Photo source: http://www.flickr.com/photos/whitez/

During a recent audit of the cryptographic program GnuTLS, Red Hat analysts discovered a “critical” bug that would allow attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections. The flaw in the GnuTLS library allows attackers to eavesdrop on encrypted traffic, opening up the potential for stolen passwords and more damaging attacks. While that’s bad news for the estimated 200 Linux variations that use the GnuTLS library, it’s also a big problem for anyone storing their Bitcoin keys or wallets on vulnerable systems.

While the vulnerability has no direct impact on Bitcoin code, many third-party Bitcoin and other virtual currency applications use the Linux GnuTLS SSL library. That’s very bad news for Bitcoiners who use Red Hat, Ubuntu, Debian and other related distributions of Linux.

Speaking with CoinDesk, Bitcoin lead developer Jeff Garzik was quick to note that the impact on Bitcoin is likely to be limited.

“The GnuTLS bug is pretty bad, but very few use GnuTLS in the bitcoin community. OpenSSL is standard.”

Garzik noted that other crypto libraries, such as Mozilla NSS and Crypto++, are not impacted by the security flaw.

At the moment, it’s possible that some Bitcoin exchanges are vulnerable to GnuTLS attacks. The GnuTLS team has already implemented a fix in their most recent update (version 3.2.12), but vulnerabilities will continue until users upgrade to the new version.