Wolf0 (OP)
Member
Offline
Activity: 81
Merit: 1002
It was only the wind.
|
|
June 16, 2013, 03:55:44 AM Last edit: October 16, 2018, 03:20:18 AM by Wolf0 |
|
NaN.
|
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 16, 2013, 02:35:16 PM |
|
dynamic or offsite avatars are not allowed because they are not guaranteed to be SSL.
|
|
|
|
BadBear
v2.0
Legendary
Offline
Activity: 1652
Merit: 1128
|
|
June 16, 2013, 05:54:09 PM |
|
So upload it.
|
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
|
|
June 16, 2013, 07:25:32 PM |
|
So upload it.
I think the problem here is that he wants a PHP-generated (from his hashrate I suppose) picture as his avatar
|
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 16, 2013, 07:53:07 PM |
|
dynamic or offsite avatars are not allowed because they are not guaranteed to be SSL.
So? SO THAT'S THE REASON WHY YOU CAN'T USE IT.
|
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 16, 2013, 10:45:01 PM |
|
WHO CARES IF IT'S NOT SSL? As a matter of fact, you CAN'T use https links in there, IIRC.
non https links =/= non https images. Images are loaded by default by browsers. If all the page's content is not loaded via https, it is possible for an attacker to eavesdrop or modify the page. for more info, see: https://bitcointalk.org/index.php?topic=69891.0
|
|
|
|
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
June 17, 2013, 12:10:34 AM |
|
I'm pretty sure a hostile image cannot inject JS to the page (for modern browsers of course). However, if you already know my IP, you can know when I read a post / etc.
Just buy a security certificate for your domain, that costs $9 and takes literally 10 minutes before you get a cert in email.
Proxy the image.
Total time taken:
15 minutes Cost: $9
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13407
|
|
June 17, 2013, 03:08:50 AM |
|
Having http images (or https images with invalid certificates) on an https site results in warnings on a lot of browsers. I allow it with [img] tags because they're more rare. Some day I'd like to have something like: [fetch]http://mining.com/my_stats.txt[/fetch] which would cause the forum to periodically fetch the textual data from the given URL and insert it into the post. This is a very low priority, though.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 17, 2013, 02:39:12 PM |
|
So, you're saying it's intentionally broken because some users might get warnings?
It's not "some" users, it's most browsers. And it's not "intentionally broken", it's a feature to prevent warnings and preserve https integrity. If there is insecure content on a page... on chromium based browsers, the lock symbol in the address bar will have a red strikeout on firefox, there won't be a lock symbol on internet explorer, the user will be asked whether to load the insecure content safari, opera probably has similar warnings
|
|
|
|
crumbs
|
|
June 17, 2013, 04:41:11 PM |
|
But wait, don't we post pics from plain http sites like postimg.org? [test for this board:] and here's php-generated content from another site (reload page for new pic): Edit: nevermind, i see the browser warning.
|
|
|
|
tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
|
|
June 18, 2013, 01:12:22 PM |
|
So, you're saying it's intentionally broken because some users might get warnings?
It's not "some" users, it's most browsers. And it's not "intentionally broken", it's a feature to prevent warnings and preserve https integrity. If there is insecure content on a page... on chromium based browsers, the lock symbol in the address bar will have a red strikeout on firefox, there won't be a lock symbol on internet explorer, the user will be asked whether to load the insecure content safari, opera probably has similar warnings Okay, again, who cares? If you have a MITM on your connection, he can modify an image. Oh, noes! You know what he can also do? He can proxy your connection, and connect using HTTPS to the site where you want to go, then send you HTTP data. No browsers will warn, it just won't show that the site is HTTPS, and most users won't notice. Why does it matter so much?
|
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
|
|
June 18, 2013, 04:52:10 PM |
|
I think the amount of madness in this thread is nowhere related to the issue significance
|
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 18, 2013, 08:25:51 PM |
|
Okay, again, who cares? If you have a MITM on your connection, he can modify an image. Oh, noes! You know what he can also do? He can proxy your connection, and connect using HTTPS to the site where you want to go, then send you HTTP data. No browsers will warn, it just won't show that the site is HTTPS, and most users won't notice.
You clearly do not understand how https works. Since the page is loaded with https, all references to external resources will be secured against tampering. An attacker won't be able to modify the image link to a "proxy". The best he can do is intercept the request, but since he doesn't have the certificate, the browser will show a warning.
|
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 19, 2013, 02:34:17 PM |
|
You clearly have no idea what you are talking about, because I've done it before. An attacker can strip out HTTPS. You should have checked out Moxie Marlinspike's SSLStrip before making yourself look like an idiot.
You clearly have no idea what you're talking about. A quick search of "SSLStrip" on google reveals: It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. Too bad bitcointalk's traffic is in https. Next time, actually read your references so you don't end up looking like a dumbass.
|
|
|
|
grue
Legendary
Offline
Activity: 2058
Merit: 1452
|
|
June 19, 2013, 07:57:28 PM |
|
I've actually USED SSLStrip before. Had you watched the demonstration, you would have noticed that SSLStrip does just what its name implies, that is, feed the victim HTTP data while connecting to the victim's intended destination using HTTPS to get the data. It works on PayPal, which is why they started fucking with Marlinspike.
How dense are you? Did you even read my argument? Bitcointalk's traffic is in https. HTTPS traffic can not be tampered with in transit, nor can it be downgraded. SSLStrip only intercepts http pages, and replaces any https references. The only attack you can do is intercepting a http bitcointalk request and preventing https upgrade. You can intercept any embedded http image requests, but the tampering will be limited to the image. Your claim of using SSLStrip are red herrings, so is your claim of being able to hack paypal because they do not refute my central point (SSLstrip is limited to http traffic). If you read the fucking documentation for sslstrip instead of glancing over the name, you would know that.
|
|
|
|
|