Bitcoin Forum

Economy => Speculation => Topic started by: Mushoz on January 12, 2012, 07:03:45 PM



Title: Bitcoinica - Security?
Post by: Mushoz on January 12, 2012, 07:03:45 PM
Zhoutong, I was wondering if there are any plans in the making involving added security for your site? Looking at the average daily volume that Bitcoinica produces, there must be quite a lot of funds in that place. The thing is, if someone manages to access your account, he can easily run off with BTC, because it's not reversible. I think a lot of people would appreciate a bit of added security for their accounts. I know I would. Could you please implement one of these two solutions?

1) SMS-authentication
2) Yubikey authentication


Thank you very much!


Title: Re: Bitcoinica - Security?
Post by: incraft3817 on January 12, 2012, 07:07:42 PM
He's too busy traveling and banging American girls to build security for his site.  ;D


Title: Re: Bitcoinica - Security?
Post by: Otoh on January 12, 2012, 07:16:18 PM
yes agreed, as I'd already posted on his thread about this just a couple of hours ago

https://bitcointalk.org/index.php?topic=57291.msg687845#msg687845

even a 3 random chars drop down input for secondary verification from a long memorable phrase or paper hard copy of random chars would be good & easy enough to implement I'd imagine

because in order to get maximum protection from a zhoutonging it's tempting to park a large portion of one's BTC holdings there atm rather than say at Goxed or in one's own secure storage wallet/coded key in the cloud

...

PS I thought it was Australian girls atm btw


Title: Re: Bitcoinica - Security?
Post by: Koekiemonster on January 12, 2012, 07:29:48 PM
I totally agree with the OP. I would really like some extra security.


Title: Re: Bitcoinica - Security?
Post by: incraft3817 on January 13, 2012, 12:42:42 AM
The only securities you need are chastity belts for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.


Title: Re: Bitcoinica - Security?
Post by: teflone on January 13, 2012, 12:45:15 AM
The only securities you need are chastity belts for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.

lmao..  :D


Title: Re: Bitcoinica - Security?
Post by: arepo on January 13, 2012, 12:46:01 AM
The only securities you need are chastity belts for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.

lawl


Title: Re: Bitcoinica - Security?
Post by: Eveofwar on January 13, 2012, 12:48:10 AM
What about forcing http -> https ?  Just a suggestion.


Title: Re: Bitcoinica - Security?
Post by: somestranger on January 13, 2012, 01:07:00 AM
What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.


Title: Re: Bitcoinica - Security?
Post by: Eveofwar on January 13, 2012, 01:20:45 AM
What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.


Title: Re: Bitcoinica - Security?
Post by: somestranger on January 13, 2012, 01:26:30 AM
What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.


Title: Re: Bitcoinica - Security?
Post by: sgbett on January 13, 2012, 02:38:31 AM
What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

https://i.imgur.com/Rpcbl.jpg


Title: Re: Bitcoinica - Security?
Post by: the joint on January 13, 2012, 02:42:36 AM
Use the same two-factor authentication that TradeHill uses (Duo-Security).  I love it.  It's so 21st century.


Title: Re: Bitcoinica - Security?
Post by: Eveofwar on January 13, 2012, 03:09:19 AM
What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.

What about forcing http -> https ?  Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

https://i.imgur.com/Rpcbl.jpg

Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423   <myip>   50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=<obscured>&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one....anyone else care to try ?
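The capture above is an example of the check a defender would automate: flag credential fields posted without TLS, and make the http-to-https redirect apply to every hostname the site answers on (the bug reported in this thread is that only one of them redirected). This is an added example, not Bitcoinica's code; the form field names and the sample request are constructed to mirror the shape of the quoted capture, with placeholder values.

```python
from urllib.parse import parse_qs

# Form fields that should never travel over plain HTTP.
SENSITIVE_FIELDS = {"login", "email", "username", "password", "passwd"}

# Constructed sample shaped like the capture quoted above; credential values are placeholders.
SAMPLE_LOGIN_POST = {
    "scheme": "http",
    "host": "www.bitcoinica.com",
    "path": "/sessions",
    "body": ("utf8=%E2%9C%93&authenticity_token=<obscured>"
             "&login=email%40host.com&password=mycleartextpassword&commit=Log+in"),
}


def cleartext_credential_fields(request):
    """Return the sensitive form fields this request sends without TLS (empty if https)."""
    if request["scheme"].lower() == "https":
        return []
    form = parse_qs(request["body"], keep_blank_values=True)
    return sorted(name for name in form if name.lower() in SENSITIVE_FIELDS)


def https_redirect(scheme, host, path, site_hosts=("bitcoinica.com", "www.bitcoinica.com")):
    """Redirect target for a plain-HTTP request, applied to every hostname the site answers on.

    The thread's observation is that only the bare host redirected; the policy must cover
    the 'www.' host too. Returns None when no redirect is needed (already https) or when
    the host is not one of ours.
    """
    if scheme.lower() == "https" or host.lower() not in site_hosts:
        return None
    return "https://" + host.lower() + path


def hsts_header(max_age=31536000):
    """Strict-Transport-Security value so browsers stop using http on later visits."""
    return "max-age=%d; includeSubDomains" % max_age
```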


Title: Re: Bitcoinica - Security?
Post by: somestranger on January 13, 2012, 04:57:28 AM
Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423   <myip>   50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=<obscured>&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one....anyone else care to try ?

Without the www it redirects to https. With it, it's http.


Title: Re: Bitcoinica - Security?
Post by: Eveofwar on January 13, 2012, 05:16:07 AM
let's just hope he's actually getting laid

Not sure how that's relevant in helping with Bitcoinica security flaws ?  Anyways...

Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423   <myip>   50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=<obscured>&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one....anyone else care to try ?

Without the www it redirects to https. With it, it's http.

With or without the www, still http :'(

Sounds like it's time to bookmark the HTTPS login page lulz.


Title: Re: Bitcoinica - Security?
Post by: M4v3R on January 13, 2012, 06:52:55 AM
As for two-factor auth, I'd recommend the Google two-factor auth mechanism. It's great, because it utilizes an app on your phone as the auth mechanism, which works offline, and it also provides a fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/


Title: Re: Bitcoinica - Security?
Post by: zhoutong on January 13, 2012, 07:45:26 AM
As for two-factor auth, I'd recommend the Google two-factor auth mechanism. It's great, because it utilizes an app on your phone as the auth mechanism, which works offline, and it also provides a fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/

LOL. It's such a coincidence! I started working on Google Authenticator two hours ago (1 hour earlier than your post).

It's going to be up in 10 minutes! Stay tuned!


Title: Re: Bitcoinica - Security?
Post by: zhoutong on January 13, 2012, 07:59:57 AM
As for two-factor auth, I'd recommend the Google two-factor auth mechanism. It's great, because it utilizes an app on your phone as the auth mechanism, which works offline, and it also provides a fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/

LOL. It's such a coincidence! I started working on Google Authenticator two hours ago (1 hour earlier than your post).

It's going to be up in 10 minutes! Stay tuned!

It's LIVE! Two-factor authentication!

Announcement: https://bitcointalk.org/index.php?topic=58522.0
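The mechanism M4v3R recommends and zhoutong shipped is TOTP (RFC 6238): the phone app and the server share a base32 secret, and the six-digit code is HMAC-SHA1 over the current 30-second time step, so it works offline. The following is an added example of the server side, written here rather than taken from Bitcoinica or the Google Authenticator project; the demo secret is the shared secret from the RFC 4226 / RFC 6238 test vectors, and the replay check (refusing a counter already accepted) is the caveat a verifier must add on top of the bare algorithm.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: base32 of the ASCII string "12345678901234567890",
# the shared secret of the RFC 4226 / RFC 6238 test vectors. Never reuse it for a real account.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def b32_secret(base32_secret):
    """Decode a Google Authenticator style base32 secret, tolerating missing padding."""
    s = base32_secret.upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time (what the phone app displays)."""
    at = int(time.time()) if at is None else at
    return hotp(b32_secret(base32_secret), at // step, digits)


def verify_totp(base32_secret, code, at, last_counter=None, window=1, step=30):
    """Server-side check: allow one step of clock drift either way, compare in constant time,
    and refuse any time-step counter that was already accepted (a code is single-use).
    Returns the counter to persist as last_counter on success, or None."""
    secret = b32_secret(base32_secret)
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if last_counter is not None and counter <= last_counter:
            continue  # replayed or older code: reject even if the HMAC would match
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None
```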


Title: Re: Bitcoinica - Security?
Post by: sgbett on January 13, 2012, 10:25:07 AM
You know what, if there was ever any doubt about zhoutong's age, it has to be a fact!

I remember when I was 17, and someone was like "oh you need your thing to do X" and you could just sit down and bang out code and have it done in hours. It's like your brain just ebbed code and your fingers just did the best they could to keep up!

Unfortunately I never had the fortune that my hero coding actually turned into much cold hard cash (still, what's a coder gonna do otherwise.. not code!? you just keep doing it cos you love coding!) ;)

Oh yeah, course I am jealous, but I don't begrudge you anything Mr Z. I love the work you guys are doing.

I'm sure in 20 years time, as you pump out the code in a much more sedentary manner (or more likely stroll along a sunny beach) you'll look back on these good times and think, how the hell did I pull that off.

Those all-nighters just get harder and harder! ;)