A vulnerability has been identified in OpenSSL (CVE-2014-0160) that allows attackers to extract sensitive data from server memory, although the full effect on Bitcoin and altcoins does not seem to be as significant as the press are making out.
A bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping, say researchers.
The bug is in a software library used in servers, operating systems and email and instant messaging systems.
Called OpenSSL, the software is supposed to protect sensitive data as it travels back and forth.
It is not clear how widespread exploitation of the bug has been because attacks leave no trace.
"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," said a blog entry about the bug published by the Tor Project, which produces software that helps people avoid scrutiny of their browsing habits.
A huge swathe of the web could be vulnerable because OpenSSL is used in the widely deployed Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software.
"It's the biggest thing I've seen in security since the discovery of SQL injection," said Ken Munro, a security expert at Pen Test Partners. SQL injection is a way to extract information from the databases behind websites and services using specially crafted queries.
Many firms were scrambling to apply patches to vulnerable programs, and others had shut down services while fixes were being worked on, he said. Many were worried that, with proof-of-concept code already being shared, it would only be a matter of time before cyber thieves started exploiting the vulnerability.
I talked with Bitcoin devs about the OpenSSL CVE-2014-0160 vulnerability that became public on April 7th, 2014. It is believed that the Bitcoin 0.9.0 official binaries from bitcoin.org are exposed only with the payment protocol and RPC SSL. Bitcoin 0.8.x is exposed only with RPC SSL.
If the above is true, you are not vulnerable with Litecoin-Qt or litecoind 0.8.x under these circumstances:
You do not use RPC SSL as a client or server. This is not enabled by default, and very few people use this.
If you built from source, then you are probably dynamically linking to your system's OpenSSL. So if your system OpenSSL is fixed for CVE-2014-0160, then you are likely fine.
Furthermore, in #bitcoin-dev on Tuesday, the Bitcoin Core developers talked about trying to reproduce an attack on Bitcoin RPC SSL that tries to extract secrets from memory. In their attempts, they were unable to extract anything different from a single 64KB chunk of memory that contained nothing important. It is possible they missed something, but given that this feature is used by almost nobody, the risk to Litecoin 0.8.x seems to be negligible.
There is a lot of bad advice out there about emptying your old addresses. Doing so is harmless, but if the above analysis by the Bitcoin Developers is correct it is also useless.
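A host-side check of the two conditions the post above lists (RPC SSL not enabled in the config, and the OpenSSL the daemon actually links being a fixed version), as an added shell example that is not part of the original post or of the Bitcoin/Litecoin projects' code. It assumes the upstream affected range (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g the fix; 0.9.8 and 1.0.0 never had the heartbeat code), that the daemon's config uses the `rpcssl=1` key, and that the binary and config paths passed on the command line are placeholders; distributions often backport the fix without changing the version string, so treat "vulnerable" from a version string as "check the package changelog", not as proof.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the CVE-2014-0160
# affected range. Version strings are the only input, so this runs offline.

# heartbleed_status VERSION -> prints vulnerable | fixed | unaffected | unknown
# Accepts a bare "1.0.1e" or the full "OpenSSL 1.0.1e 11 Feb 2013" output.
heartbleed_status() {
    set -- $1                              # split on whitespace
    [ "$1" = "OpenSSL" ] && shift          # drop the leading product name
    case "$1" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1*) echo vulnerable ;;   # 1.0.1e-fips etc. too
        1.0.1[g-z]*|1.0.2*)             echo fixed ;;        # 1.0.1g and later
        0.9.*|1.0.0*)                   echo unaffected ;;   # no heartbeat code
        *)                              echo unknown ;;
    esac
}

# rpcssl_enabled CONF -> exit 0 if the config turns RPC SSL on (assumed key: rpcssl=1)
rpcssl_enabled() {
    grep -Eq '^[[:space:]]*rpcssl[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# links_shared_openssl BINARY -> exit 0 if the binary loads libssl/libcrypto dynamically
# (ldd loads the binary's dependencies; only run it on binaries you built or trust)
links_shared_openssl() {
    ldd "$1" 2>/dev/null | grep -Eq 'lib(ssl|crypto)\.so'
}

# check_daemon BINARY CONF -> one-line risk summary for this host
check_daemon() {
    if rpcssl_enabled "$2"; then
        echo "$2: rpcssl=1 -> RPC SSL is exposed; verify the linked OpenSSL"
    else
        echo "$2: RPC SSL not enabled (the default) -> not exposed via RPC SSL"
    fi
    if links_shared_openssl "$1"; then
        # Assumes the openssl CLI reports the same libssl the daemon loads
        ver=$(openssl version 2>/dev/null)
        echo "$1: dynamic OpenSSL '$ver' -> $(heartbleed_status "$ver")"
    else
        echo "$1: no shared libssl found -> statically linked; check the build's own OpenSSL"
    fi
}

# Placeholder usage: sh check.sh /path/to/litecoind /path/to/litecoin.conf
if [ "$#" -eq 2 ]; then check_daemon "$1" "$2"; fi
```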