In case you’ve been living in a cave, a major security flaw was found in the security software that powers more than two-thirds of the Internet’s secure websites. It’s been name “Heartbleed” and affects the open source OpenSSL library behind much of world’s secure software, including the widely used Apache and Nginx web servers.
It’s been interesting to watch how the industry has responded to this bug. Bitcoin exchanges have been on the ball - Hong Kong’s two major Bitcoin exchanges, ANX and Bitfinex reached out to customers and the community almost immediately to assure them that they either weren’t affect (ANX) or had already taken steps to remedy the situation (Bitfinex).
What about the banking industry? We haven’t heard much from them beyond some smug comments along the lines of “big banks don’t use free open source software like OpenSSL so they weren’t affected.” Right.
Ok then. Let’s take a look at just how good the security of banks’ SSL is versus that of Hong Kong’s Bitcoin Exchanges to see if that smugness is really justified.
Hong Kong’s Banks
Hong Kong’s Bitcoin Exchanges
Bitcoin exchanges are overachievers.
Hong Kong’s Bitcoin exchanges are using much more secure SSL implementations than Hong Kong’s banks. It’s clear that after the trust issues the Bitcoin suffered from amateurs at Mt.Gox, that exchanges are going out of their way to make sure their customer’s coins are secure.
The difference between Hong Kong’s banks’ SSL and Bitcoin exchanges’ SSL is actually a lot more pronounced than the grades issued by the diagnostic site would seem to indicate.
None of the three most famous banks in Hong Kong I tested supported Perfect Forward Secrecy. This means that if the private keys of any of the banks are ever compromised, by hackers, the NSA, a rogue employee leaving his unencrypted company laptop on the bus, etc., all historical traffic will be exposed. Imagine your loan history, payment details, banking passwords, credit card statements from months or years ago suddenly revealed to the world because your bank couldn’t be bothered to use best practice SSL security on their web sites.
But banks don’t have to worry. They’re licensed and regulated by the HKMA so if anything happens they can say “but we were compliant” and point their finger at the taxpayer and the government. After all, they’re the same people that use HKID numbers, home addresses and birthdays, which are public record and on Facebook, as the main security keys for customer accounts.
Is anyone really surprised that Hong Kong’s Bitcoin exchanges, operating in an intensely competitive global environment, without the comfort and plausible deniability offered by a government licensing scheme, are motivated to offer their customers better security than banks?