Bitcoin Forum
April 18, 2014, 07:27:03 PM *
Author Topic: MtGox uses StartSSL which has been compromised. (Updated : Not a problem)  (Read 1376 times)
Isosceles
Member
Activity: 71
June 26, 2011, 03:47:51 AM
 #1

MtGox's https certificate provider StartSSL have been compromised
http://news.netcraft.com/archives/2011/06/22/startssl-suspends-services-after-security-breach.html

I'm not an internet security expert, is this cause for concern? What types of attack does that open MtGox to?

Your Bitcoin Economy needs YOU!  Tip here : 12hFuVrSpLaPeTxwGUoPXoTDuhFnDhxRu3
casascius
Mike Caldwell
VIP
Hero Member
Activity: 1204
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
June 26, 2011, 04:21:15 AM
 #2

Probably not a concern.

If StartSSL's intermediate certificates get revoked due to being stolen, browsers may throw up warnings upon connecting to MtGox.  As soon as MtGox installed a new cert from elsewhere, all would be well.

MtGox is using a regular non-EV (extended validation) certificate.  Organizations like banks who run a high risk of spoofed websites or man-in-the-middle attacks often get EV certs which turn the address bar green or similar. These provide a higher level of assurance against such attacks. So long as MtGox uses a regular cert, the fact that it comes from a provider that gets hacked means not much different than a regular cert from a provider that wasn't hacked.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
elggawf
Sr. Member
Activity: 308
June 26, 2011, 04:28:14 AM
 #3

If you can believe StartSSL's press release, this time around the attackers didn't actually successfully make off with anything (as opposed to the Comodo hack, where they did make off with fake certificates that took time to blacklist).

So it probably doesn't mean anything at this point.

Edit: and yes, theymos is correct - a site doesn't have to be using $CA for $CA getting hacked to put their security at risk, a user's browser merely has to trust $CA.

^_^
theymos
Administrator
Hero Member
Activity: 1540
June 26, 2011, 04:36:54 AM
 #4

HTTPS prevents someone who is sitting between you and the destination on the network from reading or modifying your transmissions. For example, it prevents your ISP from seeing your MtGox password. Usually, anyone between you and the destination is pretty trustworthy, but this is not the case if you live in a non-free country or if you are using a free proxy like Tor.

This compromise means that all HTTPS connections are suspect until things are sorted out. Even sites that don't use StartSSL can have their HTTPS broken. Even if MtGox was using Verisign, they would be affected equally.

I recommend installing the Certificate Patrol and Perspectives extensions for Firefox:
http://patrol.psyced.org/
http://www.networknotary.org/firefox.html

Certificate Patrol warns you whenever a site's certificate changes. This will happen when an attacker tries to exploit a compromised certificate authority like StartSSL. It also happens occasionally for other reasons.

Perspectives asks several notary servers for information about certificates. If the notaries see a different certificate than you do, then there is probably an attack going on. In the settings, use these options:
- Percentage of notaries...: 100
- Days of continuous...: 0
- Contact notaries for all HTTPS sites: yes
- Allow Perspectives to automatically...: no (unless you want to allow Perspectives to stand in for a CA when a site is using a self-signed certificate)

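To make concrete what the two extensions above actually check, here is an added Python example (not part of this thread, and not code from either extension) that models the trust-on-first-use store Certificate Patrol keeps per host and the notary quorum Perspectives evaluates. The certificate bytes and the notary observations are constructed inline, and the observation format and day counting are assumptions; the two settings quoted in the post (100 percent of notaries, 0 days of continuous observation) map directly onto the quorum_pct and quorum_days parameters.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (assumption: real code would
# take the bytes handed back by the TLS layer after the handshake).
CERT_A = b"constructed-cert-A: CN=mtgox.com, issued by StartCom"
CERT_B = b"constructed-cert-B: CN=mtgox.com, issued by some other trusted CA"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, the value both tools compare."""
    return hashlib.sha256(cert_der).hexdigest()


class CertPatrol:
    """Trust-on-first-use store, the idea behind Certificate Patrol: remember the
    fingerprint first seen for a host and report whenever a later visit differs.
    A change is the signal to look closer; it is not proof of an attack."""

    def __init__(self):
        self.pinned = {}  # host -> fingerprint

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        previous = self.pinned.get(host)
        if previous is None:
            self.pinned[host] = fp
            return "first-seen"
        return "unchanged" if previous == fp else "changed"

    def accept(self, host: str, cert_der: bytes) -> None:
        """Called when the user decides a change was a legitimate rotation."""
        self.pinned[host] = fingerprint(cert_der)


@dataclass
class Observation:
    fingerprint: str
    first_seen_day: int  # day number on which a notary first saw this key
    last_seen_day: int   # most recent day on which it saw it


def perspectives_verdict(browser_fp, reports, today, quorum_pct=100, quorum_days=0):
    """Perspectives-style quorum check (assumed data model).

    reports maps notary name -> list of Observation for the host, or None when the
    notary did not answer. A notary agrees when it currently sees the same key the
    browser does and has seen that key continuously for at least quorum_days.
    With quorum_pct=100 every responding notary must agree; with quorum_days=0 a
    key rotated today is accepted as long as the notaries see it too.
    """
    responding = [obs for obs in reports.values() if obs is not None]
    if not responding:
        return "no-data"
    agreeing = 0
    for observations in responding:
        for o in observations:
            current = o.last_seen_day == today
            long_enough = today - o.first_seen_day >= quorum_days
            if o.fingerprint == browser_fp and current and long_enough:
                agreeing += 1
                break
    if 100 * agreeing / len(responding) >= quorum_pct:
        return "consistent"
    return "inconsistent"


def demo():
    """Three notaries all see cert A; the browser sees A, then B."""
    fp_a, fp_b = fingerprint(CERT_A), fingerprint(CERT_B)
    today = 100
    reports = {
        "notary-1": [Observation(fp_a, 30, today)],
        "notary-2": [Observation(fp_a, 30, today)],
        "notary-3": [Observation(fp_a, 30, today)],
    }
    ok = perspectives_verdict(fp_a, reports, today)   # what the notaries see
    bad = perspectives_verdict(fp_b, reports, today)  # only the local path sees B
    patrol = CertPatrol()
    first = patrol.check("mtgox.com", CERT_A)
    same = patrol.check("mtgox.com", CERT_A)
    changed = patrol.check("mtgox.com", CERT_B)
    return ok, bad, first, same, changed


if __name__ == "__main__":
    print(demo())
```

The "inconsistent" verdict is the case the post describes: a certificate that chains to a trusted CA but is presented only on your path and not to the notaries' vantage points. Lowering quorum_pct below 100 tolerates a notary that is stale or itself misdirected, at the cost of missing an attacker who can also reach some notaries.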
Isosceles
Member
Activity: 71
June 26, 2011, 01:26:28 PM
 #5

Thanks!

Your Bitcoin Economy needs YOU!  Tip here : 12hFuVrSpLaPeTxwGUoPXoTDuhFnDhxRu3
casascius
Mike Caldwell
VIP
Hero Member
Activity: 1204
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
June 26, 2011, 04:10:29 PM
 #6

Quote from: elggawf on June 26, 2011, 04:28:14 AM
Edit: and yes, theymos is correct - a site doesn't have to be using $CA for $CA getting hacked to put their security at risk, a user's browser merely has to trust $CA.

According to the EFF, at a talk they gave at one of the last two defcons, the state of the current list of trusted CAs for non-EV SSL is pretty much a joke, and law enforcement routinely gets valid SSL certs issued to perform MITM attacks on suspects. The talk was titled something like "observations of the SSLiverse" and can probably be googled. In other words, the risk was always there to begin with.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.