asdf (OP)

April 28, 2011, 10:29:56 AM

I've noticed some web sites are publishing addresses on their sites for donations, etc. over unencrypted connections. I thought I'd point out, to anyone who doesn't realise it, that you are vulnerable to man-in-the-middle attacks.
Any MITM can rewrite your address to theirs and receive all your payments! Especially Tor exit nodes, which are known to engage in this behavior.
Any payment-related pages should be treated the same as a credit card payment gateway, in security terms. That means use SSL!

fetokun
Full Member
Offline
Activity: 210
Merit: 100
Presale is live!

April 28, 2011, 02:20:00 PM

Is this kind of attack really that easy?

AaronM

April 28, 2011, 11:36:38 PM

Yes, SSL is very important for Tor users. Tor exit nodes have been caught doing shenanigans like stealing webmail passwords, and this is no more difficult for a malicious exit node.

Spare some BTC for a biology student? 1DZcEUEo9rX7LQWcYzVR6Btqj2sMqRznbB

RodeoX
Legendary
Offline
Activity: 3066
Merit: 1147
The revolution will be monetized!

April 28, 2011, 11:55:11 PM

I can envision all sorts of deceptions being applied to get people to send money to the wrong address. Variations of the things scammers use now. "Donate to the Red Cross to help flood victims: f6UG92n8k..." It's sad we think so much about all this security stuff.

SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005

April 29, 2011, 12:03:06 AM

AaronM and RodeoX are already breaking that rule...

RodeoX
Legendary
Offline
Activity: 3066
Merit: 1147
The revolution will be monetized!

April 29, 2011, 12:26:59 AM

> AaronM and RodeoX are already breaking that rule...

Huh? Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".

bitlotto

April 29, 2011, 01:56:26 AM

Know of any free hosts that have SSL for logging in and having my website in?

*Next Draw Feb 1* BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR TOR2WEB Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.

SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005

April 30, 2011, 12:23:55 AM

> > AaronM and RodeoX are already breaking that rule...
>
> Huh? Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".

But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described. Not likely, but hey, you never know... Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

bitlotto

April 30, 2011, 12:45:42 AM

> > > AaronM and RodeoX are already breaking that rule...
> >
> > Huh? Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
>
> But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described. Not likely, but hey, you never know... Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

Just browse the forum using HTTPS. So according to me they didn't break the rule!

casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)

April 30, 2011, 12:48:38 AM

> Just browse the forum using HTTPS. So according to me they didn't break the rule!

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

bitlotto

April 30, 2011, 01:09:07 AM

> But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using Tor, what would be safer? Using plain HTTP and risking a MITM attack, or risking one from the forum?

TiagoTiago

April 30, 2011, 02:01:45 AM

With plain HTTP you've got both risks; with SSL only the forum one.

(I don't always get new reply notifications, pls send a PM when you think it has happened) Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005

April 30, 2011, 03:02:59 AM

> > But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.
>
> If I'm using Tor, what would be safer? Using plain HTTP and risking a MITM attack, or risking one from the forum?

Your website is failing at life... "Oops! Google Chrome could not find bitlotto.com"

bitlotto

April 30, 2011, 03:10:51 AM

> "Oops! Google Chrome could not find bitlotto.com"

Thanks. I shouldn't have touched those DNS settings... dang it. It will come back, I promise! At least I didn't do it on draw date!!

SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005

April 30, 2011, 03:51:21 AM

> > "Oops! Google Chrome could not find bitlotto.com"
>
> Thanks. I shouldn't have touched those DNS settings... dang it. It will come back, I promise! At least I didn't do it on draw date!!

At least you're not taking the money and running!

theymos
Administrator
Legendary
Offline
Activity: 5348
Merit: 13315

April 30, 2011, 04:36:54 AM

> But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

A MITM attack is only easy the first time you access bitcoin.org with HTTPS. After that, your browser will warn you about changes in the cert.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
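The two defensive points in this thread (the OP's "put payment pages behind SSL" and theymos's "a cert swap is only invisible the first time") both come down to the same mechanism: once a client remembers the server's certificate fingerprint, any later substitution is detectable. The script below is an added example written for this page; it is not code from the thread, from the forum software, or from any of the posters. It implements trust-on-first-use (TOFU) pinning: record the SHA-256 fingerprint of the certificate on the first HTTPS visit, then report `match` or `MISMATCH` on every later visit. The host name `forum.example`, the file name `pins.json` and the certificate bytes in `simulate_visits()` are constructed stand-ins, not real values from the page.

```python
"""Trust-on-first-use (TOFU) fingerprint check for a server certificate.

Added example, not code from the thread or from the forum software. With a
self-signed certificate the CA check cannot help, so continuity of the
fingerprint across visits is the only signal a client has: a swap can only
go unnoticed before the pin is recorded.
"""
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as upper-case, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate presented by host:port.

    CA verification is switched off because the self-signed case is exactly the
    one where the CA check cannot pass. For a CA-signed site keep the default
    verifying context and treat the pin as an additional check, not a substitute.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Host -> fingerprint mapping; persisted as JSON, or in memory if path is None."""

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = Path(path) if path else None
        self.pins: Dict[str, str] = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, fp: str) -> str:
        """'first-use' records the pin (the only moment a swap is invisible);
        'match' is the normal case; 'MISMATCH' means the certificate changed
        since the pin was recorded and the connection must not be trusted."""
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "first-use"
        return "match" if hmac.compare_digest(known, fp) else "MISMATCH"


def simulate_visits() -> List[str]:
    """Offline walkthrough: the certificate bytes are constructed stand-ins,
    not real DER, so this runs without network access."""
    store = PinStore()  # in-memory store: nothing is written to disk
    site_cert = b"constructed stand-in for the forum's self-signed certificate"
    swapped_cert = b"constructed stand-in for a substituted certificate"
    host = "forum.example"  # hypothetical host name
    return [
        store.check(host, fingerprint(site_cert)),     # first visit: pin recorded
        store.check(host, fingerprint(site_cert)),     # same cert again: match
        store.check(host, fingerprint(swapped_cert)),  # cert changed: MISMATCH
    ]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python tofu_check.py host [port]
        target = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        seen = fingerprint(fetch_peer_cert(target, target_port))
        print(target, seen, PinStore("pins.json").check(target, seen))
    else:
        print(simulate_visits())
```

Run with no arguments to see the offline sequence `['first-use', 'match', 'MISMATCH']`; run with a host name to pin a live server into `pins.json`. The design choice worth noting is that a `first-use` result is not a verdict: it is the moment theymos describes, so a user who wants to close that window has to obtain the expected fingerprint out of band (for example, published on a page that is itself served over a CA-verified HTTPS connection) and compare it before trusting the pin.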
RodeoX
Legendary
Offline
Activity: 3066
Merit: 1147
The revolution will be monetized!

May 02, 2011, 02:28:35 PM

> > > AaronM and RodeoX are already breaking that rule...
> >
> > Huh? Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
>
> But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described. Not likely, but hey, you never know... Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

I was thinking that my login password here provides some protection. But you're right, a MITM attack would work and admins here might switch addresses. As a security check, try sending me 100BTC and I'll post here if I receive it.