If you’re using a bitcoin wallet or an online wallet or exchange, Heartbleed could be a very real problem for you and your BTC. Luckily, things have finally settled down after a few days of panic and there are a few very easy ways to ensure you’re protected.
First, understand that the core bitcoin protocol, which transfers bitcoin through the system, is unaffected. “Whilst the Bitcoin Core client will be updated to 0.9.1 to address the OpenSSL vulnerability, the core developers stress that the Bitcoin protocol itself is not affected by the Heartbleed bug,” wrote Venzen Khaosan on CryptocoinsNews.
That didn’t stop many exchanges from taking down some of their services just to be safe. Yesterday Bitstamp shut down “account registration, login & all virtual currency withdrawal functions,” as it investigated the effect of Heartbleed on its servers. Anti-DDoS service Incapsula also had to update its servers to remain secure. Bitstamp has since restarted all functionality. The OpenSSL exploit essentially allows a dedicated hacker to methodically collect email addresses, keys, and log-ins from affected servers.
What about folks with wallets on their own machines? A bit of updating is in order. A new version of Bitcoin Core, 0.9.1, just dropped, and it features improved security for wallets. Users should have OpenSSL 1.0.1g or later. You can see your OpenSSL version in the Help->Debug window in Bitcoin-Qt. Other wallets like Multibit have not updated (although they may not need to), but care should be taken to encrypt and password-protect your coins.
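As an added illustration of the version check described above (this is not code from the original article or from Bitcoin Core), a small Python helper that parses the OpenSSL version string a client's debug window reports and says whether that build still carries Heartbleed. The sample strings are constructed.

```python
import re

# Heartbleed (CVE-2014-0160) lives in the OpenSSL 1.0.1 branch: every release
# from 1.0.1 up to and including 1.0.1f is affected, 1.0.1g carries the fix.
# The 0.9.8 and 1.0.0 branches never contained the heartbeat code, so they are
# unaffected (the 1.0.2-beta1 pre-release was also affected; it is not
# modelled here because the regex below only matches release-style strings).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from a string such as the one the
    Bitcoin-Qt Help->Debug window shows, e.g. 'OpenSSL 1.0.1f 6 Jan 2014'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_vulnerable(version):
    """True only for 1.0.1 through 1.0.1f. OpenSSL patch letters are
    sequential, so a plain string comparison against 'g' is correct here
    ('' < 'a' < ... < 'f' < 'g')."""
    major, minor, fix, letter = version
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"


def audit(text):
    """Classify a debug/build string as 'vulnerable', 'patched' or 'unaffected'."""
    version = parse_openssl_version(text)
    if is_heartbleed_vulnerable(version):
        return "vulnerable"
    if version[:3] == (1, 0, 1):
        return "patched"
    return "unaffected"


if __name__ == "__main__":
    # Constructed sample strings in the format the debug window uses.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014",
                   "OpenSSL 1.0.1 14 Mar 2012"):
        print("%-28s -> %s" % (sample, audit(sample)))
```

A "patched" verdict only means the linked OpenSSL is fixed; keys and passwords exposed before the upgrade still need rotating, as the article goes on to say.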
In short, update everything that touches your bitcoin and don’t trust exchanges that haven’t explicitly explained their position on the exploit. Want more bad news? You should assume that all your usernames and passwords used over the past two years are compromised. This means you should change everything, not just your bitcoin data. A clever hacker could socially engineer her way into your wallet simply by knowing a few things about your online habits.
“I’m hoping the impact will be limited. Major sites will have to rotate their SSL keys after upgrading [...] Most sites should have the private keys for their wallets in a different server process where the data cannot be extracted this way. However it will not surprise me if a few sites are not working this way for whatever reason and might suffer thefts,” wrote Mike Hearn of the Bitcoin Foundation. All is not lost, but all is not great, either.