Bitcoin Forum
December 12, 2024, 12:27:07 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [PSA] Bitcoin Gambling SSL Security  (Read 1139 times)
Cudahuda (OP)
Newbie
*
Offline Offline

Activity: 52
Merit: 0



View Profile
April 30, 2015, 10:16:35 PM
 #1

When using any site that involves money, from online shopping, to bitcoin web wallets, to bitcoin gaming, one recurring risk which has been seen is the Man in the Middle Attack (MITM).  This is when an attacker, somewhere between your computer and the website you are accessing, intercepts your connection and impersonates the website you are trying to access.  The MITM attack has been seen on the Tor network, when a malicious exit node will impersonate certain bitcoin sites to try and steal a user's bitcoins when they put their login information into the fake site.  So what is the solution to make sure you are secure?

SSL and HTTPS

SSL is a method of end to end encryption that makes sure the information between your computer and the site you are accessing is unable to be altered in transit.  People using VPN's and the Tor program to access various bitcoin sites are at higher risk due to putting more systems in between your computer and the site you are accessing.  By verifying you are connecting to a domain that begins with https with the lock icon next to it, you can ensure that your connection to the site is not being intercepted.  For further security, you can verify the certificate they are presenting you is a valid certificate.

https://i.imgur.com/DUqDAV8.png?1

Common Bitcoin SSL Certificate Hashes (4/30/2015)

PrimeDice - https://primedice.com

SHA-256 Fingerprint: 98:3A:82:A8:50:19:48:19:32:BD:90:19:D6:8C:3E:00:4C:75:FF:69:65:C7:64:B0:8C:86:D2:76:AA:B5:54:D5
SHA1 Fingerprint: 8A:D6:87:4B:99:B2:E1:31:CD:60:A9:BA:72:EF:92:00:4D:40:94:64

Just-Dice - https://just-dice.com

SHA-256 Fingerprint: 78:9B:E9:39:C8:9B:8F:FA:7A:7B:9F:A2:93:B1:79:B4:EA:F7:DF:9C:42:22:4C:5E:2E:18:39:70:3C:EF:0D:1F
SHA1 Fingerprint: 63:31:BA:A9:E0:B3:E3:2A:35:3B:4B:91:35:BC:7D:AF:CA:19:60:CC

Blockchain.info - https://blockchain.info

SHA-256 Fingerprint: D0:3F:04:0B:D9:85:5F:F0:B3:C9:78:89:2B:31:36:8E:D4:C3:76:AA:D5:26:02:9C:33:42:F2:B7:93:F2:85:E1
SHA1 Fingerprint: 94:10:81:EB:E4:62:B5:BD:7B:03:DE:79:C7:A6:4D:91:30:13:7B:E0
GrantDe
Newbie
*
Offline Offline

Activity: 19
Merit: 0



View Profile
May 01, 2015, 01:39:00 AM
 #2

I've always used the GRC's site to check cert hashes every now and then
https://www.grc.com/fingerprints.htm
jacktheking
Legendary
*
Offline Offline

Activity: 1484
Merit: 1001


Personal Text Space Not For Sale


View Profile
May 01, 2015, 01:44:01 AM
 #3

Noted. Gald that I'm using the HTTPS version of Bitcointalk.org and many other sites.

So sad! This profile does not appear as the #1 result (on anonymous) Google searches anymore.

Time to be active on the crypto forums again? Proud to be one of the few Legendary members of the Sparkie Red Dot!

Gonna put this on my resume if I ever join a cryptocurrency/blockchain industry!
xetsr
Legendary
*
Offline Offline

Activity: 1120
Merit: 1000


View Profile
May 01, 2015, 03:37:03 AM
 #4

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.
twister
Hero Member
*****
Offline Offline

Activity: 672
Merit: 502



View Profile WWW
May 01, 2015, 04:02:44 AM
 #5

This is exactly what I asked on primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen but I was confused about VPN. Thanks for this.

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

If hacker uses a SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.

 

██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
 
Get Free Bitcoin Now!
  ¦¯¦¦¯¦    ¦¯¦¦¯¦    ¦¯¦¦¯¦    ¦¯¦¦¯¦   
0.8%-1% House Edge
[/
dedmax
Member
**
Offline Offline

Activity: 109
Merit: 10


View Profile
May 01, 2015, 10:13:19 AM
 #6

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

Thoughtful, an SSL is never a sure gurantee
An one should take this up in every best possible means. An informative post by the way
LiQuidx
Hero Member
*****
Offline Offline

Activity: 546
Merit: 500



View Profile
May 01, 2015, 11:17:44 AM
 #7

Noted. Gald that I'm using the HTTPS version of Bitcointalk.org and many other sites.

