Bitcoin Forum

Economy => Trading Discussion => Topic started by: ones51 on July 21, 2011, 07:57:54 AM



Title: Question!
Post by: ones51 on July 21, 2011, 07:57:54 AM
Is it dangerous to use tradehill, mtgox, etc.....on tor?


Title: Re: Question!
Post by: johanatan on July 21, 2011, 08:45:59 AM
Is it dangerous to use tradehill, mtgox, etc.....on tor?

It isn't dangerous on tor but i've heard that it can be a beast on acid.


Title: Re: Question!
Post by: ones51 on July 21, 2011, 09:42:59 AM
wtf? was that a joke?  ???


Title: Re: Question!
Post by: cryptoanarchist on July 21, 2011, 03:10:25 PM
No. Why would it be?

It is, however, very difficult since most exit node IPs on the Tor network have been banned by those sites.


Title: Re: Question!
Post by: riceberry on July 21, 2011, 07:24:41 PM
It's dangerous to go alone......



take this:

1rbgakDLF3nuErQtRTfpRUn1aYKXBJun2


Title: Re: Question!
Post by: fitty on July 21, 2011, 09:13:35 PM
Is it dangerous to use tradehill, mtgox, etc.....on tor?

If it's https it's pretty secure.

If it's http then it is possible for a tor node to sniff the data. Anything you send over http would be visible. Which means logging into a site that doesn't use https you'd expose your login/password. TradeHill, MtGox all use https so that's not a problem. Gmail is 100% https now I believe also. All banks are https.

This forum only uses https for your login. Which means people could sniff your cookie while you browse/post.

Anyway, as long as it's https then you're fine. Anything non-https is less secure than your internet connection at home. The odds of someone sniffing one of your exit nodes is probably pretty slim.


Title: Re: Question!
Post by: error on July 22, 2011, 01:38:40 AM
This forum only uses https for your login. Which means people could NOT sniff your cookie while you browse/post.

Fixed. :)


Title: Re: Question!
Post by: makomk on July 23, 2011, 10:49:27 AM
Fixed. :)
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep (http://codebutler.com/firesheep) extension for Firefox allows an attacker to do; a lot of sites have this issue.


Title: Re: Question!
Post by: error on July 23, 2011, 05:34:53 PM
Fixed. :)
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep (http://codebutler.com/firesheep) extension for Firefox allows an attacker to do; a lot of sites have this issue.

I don't know how you're doing that. Every single access I make to the forum is through https.


Title: Re: Question!
Post by: trentzb on July 23, 2011, 05:58:54 PM
This forum only uses https for your login. Which means people could sniff your cookie while you browse/post.

No need to sniff it, sometimes people just post their cookie publicly.

http://forum.bitcoin.org/index.php?topic=31094.msg391155#msg391155


Title: Re: Question!
Post by: fitty on July 24, 2011, 10:23:31 AM
Fixed. :)
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep (http://codebutler.com/firesheep) extension for Firefox allows an attacker to do; a lot of sites have this issue.

I don't know how you're doing that. Every single access I make to the forum is through https.

Because your bookmark is https.

Google bitcoin forum. Click the http:// link. If you set "remember me" when you logged in, you're on the forum, logged in, on http. The only way to get https is by going through a https link back to the forum.

The forum should force https plain and simple. With the amount of attacks, trojans, wallet stealers, it's a pretty simple fix. The extra load on the server is minor and it gives a lot of security. Global SSL cert is like 195 bucks a year.

Crypto virtual currency network and the wallet/website are unencrypted.


Title: Re: Question!
Post by: makomk on July 27, 2011, 10:25:24 PM
Because your bookmark is https.

Google bitcoin forum. Click the http:// link. If you set "remember me" when you logged it, you're on the forum, logged in, on http. The only way to get https is by going through a https link back to the forum.
Exactly - if you start on http, all the links are to the http version, and if you start on https all the links are https. Which has a more subtle but nasty security issue: even if you consistently view the forum over https, an active attacker that can modify your network requests can inject content into the next http page you view so that it causes a http request to the forum (for example an img tag referencing http://forum.bitcoin.org) and obtain your unencrypted cookie from that request. This is well within the capabilities of some Tor exit node owners.
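The two failure modes argued over in this thread (fitty's point that a session cookie set without the Secure attribute is sent in the clear whenever the browser makes a plain-http request, and makomk's point that an injected `<img src="http://...">` is enough to trigger such a request even for someone who only ever types the https address) come down to how browsers treat cookie attributes and transport-upgrade policy. The following is an added example, not code from the thread or from the forum software: it models those browser rules and audits a response the way a defender would. The host `forum.example`, the cookie name `session` and all header values are constructed for the example; the Secure and HttpOnly cookie attributes and the Strict-Transport-Security header are real browser mechanisms (HSTS post-dates this 2011 thread, and is the standard way to "force https" as fitty asks for).

```python
"""Audit whether a site's login cookie would be revealed by a plain-http request.

Constructed example: the host name, cookie name and header values below are
made up and do not describe the real forum or its software.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Flag attributes such as Secure and HttpOnly get an empty-string value;
    attribute names are lower-cased because browsers match them case-insensitively.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_jar(set_cookie_headers):
    """Build the browser's jar ({name: attributes}) from an https login response."""
    jar = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        jar[name] = dict(attrs, value=value)
    return jar


def cookies_attached(jar, url):
    """Names of jar cookies a browser attaches to a request for `url`.

    This is the rule at the centre of the thread: a cookie carrying the Secure
    attribute is only sent over https://, while one without it is also sent on
    http://, so an injected <img src="http://host/..."> makes the browser
    reveal the login cookie to anyone watching the unencrypted request.
    """
    scheme = urlsplit(url).scheme
    return sorted(name for name, attrs in jar.items()
                  if scheme == "https" or "secure" not in attrs)


def upgrades_to_https(response_headers, url):
    """True if an HSTS policy learned from an earlier https response makes the
    browser rewrite this http:// request to https:// before sending it."""
    if urlsplit(url).scheme != "http":
        return False
    headers = {k.lower(): v for k, v in response_headers.items()}
    return "max-age=" in headers.get("strict-transport-security", "").lower()


def audit(response_headers, set_cookie_headers, injected_url):
    """Return (findings, leaked_cookie_names) for a login response plus the
    http:// URL an attacker-injected element would make the browser fetch."""
    findings = []
    jar = cookie_jar(set_cookie_headers)
    for name, attrs in jar.items():
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: sent in clear over http://")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    if not upgrades_to_https(response_headers, injected_url):
        findings.append("no HSTS policy: browser will not upgrade http:// links to https://")
        leaked = cookies_attached(jar, injected_url)
    else:
        leaked = []  # the request goes out as https://, so nothing is in the clear
    return findings, leaked


# Constructed login responses: the weak one mirrors the setup the thread
# describes, the hardened one sets the cookie flags and an HSTS policy.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_SET_COOKIE = ["session=abc123; Path=/"]
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "Strict-Transport-Security": "max-age=31536000"}
HARDENED_SET_COOKIE = ["session=abc123; Path=/; Secure; HttpOnly"]
# The plain-http fetch an injected <img> tag would trigger (constructed host).
INJECTED_IMG_URL = "http://forum.example/index.php?action=profile"

if __name__ == "__main__":
    for label, hdrs, sc in (("weak", WEAK_HEADERS, WEAK_SET_COOKIE),
                            ("hardened", HARDENED_HEADERS, HARDENED_SET_COOKIE)):
        findings, leaked = audit(hdrs, sc, INJECTED_IMG_URL)
        print(f"[{label}] leaked over http: {leaked or 'none'}")
        for f in findings:
            print(f"  - {f}")
```

Run as a script it reports that the weak configuration leaks `session` on the injected request while the hardened one leaks nothing; note that the Secure attribute alone already stops the leak, and HSTS additionally keeps the "remember me" http:// bookmark case from ever loading an unencrypted page.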