SSL implementation is not a simple process. Getting a signed certificate, implementing security across the site and filtering for non-essential services such as the LuckyBit Community Hub are not a quick-switch option. These things take time and money that aren't justified by a "potential" threat that hasn't been realized and can be easily avoided by customers. Most of our players don't even depend on the site to provide the addresses; the information is available elsewhere and the majority of wallets also provide address-book services that would make this attack ineffective.
tl;dr: not worth the effort for an attacker, not worth the effort for us
For a website which claims to have more than 94000 BTC wagered, I don't think an argument like "not worth the effort for us" sounds plausible. You just don't want, admit it.
Claiming the information is available in other parts isn't a valid excuse too. Is there some place in the website saying this? No? And what about new users?
Man in the middle attack isn't a problem for luckybit because:
1.- MITM is a LAN attack. That mean the only users who will be affected are those who are on the local area network of the attacker. Users access point is users responsability, if you are on a not secure network better don't use bitcoin, because if you are under MITM attack, the hacker will not change the betting addys, he will get your blockchain.info wallet access information.
It depends on the wallet. blockchain.info uses an HTTPS conection, so it's unlikely to be affected. Even if you're affected, the HTTPS conection will be gone and the lock in address box of the browser won't appear.
About the LAN attack, well, you can take care about your network, but when this goes to your ISP, international routes and so, you lose the control of what goes on.
2.- MITM can be detected by users with tools like wireshark. But is responsability of the user to verify if the network is secure.
Do you really expect average people to use wireshark in order to detect if there's a MITM happening?
It's much more simple having an HTTPS website. If it isn't encrypted, there will be lock on the browser. If it presents an invalid certificate, you'll receive an alert.
3.- MITM have a tool called sslstrip to bypass the SSL connection, so, change the site to SSL will fix nothing about the attack.
sslstrip turns HTTPS traffic in HTTP. But to be effective, the user needs to go further and ignore the lack of HTTPS. Aside of this, there are tools and settings to avoid these types of downgrading, like HSTS.
Make a man in the middle to change luckybit addys, is one of the worst things you can do with this attack. Because if the users don't see the bets rolling they will ask to support what happen?, then we will ask for the TX ID, and in that moment we will see the fake addy. How much the hacker get? 0.005? 0.01?... not really a big lost. So, that attack is just a waste of time if some one is thinking about use it that way.
I want to make emphasis on the point of; This has never happened to luckybit and isn't something to worry about.
Well, a more sophisticated attack can try to replace the entire game too.
And again, the "this never happened" isn't a good reason. You need to consider the possibilities and risks, not the "it never happened".
But it seems you think it's more simple to deal with an eventual problem than fixing the origin of it. OK, it's your choice. A bad choice, I think, but, well...
Show Posts
To querendo virar JR também pra ganhar uns satoshinhos 