If you are using Chrome you can always use this extension in order to force the https to all the sites: https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp

 

██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
 
Get Free Bitcoin Now!
  ¦¯¦¦¯¦    ¦¯¦¦¯¦    ¦¯¦¦¯¦    ¦¯¦¦¯¦   
0.8%-1% House Edge
[/
Blazr
Hero Member
*****
Offline Offline

Activity: 882
Merit: 1006



View Profile
May 01, 2015, 11:31:28 AM
Last edit: May 01, 2015, 11:56:36 AM by Blazr
 #8

This is exactly what I asked on primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen but I was confused about VPN. Thanks for this.

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

If hacker uses a SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.


If you are not using SSL, the URL will look correct, but there will not be a padlock, and the url will start with http:// rather than https://

If you are using SSL, there will be a padlock and https and your connection is encrypted and you are reasonably safe. Just pay attention to any popups you might get about "expired ceritificates" and such, and also check the fingerprint of the SSL cert for extra safety as OP mentioned.

I would recommend the browser addon HTTPS Everywhere, which will check the fingerprints automatically for you and also force your browser to use SSL on most websites. This will mitigate the risk of this kind of attack significantly without you needing to do anything.

Note that this kind of attack can happen to anyone using the internet, however it is most frequently seen on Tor, VPN's, proxies and public wifi as it is easier for an attacker to get "in-the-middle" of your internet connection. The NSA have used backbone internet routers to execute these attacks, these routers relay vast amount of the internets traffic so they can do this to almost any connection, so this kind of thing can happen to anyone.

bitbaby
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1000



View Profile WWW
May 01, 2015, 12:15:18 PM
 #9

Great bit of information for people using Tor/Vpn and other such services, every little precaution is necessary when it comes to protecting your sensitive information and Bitcoins.

I've always used the GRC's site to check cert hashes every now and then
https://www.grc.com/fingerprints.htm

Didn't know about this, will defo use this to check fingerprints to make sure I am visiting the correct site. Thanks

twister
Hero Member
*****
Offline Offline

Activity: 672
Merit: 502



View Profile WWW
May 01, 2015, 02:11:38 PM
 #10

This is exactly what I asked on primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen but I was confused about VPN. Thanks for this.

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

If hacker uses a SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.


If you are not using SSL, the URL will look correct, but there will not be a padlock, and the url will start with http:// rather than https://

If you are using SSL, there will be a padlock and https and your connection is encrypted and you are reasonably safe. Just pay attention to any popups you might get about "expired ceritificates" and such, and also check the fingerprint of the SSL cert for extra safety as OP mentioned.

I would recommend the browser addon HTTPS Everywhere, which will check the fingerprints automatically for you and also force your browser to use SSL on most websites. This will mitigate the risk of this kind of attack significantly without you needing to do anything.

Note that this kind of attack can happen to anyone using the internet, however it is most frequently seen on Tor, VPN's, proxies and public wifi as it is easier for an attacker to get "in-the-middle" of your internet connection. The NSA have used backbone internet routers to execute these attacks, these routers relay vast amount of the internets traffic so they can do this to almost any connection, so this kind of thing can happen to anyone.

I have that extension installed already. I was just asking that because he said that hackers can imitate SSL as well and most people including me will not check certificates and will think that it is the right site, if it shows https:// and the glowing site name/favicon with the padlock.

 

██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
 
Get Free Bitcoin Now!
  ¦¯¦¦¯¦    ¦¯¦¦¯¦    ¦¯¦¦¯¦    ¦¯¦¦¯¦   
0.8%-1% House Edge
[/
Kprawn
Legendary
*
Offline Offline

Activity: 1904
Merit: 1074


View Profile
May 01, 2015, 04:56:53 PM
 #11

Telling people SSL / RSA is safe, would give them a false sense of security. We have seen how the NSA has exploited SSL and we still believe that it's safe.

Watch this and see if you agree with me ----> https://www.youtube.com/watch?v=CJNxbpbHA-I

Using VPN's are even less safe.  Shocked .... Let's agree on one thing... SSL will not stop expert hackers.  Tongue

THE FIRST DECENTRALIZED & PLAYER-OWNED CASINO
.EARNBET..EARN BITCOIN: DIVIDENDS
FOR-LIFETIME & MUCH MORE.
. BET WITH: BTCETHEOSLTCBCHWAXXRPBNB
.JOIN US: GITLABTWITTERTELEGRAM
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!