://www.ubuntu.com/usn/usn-2165-1/
sr. member
Activity: 378
Merit: 265
Thanks for info. Is electrum compromised as well?
legendary
Activity: 1148
Merit: 1018
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

I just cannot wrap my head around it yet.
In this case, the risk is only if you were MITM'd...

But who could have MITM'd me? A malicious node? How can my priv keys be exposed just by clicking a "bitcoin:" link that I generated myself, especially if I did not go through the transaction and thus I didn't sign and broadcast it?
legendary
Activity: 2576
Merit: 1186
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link? Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

I just cannot wrap my head around it yet.
In this case, the risk is only if you were MITM'd...
sr. member
Activity: 1302
Merit: 252
Sugars.zone | DatingFi - Earn for Posting
If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0 ?
Just be sure it's updated to a fixed version.
Looks good
link for others :-   http://www.ubuntu.com/usn/usn-2165-1/
legendary
Activity: 1148
Merit: 1018
Could somebody describe how the attack would work when somebody had been using Bitcoin Core 0.9.0 and clicked on a "bitcoin:" link?

Would the wallet be considered compromised even if I generated the "bitcoin:" link myself and clicked it just to see how the new payment function worked? In that case, how the private keys would have been exposed?

Would the wallet be considered compromised if I clicked on a "bitcoin:" link but didn't go through the payment, and thus I did not sign any transaction?

I just cannot wrap my head around it yet.
legendary
Activity: 2576
Merit: 1186
If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0 ?
Just be sure it's updated to a fixed version.
sr. member
Activity: 1302
Merit: 252
Sugars.zone | DatingFi - Earn for Posting
If you are using the graphical version of 0.9.0 on any platform, you must update immediately.
If you are using packages from your Linux distro (Ubuntu PPA included), 0.9.1 has no changes for you.
Instead, you must upgrade to a fixed OpenSSL version.
So if libssl1.0.0 has been updated then all is good and we can still use 0.9.0 ?
legendary
Activity: 2576
Merit: 1186
Memorized private keys, the safest way to own bitcoin.
Memorized private keys are in fact one of the least secure ways to own bitcoin.

Can really the CLIENT KEYs be compromised by this bug?

What I have understood, it's a bug in the OpenSSL implementation of the Heartbeat protocol of TLS 1.2, causing OpenSSL to leak contents of RAM in the server.
This means, the attack vector would be limited to:
impersonating a server and replacing a bitcoin address in the payment protocol, by stealing the SERVER KEYs.

Thus any client-side wallets should be safe since those private keys are never transmitted or kept by the server? (except for webshops and online services running a server-side bitcoin client relying on a vulnerable OpenSSL)

The bitcoin core protocol (port 8333) is not using any form of SSL at all, as far as I know?

If what the Bitcoin devs say is correct (that client keys can be compromised), would also mean that any website using SSL can steal RAM contents of client computers, which would mean my site can get my visitor's bank details, and that would make the security hole way more critical than it is today.
The vulnerability is bidirectional. The server (or anyone MITMing it!) can get the client to leak information too, which could include private wallet data.
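The exchange above turns on one missing length check in OpenSSL's heartbeat handling, and that check is the same whether the heartbeat arrives at a server or at a client, which is why the leak works in both directions. The following is an added example, not code from Bitcoin Core or OpenSSL: a small parser for TLS heartbeat records (RFC 6520 layout) that enforces the check and answers only with the bytes it actually received. The sample records at the bottom are constructed here for testing, not captured traffic.

```python
import struct

# TLS record header (RFC 5246): content type, version, length. Heartbeat
# content type is 24 (0x18); message layout per RFC 6520 is
# type(1) || payload_length(2) || payload || padding(>=16).
HEARTBEAT_CONTENT_TYPE = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


class MalformedHeartbeat(ValueError):
    """Raised for any heartbeat record that must be discarded."""


def parse_heartbeat_record(record: bytes) -> tuple[int, bytes]:
    """Validate a raw TLS heartbeat record and return (type, payload).

    The final length check is the one RFC 6520 section 4 requires and
    OpenSSL 1.0.1 through 1.0.1f omitted: they replied with payload_length
    bytes copied from memory even when the message carried fewer.
    """
    if len(record) < 5:
        raise MalformedHeartbeat("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        raise MalformedHeartbeat("not a heartbeat record")
    body = record[5:]
    if len(body) != rec_len:
        raise MalformedHeartbeat("record length field disagrees with data")
    if len(body) < 3 + MIN_PADDING:
        raise MalformedHeartbeat("heartbeat body too short")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise MalformedHeartbeat("unknown heartbeat message type")
    if 3 + payload_len + MIN_PADDING > len(body):
        raise MalformedHeartbeat(
            f"payload_length {payload_len} exceeds the {len(body)}-byte "
            "body: a reply would be filled from beyond the buffer")
    return hb_type, body[3:3 + payload_len]


def heartbeat_response(request: bytes) -> bytes:
    """Answer a valid request the way a correct peer does: echo exactly
    the bytes that were received, never the declared length."""
    hb_type, payload = parse_heartbeat_record(request)
    if hb_type != HB_REQUEST:
        raise MalformedHeartbeat("can only respond to a request")
    body = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + bytes(MIN_PADDING)
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0303, len(body)) + body


# Constructed sample records (not captured traffic). Both carry a 4-byte
# payload; the second declares 64 bytes, so it must be rejected.
GOOD_REQUEST = (struct.pack("!BHH", 0x18, 0x0303, 3 + 4 + MIN_PADDING)
                + struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(MIN_PADDING))
BAD_REQUEST = (struct.pack("!BHH", 0x18, 0x0303, 3 + 4 + MIN_PADDING)
               + struct.pack("!BH", HB_REQUEST, 64) + b"ping" + bytes(MIN_PADDING))
```

The same function serves as a passive detection rule: any heartbeat record on the wire that fails the final check is a probe, regardless of which side sent it.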