The Heartbleed OpenSSL Bug and How It Affects You

To sum it up as simply as possible, Heartbleed is a bug in OpenSSL that allows someone to read the memory of SSL servers, so they can see the usernames and passwords of people who have recently logged into accounts. Any site using the OpenSSL software library is at risk if it hasn't been properly patched; this includes Bitcoin sites as well as banking, email, and VPN sites. If you go to filippo.io/Heartbleed/ you can see whether an individual site is at risk or safe from this exploit. It appears that Coinbase, Blockchain.info, Bitpay, and Coinkite are safe. BTC-China just tweeted that they patched their system and Bitstamp is currently working on a fix. Any sites that are at risk are expected to be patching their systems as we speak. The original blog post describing the Heartbleed bug can be found here.
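To make the "read the memory of SSL servers" part concrete, here is a small added model of the bug (written for this post, not code from OpenSSL or from the Heartbleed disclosure). The heartbeat message carries its own payload length; the vulnerable code trusted that field and copied that many bytes into its reply, so a request that claimed more payload than it sent got back whatever sat next to the record in memory. The "process memory" layout, the session cookie and the password below are all constructed for the illustration; the check in `fixed_handler` mirrors the idea of the actual fix: the claimed length must fit inside the record that really arrived.

```python
import struct
from typing import Optional

# Toy heartbeat record layout: type(1) | payload_length(2) | payload | padding(16).
# This is a simplified model, not OpenSSL's real record handling.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16

# Constructed data that happens to sit right after the record in memory.
NEIGHBOUR = b"session=abc123; password=hunter2; "


def build_record(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request. claimed_length may disagree with the real
    payload size, which is exactly the malformed case Heartbleed exploited."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Trusts the length field inside the record and copies that many bytes,
    even when that runs past the end of the record into neighbouring memory."""
    hbtype, claimed = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    payload = memory[3:3 + claimed]  # record_len is never consulted here
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * PADDING


def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Bounds-checked version: header + claimed payload + padding must fit in
    the record that actually arrived; otherwise the message is dropped."""
    if record_len < 1 + 2 + PADDING:
        return None
    hbtype, claimed = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + PADDING > record_len:
        return None  # this is the check the vulnerable code was missing
    payload = memory[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * PADDING


def leaked_bytes(response: bytes, real_payload: bytes) -> bytes:
    """Everything the reply carried beyond the payload the client really sent."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length][len(real_payload):]


def demo() -> dict:
    honest = build_record(b"hello", 5)        # length field matches the payload
    malformed = build_record(b"hello", 200)   # claims 200 bytes, sends 5
    memory_ok = honest + NEIGHBOUR
    memory_bad = malformed + NEIGHBOUR
    return {
        "honest_fixed": fixed_handler(memory_ok, len(honest)),
        "malformed_vulnerable_leak": leaked_bytes(
            vulnerable_handler(memory_bad, len(malformed)), b"hello"),
        "malformed_fixed": fixed_handler(memory_bad, len(malformed)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and the vulnerable handler's reply to the malformed request contains the neighbouring `password=hunter2`, while the fixed handler returns `None` for the same input and answers the honest request normally. Note also why the ArsTechnica quote below says attacks leave no trace: a dropped or answered heartbeat is not something a server normally logs.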

That being said, according to ArsTechnica, “The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited.”

Since the bug has been in the wild for over two years, we should treat all of our usernames and passwords as compromised and change them as soon as possible.

A lot of people on the internet have been suggesting https://lastpass.com/ as a way to securely store long alphanumeric passwords that are unique to each site they have an account with. Proponents of LastPass argue that all data is encrypted client side, so LastPass doesn't have access to your passwords, but since it isn't open source there is no way to confirm that. With the Lavabit case, it came to our attention that the US government uses secret court orders to compel US-based companies to provide backdoors to otherwise secure systems while issuing gag orders to prevent the exposure of the backdoor to the public. Since LastPass is a US-based company, this is a real possibility, and I strongly suggest not using them. You are essentially putting all of your eggs (passwords and usernames) in one basket that is easily accessible to the US government and its allies.

People who truly value their security and privacy should use KeePass instead. It is essentially LastPass, but it is open source, so the code can be inspected for backdoors by the community. You can download it here: http://keepass.info/. Conveniently, KeePass is included in the Tails live Linux operating system, a privacy-focused OS that is intended to leave no trace on any computer you use it on. You can download Tails and find more info on it here: https://tails.boum.org/.

Last but not least, you should be using two-factor authentication on any site that offers it. If you are using the Google Authenticator or Authy smartphone apps for this purpose, make sure that you save a copy of the QR code that is generated when you first set up the 2FA. It will act as a backup just in case you lose your phone. Make sure you keep those QR codes somewhere safe, because if someone has access to them they can bypass your 2FA.

TL;DR change usernames/passwords and make sure they are unique to each site you use, use KeePass to store them, use 2FA whenever available.

Disclaimer: This post is intended solely to provide information. As I have no knowledge of individual circumstances, goals, and/or portfolio concentration or diversification, readers are expected to complete their own due diligence before purchasing or selling anything mentioned or recommended.