Making Blockchain Safe and Secure, a Balancing Act That Never Ends
blockchain technology has become synonymous with privacy and security, but those very characteristics have been put to the test over the past decade. With historical roots embedded in cryptography, many blockchain and cryptocurrency projects purport to offer unbridled security and privacy measures. The industry is split between public blockchain platforms like Bitcoin and private or permissioned blockchains focused on enterprise use.
Cointelegraph has previously explored the ins and outs of privacy concerns around blockchain technology, but the security of these systems is a major consideration on its own. In the years since Bitcoin's (BTC) inception, a multitude of cryptocurrencies has been created, along with numerous blockchain projects in the private and public sphere.
The sheer number of working parts and industry participants means that vulnerabilities have been identified and exploited over the years. This is despite the best efforts of those involved to create the most secure blockchains, cryptocurrencies and exchanges.
This article will shine a spotlight on public blockchains and cryptocurrencies like Bitcoin, permissioned blockchains that offer enterprise solutions to mainstream corporate companies as well as privacy coins to delve into the different considerations of their perceived and actual levels of security.
Is Bitcoin secure for the average user?
Given that the use of cryptocurrencies primarily began with individual users and adoption by bigger entities such as financial institutions has been slow, a major concern is the security of blockchain or cryptocurrencies being used by individuals. In order to get an understanding of what makes these systems secure, Cointelegraph reached out to blockchain and cryptocurrency analysis firm CipherTrace.
John Jefferies, who is the company's chief financial analyst, identified and separated the different categories that are needed to fully understand the level of security of an open blockchain or cryptocurrency like Bitcoin:
“There are three levels of security to consider: personal, platform and technology. Blockchains provide the technology layer, but the average user must trust the security of the particular wallet or exchange they are using. A well-validated, open-source blockchain built using known, trusted encryption, such as the Bitcoin blockchain, provides the level of security to assure the average user that their transaction data has not been tampered with.”
When asked whether open blockchain systems have provided trusted security and privacy to users, Jefferies outlined two key elements of Bitcoin's system that answered long-standing problems plaguing earlier digital currency projects. First of all, the Blockchain technology proved to be a major advancement, as it solved the double-spend issue in peer-to-peer transactions.
Another vital protocol that ensured security was the basis of Bitcoin's consensus protocol, as Jefferies explained, the blockchain technology also deals with the Byzantine Generals Problem, where a messenger sharing information between generals can deliver false information. However, if all parties receive information that is verified by the majority, the corrupt messengers will be discovered. While these two elements provide robust security to the overall Bitcoin system, Jefferies makes a clear distinction between the security of the protocol and the privacy afforded to users:
“It is a common misconception that Bitcoin was designed to be anonymous, but in actuality, the Bitcoin blockchain is pseudonymous, meaning transactions are publicly visible yet the individual users associated with transactions are not. Satoshi's white paper only discusses privacy in two paragraphs. If privacy was the goal, it would have been designed differently.”
Cointelegraph also reached out to Stanford University Ph.D. student Florian Tramèr, who recently managed to discover vulnerabilities in privacy coins Monero (XMR) and Zcash (ZEC). A remote side-channel assault would enable an attacker to recover a user's IP addresses, thereby destroying any semblance of anonymity and privacy of the users in a transaction.
Tramèr weighed in on the level of security that open blockchain networks, like Bitcoin, offered the average user. He highlighted in a comment to Cointelegraph that Bitcoin's consensus protocol has proved its efficacy on its own, but the development of numerous third-party applications, like exchanges, has added a number of vulnerabilities to the overall ecosystem:
“The general idea of consensus via proof-of-work definitely seems to be standing the test of time — in terms of security at least, not so much in terms of scalability. […] On the security side, we've seen countless examples of vulnerabilities in smart contracts, wallets, exchanges, etc. From the privacy side, there have also been many studies showing that cryptocurrency transactions are relatively easy to trace and de-anonymize, even in systems, such as Monero and Zcash — mostly because actually achieving good privacy requires a lot of extra care on the user's side.”
Permissioned blockchains and privacy coins
Private, or permissioned, blockchains have become a go-to solution for big companies and corporates that are looking for distributed ledger solutions for various business challenges. It goes without saying that bigger conglomerates will take no chances when it comes to security and so they turn to permissioned blockchains that are tailor-made and managed by specialist tech companies.
Prime examples are Microsoft Azure Blockchain Service and IBM's Blockchain platform, which is powered by the Linux foundation's Hyperledger Fabric. Microsoft Azure Blockchain Service performs a similar function, allowing users to build and operate blockchain networks that scale. IBM Blockchain is aimed at large businesses and corporations and has a variety of existing blockchain platforms that companies can join. Clients can also build and launch their own platforms that can be programmed to carry out specific functions.
When asked if permissioned blockchains are more secure than open networks, CipherTrace's Jefferies offered an argument suggesting that these platforms aren't inherently more secure:
“No, they are simply attacked less because they do not move money and are not widely deployed. If anything, they could be more susceptible to hacks and security breaches because by nature of being permissioned, private blockchains are more centralized.”
Tramèr's take was similar to that of Jefferies about how permissioned blockchains would contrast the security of open blockchains:
“The threat model is certainly different. Yet, some issues, such as smart-contract bugs, key management, etc., would also be a problem in a permissioned or private system.”
While companies may turn to permissioned blockchains to operate closed-off ledger systems and other financial tasks, at the other end of the spectrum, there are privacy coins that aim to offer complete anonymity to users. Considering Tramèr's research into perceived privacy and security offered by privacy coins, he insisted that assessing the actual degree of privacy and anonymity offered is not a clear-cut conversation:
“On the one hand, Zcash and Monero use some fairly advanced and very recent developments in cryptography to offer, in principle, high degrees of privacy and anonymity for transactions. On the other hand, cryptography is only one part of a large distributed system implemented by these projects. And measuring privacy, or the lack thereof, at a systems level is very hard. There can be subtle implementation bugs and a variety of usage patterns or side-channel leaks that might reveal much more than the cryptography intends.”
A balancing act
A key takeaway is that security concerns in the blockchain and cryptocurrency space transcend individual systems. One cannot label a single platform or cryptocurrency as insecure due to the fact that there are numerous systems that plug into one another. Tramèr offered a comparison between traditional financial systems and the emergence of blockchain-based cryptocurrencies where no system is “unhackable” and that security concerns also come down to usability issues:
“You shouldn't have to be an expert to use these cryptocurrencies in the most secure way possible. At the same time, striving for an ‘unhackable' system is not necessarily the right goal. If you look at the banking system for instance, things are clearly not ‘unhackable.' People get their credit cards and account logins stolen all the time; banks get hacked; there's a lot of fraud; and most of this gets handled by the legal framework and insurance. A similar framework for seamlessly and gracefully handling security breaches and losses in the cryptocurrency space doesn't exist yet.”
In the decade following Bitcoin's creation and the emergence of numerous altcoins, blockchain platforms, cryptocurrency exchanges and a multitude of other projects have sprung up. This inevitably included teething problems and hacks; fraud and security breaches were rife, particularly among cryptocurrency exchanges.
Meanwhile, technologists and developers have begun leveraging blockchain technology and cryptography to build secure and robust systems. The exploration of the capabilities continues today, and Jefferies believes that the technology will continue to drive the development of more secure systems across a wide range of industries:
“Yes, there has been a lot of experimentation looking for use cases where blockchain provides benefits beyond traditional technology. […] We are seeing companies and countries pursuing digital currencies because of the enhanced efficiency and control enabled by digitalization. In the next 10 years, every major economy will have their own Central Bank Digital Currency.”