Title: MTGox security was flawed
Post by: harmen on June 20, 2011, 11:37:11 AM

MTGox security was flawed: the API instructions were sent using cleartext passwords in the URL.
With such security sense it was a matter of time. Some unusual tips for creating very strong and very easy to remember passwords from grc.com: https://www.grc.com/%5Chaystack.htm

It is not about randomness, it is about length and potential complexity.

Cheers!

Title: Re: MTGox security was flawed
Post by: adamncsu on June 20, 2011, 01:48:43 PM

thanks. there can never be too many posts about password security. so many people are under-educated in the subject.

Title: Re: MTGox security was flawed
Post by: ribuck on June 20, 2011, 03:26:18 PM

> ...the API instructions were sent using cleartext passwords in the URL...

Over https.

Title: Re: MTGox security was flawed
Post by: SomeoneWeird on June 20, 2011, 03:28:32 PM

> > ...the API instructions were sent using cleartext passwords in the URL...
> Over https.

HTTPS Doesn't mean squat. (http://www.thoughtcrime.org/software/sslstrip/)

Title: Re: MTGox security was flawed
Post by: dan_a on June 20, 2011, 03:39:22 PM

> > > ...the API instructions were sent using cleartext passwords in the URL...
> > Over https.
> HTTPS Doesn't mean squat. (http://www.thoughtcrime.org/software/sslstrip/)

That attack will only work if you have control of a network between MTGOX and their customers.

Title: Re: MTGox security was flawed
Post by: zzyyxx on June 20, 2011, 04:03:28 PM

http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115
am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that the whole process in general, to be suspect?

Title: Re: MTGox security was flawed
Post by: vampire on June 20, 2011, 04:07:03 PM

Mt. Gox looked like an amateur site, for some reason I question why should an auditor get a copy of their database?

Title: Re: MTGox security was flawed
Post by: EyeRis on June 20, 2011, 04:14:36 PM

> > ...the API instructions were sent using cleartext passwords in the URL...
> Over https.

So that means the data is encrypted, the URL is not.

Title: Re: MTGox security was flawed
Post by: dan_a on June 20, 2011, 04:20:36 PM

> http://forum.bitcoin.org/index.php?topic=15364.msg231115#msg231115
> am I the only one who finds the Mt Gox hack, and this site going up/coming down... on top of that the whole process in general, to be suspect?

There's been a big jump in interest in bitcoin in a very short time - it's not surprising that some sites would go up and down as they sort out an appropriate level of hosting.

Title: Re: MTGox security was flawed
Post by: Xenland on June 20, 2011, 05:41:57 PM

> HTTPS Doesn't mean squat. (http://www.thoughtcrime.org/software/sslstrip/)

This attack does not apply as long as you browse completely over HTTPS. So just bookmark the https://www.mtgox.com/ url, use only that bookmark, and you'll be fine.

> So that means the data is encrypted, the URL is not.

HTTPS encrypts also the URL and other request details.
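
Added example, not part of the thread and not code from any poster or from Mt. Gox: HTTPS encrypts the URL on the wire, but the server that terminates TLS still sees the full request target and commonly writes it to its access log, so a password in the query string ends up stored in clear there. The sketch scans constructed access-log lines for credential-like query parameters and redacts them; the parameter names, path and log values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed credential parameter names (hypothetical; not the Mt. Gox API's).
SENSITIVE = {"pass", "password", "passwd", "pwd", "token", "api_key", "secret"}

# Request field of a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        cleaned.append((key, value))
    if not leaked:
        return target, leaked  # leave untouched targets byte-for-byte identical
    return parts._replace(query=urlencode(cleaned)).geturl(), leaked

def scrub_line(line):
    """Redact credentials in one access-log line and report what leaked."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    redacted, leaked = redact_target(m.group("target"))
    return line[:m.start("target")] + redacted + line[m.end("target"):], leaked

# Constructed sample lines (hypothetical path, addresses and credentials).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2011:11:37:11 +0000] '
    '"GET /api/example?name=alice&pass=hunter2 HTTP/1.1" 200 48',
    '203.0.113.9 - - [20/Jun/2011:11:38:02 +0000] '
    '"POST /api/example HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, leaked = scrub_line(raw)
        print(("LEAK %s: " % leaked if leaked else "ok: ") + clean)
```

The second sample line shows the same call with the credentials moved out of the URL: nothing sensitive reaches the log.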