The Heartbleed vulnerability that has people busy changing their passwords on many affected popular websites may be a welcome change of conversation about cyber-security in the Bitcoin community.
Before the flaw in the OpenSSL encryption library used on an estimated two-thirds of all websites became the Internet security story discussed endlessly in mainstream media, Bitcoin was in the spotlight. At least, crypto-currency exchanges like Mt. Gox were, after hackers successfully broke in and stole bitcoins and other crypto-coins from user accounts. For a digital currency that has been associated with the black market and has come under criticism from several governments around the world, that attention was unwanted by those invested in the community of services that has arisen around the emerging economy.
So to have the media suddenly pivot away from the fledgling crypto-currency world and back to the Internet security concerns around the personal information people keep on social networks and in email accounts comes as a relief. Even more than that, it’s an opportunity for those creating Bitcoin exchanges and wallets to demonstrate their security chops as they were somewhat immune to the Heartbleed fallout.
At Toronto’s Bitcoin Expo, a panel discussed how the Heartbleed vulnerability necessitated a response from some Bitcoin services, and also explained how having proper security provisions in place helped to mitigate negative effects of Heartbleed.
“Heartbleed was one of the biggest things to happen to the Internet in the past decade,” says Michael Perklin, director of the Bitcoin Alliance of Canada. The flaw could have exposed private account details on affected Bitcoin exchanges; those sites would have to patch the flaw and then follow up on the potential exploit window that existed before the patch.
“Any secret that was ever used on that server, you have to regenerate that because you don’t know who used this exploit on you yesterday,” he says. “You have to go back and regenerate every bitcoin private key on that service.”
That’s exactly what CAVirtex, Canada’s largest Bitcoin exchange, did as soon as it learned about the vulnerability. Its security team worked to patch the flaw before the mainstream media was even on the story, says Reed Holmes, business development manager at CAVirtex. It then informed its customers about the steps it was taking in response to Heartbleed, and recommended that users update their passwords. But those password resets were framed as an abundance of caution, not a panic-driven reaction.
“We were very proactive on it,” he says. “We told our customers, we kept them up to speed to let them know we were doing everything we can to combat this bug and if you feel at all uncomfortable, go in and change your password.”
Having taken a proper security approach in the first place minimized the impact of Heartbleed on sites like CAVirtex and Coinkite, a cryptocurrency wallet, according to Peter Gray, the chief technology officer at Coinkite. Both services use two-factor authentication, meaning that even if a hacker was able to glean a password from the Heartbleed vulnerability, they’d still need access to a secondary piece of information to access a private account. Often, services send a user a text message with a temporary secret code to type in to access an account.
“Two-factor authentication is pretty good protection against Heartbleed,” he says. “It’s a one-time code and if it were to be leaked to Heartbleed, you wouldn’t need to worry because it’s going to change again tomorrow.”
CAVirtex and Coinkite are also both users of Cloudflare, a content delivery service that sits between websites and the end user to optimize content delivery and stop potential threats before they hit the web server. The service had advance warning of Heartbleed, Gray says, and had fixes in place ahead of the story being picked up by mainstream news.
Panelists agreed that while service providers must be vigilant when it comes to ensuring customer security, the end user also has a role to play in ensuring their own security. Amber Scott, the founder of Outlier Solutions, says that consumers should educate themselves about the security practices of companies they deal with and take advantage of all the tools offered to them to improve their security.