harmen (OP)
Newbie
Offline
Activity: 1
Merit: 0
June 20, 2011, 11:37:11 AM
MTGox security was flawed: the API instructions were sent using cleartext passwords in the URL. With such security sense it was a matter of time. Some unusual tips for creating very strong and very easy to remember passwords from grc.com: https://www.grc.com/%5Chaystack.htm
It is not about randomness, it is about length and potential complexity. Cheers!
adamncsu
Newbie
Offline
Activity: 6
Merit: 0
June 20, 2011, 01:48:43 PM
Thanks. There can never be too many posts about password security. So many people are under-educated in the subject.
ribuck
Donator
Hero Member
Offline
Activity: 826
Merit: 1039
June 20, 2011, 03:26:18 PM
Quote from: harmen
...the API instructions were sent using cleartext passwords in the URL...
Over https.
dan_a
Newbie
Offline
Activity: 48
Merit: 0
June 20, 2011, 03:39:22 PM
That attack will only work if you have control of a network between MTGOX and their customers.
vampire
June 20, 2011, 04:07:03 PM
Mt. Gox looked like an amateur site; for some reason I question why an auditor should get a copy of their database.
EyeRis
Member
Offline
Activity: 70
Merit: 10
June 20, 2011, 04:14:36 PM
Quote from: harmen
...the API instructions were sent using cleartext passwords in the URL...
Quote from: ribuck
Over https.
So that means the data is encrypted; the URL is not.
dan_a
Newbie
Offline
Activity: 48
Merit: 0
June 20, 2011, 04:20:36 PM
There's been a big jump in interest in bitcoin in a very short time - it's not surprising that some sites would go up and down as they sort out an appropriate level of hosting.
Xenland
Legendary
Offline
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
June 20, 2011, 05:41:57 PM
Quote:
This attack does not apply as long as you browse completely over HTTPS. So just bookmark the https://www.mtgox.com/ url, use only that bookmark, and you'll be fine.
Quote from: EyeRis
So that means the data is encrypted; the URL is not.
Quote:
HTTPS encrypts also the URL and other request details.
I agree. To my understanding, HTTPS sends a signal that we are doing a secure connection (with no data besides IP) and then, after the keys have been exchanged, it will proceed to send the necessary data after a secure connection has been established.
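The thread argues over whether HTTPS covers the URL: TLS does encrypt the path and query string on the wire, but the server's own access log (as well as browser history and Referer headers) still records the full request line, so a password passed as a query parameter is stored in cleartext wherever requests are logged. The following is an added example, not code from this thread or from Mt. Gox, that scans Common Log Format access-log lines for credentials in the query string and redacts them; the parameter-name list, the paths and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that usually carry credentials (assumed list; extend it for your own API).
SENSITIVE_PARAMS = {"password", "pass", "passwd", "pwd", "secret", "api_key", "apikey", "token"}

# Request line inside a Common/Combined Log Format entry: "METHOD /path?query HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (redacted_target, leaked_param_names); sensitive values become REDACTED."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))  # parameter order is preserved
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scan_access_log(lines):
    """Return [(line_number, leaked_param_names, redacted_line)] for lines that leaked a credential."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a request line we understand; leave it alone
        redacted, leaked = redact_target(m.group("target"))
        if leaked:
            clean_line = line[: m.start("target")] + redacted + line[m.end("target"):]
            findings.append((lineno, leaked, clean_line))
    return findings


# Constructed sample access log: addresses, paths and values are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jun/2011:11:37:11 +0000] "GET /api/getFunds?name=alice&pass=s3cret HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Jun/2011:11:37:12 +0000] "GET /api/ticker HTTP/1.1" 200 128',
    '198.51.100.9 - - [20/Jun/2011:11:38:02 +0000] "POST /api/sellBTC HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for lineno, leaked, clean_line in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: credential in query string ({', '.join(leaked)})")
        print("  redacted:", clean_line)
```

Running the same scan over real logs shows how far a URL-embedded credential travels even when every request was served over HTTPS; sending it in a POST body or an Authorization header keeps it out of the request line.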