Bitcoin Forum

Economy => Marketplace => Topic started by: asdf on April 28, 2011, 10:29:56 AM



Title: anyone publishing bitcoin address on a web site. use ssl!
Post by: asdf on April 28, 2011, 10:29:56 AM
I've noticed some web sites are publishing addresses on their sites for donations, etc. over unencrypted connections. I thought I'd point out, to anyone who doesn't realise it, that you are vulnerable to man in the middle attacks.

Any MITM can rewrite your address to theirs and receive all your payments! Especially tor exit nodes, which are known to engage in this behavior.

Any payment related pages should be treated the same as a credit card payment gateway, in security terms. That means use SSL!


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: fetokun on April 28, 2011, 02:20:00 PM
is this kind of attack really that easy?


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: AaronM on April 28, 2011, 11:36:38 PM
Yes, SSL is very important for Tor users.  Tor exit nodes have been caught doing shenanigans like stealing webmail passwords, and this is no more difficult for a malicious exit node.


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: RodeoX on April 28, 2011, 11:55:11 PM
I can envision all sorts of deceptions being applied to get people to send money to the wrong address. Variations of the things scammers use now. "Donate to the red cross to help flood victims: f6UG92n8k..."

It's sad we think so much about all this security stuff. :-\


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: SgtSpike on April 29, 2011, 12:03:06 AM
AaronM and RodeoX are already breaking that rule...


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: RodeoX on April 29, 2011, 12:26:59 AM
AaronM and RodeoX are already breaking that rule...
huh ???
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: bitlotto on April 29, 2011, 01:56:26 AM
Know of any free hosts that have ssl for logging in and having my website in?


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: SgtSpike on April 30, 2011, 12:23:55 AM
AaronM and RodeoX are already breaking that rule...
huh ???
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described.  Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: bitlotto on April 30, 2011, 12:45:42 AM
AaronM and RodeoX are already breaking that rule...
huh ???
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described.  Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

Just browse the forum using https. So according to me they didn't break the rule!  ;)


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: casascius on April 30, 2011, 12:48:38 AM

Just browse the forum using https. So according to me they didn't break the rule!  ;)

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: bitlotto on April 30, 2011, 01:09:07 AM

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using TOR, what would be safer? using plain http and risking a MITM attack or risking one from the forum?


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: TiagoTiago on April 30, 2011, 02:01:45 AM
With plain http you got both risks, with ssl only the forum one


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: SgtSpike on April 30, 2011, 03:02:59 AM

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using TOR, what would be safer? using plain http and risking a MITM attack or risking one from the forum?
Your website is failing at life...

"Oops! Google Chrome could not find bitlotto.com"


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: bitlotto on April 30, 2011, 03:10:51 AM

"Oops! Google Chrome could not find bitlotto.com"
Thanks. I shouldn't have touched those DNS settings...dang it. It will come back, I promise! At least I didn't do it on draw date!! :o


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: SgtSpike on April 30, 2011, 03:51:21 AM

"Oops! Google Chrome could not find bitlotto.com"
Thanks. I shouldn't have touched those DNS settings...dang it. It will come back, I promise! At least I didn't do it on draw date!! :o
:P

At least you're not taking the money and running!


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: theymos on April 30, 2011, 04:36:54 AM
But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

A MITM attack is only easy the first time you access bitcoin.org with HTTPS. After that, your browser will warn you about changes in the cert.
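
The trust-on-first-use behaviour discussed in the two posts above, as an added example that is not part of the original thread: a self-signed certificate is pinned by fingerprint on first contact and later connections are compared against the pin. The host name `forum.example` and the certificate byte strings are constructed placeholders; `fetch_der` shows how real DER bytes would be obtained and is not called here.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a server certificate without CA validation (self-signed case)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Compare the presented certificate with the pinned fingerprint.

    "first-use": nothing pinned yet, so the certificate is accepted blindly.
    "match":     same certificate as on first contact.
    "changed":   different certificate; the pin is NOT overwritten.
    """
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "first-use"
    return "match" if pinned == seen else "changed"


def run_sequence(certs: list) -> list:
    """Replay a series of connections to one host against a fresh pin store."""
    store = {}
    return [check_pin(store, "forum.example", der) for der in certs]


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE = b"constructed DER bytes: site's self-signed certificate"
OTHER = b"constructed DER bytes: certificate substituted in transit"

# Clean first visit: a later substitution is flagged, the pin survives it.
clean_first_visit = run_sequence([GENUINE, GENUINE, OTHER, GENUINE])

# Substituted certificate on the first visit: it gets pinned silently, and
# the genuine certificate is what later triggers the warning.
tampered_first_visit = run_sequence([OTHER, GENUINE])
```

The "first-use" result carries no assurance on its own; comparing the fingerprint with one obtained over a separate channel is what closes that window.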


Title: Re: anyone publishing bitcoin address on a web site. use ssl!
Post by: RodeoX on May 02, 2011, 02:28:35 PM
AaronM and RodeoX are already breaking that rule...
huh ???
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described.  Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

I was thinking that my login password here provides some protection. But you're right, MITM attack would work and admins here might switch addresses. As a security check, try sending me 100BTC and I'll post here if I receive it.  ;D