Bitcoin Forum
May 21, 2019, 01:53:55 AM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3] 4 »  All
  Print  
Author Topic: Moving to Cloudflare  (Read 2765 times)
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 1778
Merit: 1559


View Profile WWW
December 09, 2017, 06:37:45 AM
 #41

And if the Tor user pays the fee from non-P2PKH addresses (e.g., segwit P2SH addresses or multisig P2SH addresses), the Tor user can't sign the message using those addresses.
Sure they can. They can sign from the private key(s) used to sign the transaction. The public key associated with the private key(s) used to sign a transaction is public information once the transaction is broadcast.

NOTBanned from displaying signatures until May 20, 2022, 11:26:45 PM
Don’t Plagiarize, it’s dishonest and you *will* get caught
1558403635
Hero Member
*
Offline Offline

Posts: 1558403635

View Profile Personal Message (Offline)

Ignore
1558403635
Reply with quote  #2

1558403635
Report to moderator
It is a common myth that Bitcoin is ruled by a majority of miners. This is not true. Bitcoin miners "vote" on the ordering of transactions, but that's all they do. They can't vote to change the network rules.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1558403635
Hero Member
*
Offline Offline

Posts: 1558403635

View Profile Personal Message (Offline)

Ignore
1558403635
Reply with quote  #2

1558403635
Report to moderator
nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 09, 2017, 07:26:21 AM
 #42


The Tor user may pay the fee from a bitcoin exchange account. As far as I'm aware, exchanges do not offer their customers the option of signing messages.


The average fee users pay is below most exchanges minimum withdrawal allowed.

Single data point:  This applies to me.  I don’t wish to discuss details publicly.  I did overpay.

Any users who couldn't sign messages from an address could be given an option to associate another address with their account.

Well, then why bother with the large (and futile) effort of trying to associate a payment-from address?  Delegating trust to a public key (Bitcoin or otherwise) is an ordinary key management issue; and it’s orthogonal to the anti-abuse payment mechanism.

And if the Tor user pays the fee from non-P2PKH addresses (e.g., segwit P2SH addresses or multisig P2SH addresses), the Tor user can't sign the message using those addresses.
Sure they can. They can sign from the private key(s) used to sign the transaction. The public key associated with the private key(s) used to sign a transaction is public information once the transaction is broadcast.

https://github.com/bitcoin/bitcoin/issues/10542 (only discusses Segwit P2WPKH-in-P2SH; generalizing a signature scheme for P2SH would be a non sequitur.)

I recently made this mistake, much to my embarrassment.



Anyway, this whole discussion is on the wrong thread.  The login CAPTCHA issue is distinct from the Cloudflare issue.  theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29.  The login CAPTCHA is not from Cloudflare.

ImHash
Hero Member
*****
Offline Offline

Activity: 812
Merit: 505


WPP ENERGY - BACKED ASSET GREEN ENERGY TOKEN


View Profile
December 09, 2017, 08:58:18 AM
 #43

No matter using cloudflare or something else, NSA already had access to forum's servers, Since they are in USA.

﹏﹏﹋﹌﹌ WPP ENERGY ﹌﹌﹋﹏﹏
≈ WORLD POWER PRODUCTION ≈

████████████
██████████████████████
██████████████████████████████
██████████████████████████████████
████████████████████████████████████████
██████████████████████████████████████████
██████████████████████████████████████████████
███████████████████████████████████████████████
██████████████████████████████████████████████████
████████████████████████████████████████████████████
█████████████████████████████████████████████████████
████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████
███████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████
███████████████████████████████████████████████████████
██████████████████████████████████████████████████████
████████████████████████████████████████████████████
██████████████████████████████████████████████████
████████████████████████████████████████████████
██████████████████████████████████████████████
██████████████████████████████████████████
████████████████████████████████████████
██████████████████████████████████
██████████████████████████████
██████████████████████
████████████
nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 09, 2017, 09:12:40 AM
 #44

No matter using cloudflare or something else, NSA already had access to forum's servers, Since they are in USA.

Why would they bother trying the back door, when sites (and browsers) grant them front-door access?

Cloudflare is a global active adversary which MITMs every connection by design, as theymos wisely noted.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS [...]

I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies. [...]

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.

Md.Esamul Haque
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
December 09, 2017, 09:15:38 AM
 #45

I think there might be numerous individuals like me who don't generally mind if their posts or messages are perused. On the off chance that I have to make some secret courses of action with some individual, at that point I would do this far from the discussion. My essential concern is the security of my posting. You may not concur with my assessments and thoughts, but rather at any rate they are mine, and I don't need anyone putting on a show to be me to post other data, or to execute any extortion. Anything that diminishes spam and pernicious assaults is great as I would like to think.
ChipMixer
Sr. Member
****
Offline Offline

Activity: 341
Merit: 251


ChipMixer.com | ChipMixerwzxtzbw.onion


View Profile WWW
December 09, 2017, 01:31:13 PM
 #46

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

subSTRATA
Legendary
*
Offline Offline

Activity: 1148
Merit: 1033


:^)


View Profile
December 10, 2017, 09:13:17 PM
 #47

Well how about asking tor users to sign a message from the bitcoin address they registered with instead?

Each time they log in they could be given a unique code and asked to sign a message containing it. That wouldn't cost them anything, and signing a message would be faster than going through endless cloudflare captchas.

 registering for a forum account doesn't require a Bitcoin address, only an email address.

Anyone registering through tor has to pay a small bitcoin fee, so all those users have bitcoin addresses associated with their accounts.
that's only if the exit node ip has points of evil associated with it though, i could imagine some new nodes might not have any points linked to them.

There's nothing here. message me if you wish to put an ad here.
nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 10, 2017, 09:27:42 PM
Merited by qwk (1), LoyceV (1)
 #48

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

THIS.  Thank you.  A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet.  Connections to .onion have no access to a full network stack—only to streams through Tor’s circuit protocol, a custom stream transport layer.  No TCP handshake tricks, no amplified UDP floods to clog the pipes, etc.  I suppose theymos’ “homebrew” anti-DDoS had already stopped those.  But also, the capacity limitations and cell queuing mechanisms of the Tor network and its nodes provide some upper bounds on any type of DDoS which uses high bandwidth.  That leaves (1) specialized attacks against the Tor onion proxy, (2) DDoS against introduction points, and (3) any relatively moderate-/low-bandwidth application-layer attacks.  (“Relatively” compared to DDoS which uses tens or hundreds of gigabits per second.)

For (1), lock down that onion proxy tight and isolate it from the web backend—which you should do anyway.  At least it can’t take down the site itself, or affect reachability from clearnet.  Better still, use onionbalance with multiple onion proxies; that gives load-balancing and failover, and also permits isolating v2 .onion private keys from the machines handling visitor traffic.  (2) is really a Tor network issue, though maxing out your intro points with onionbalance will help.  For (3), well, as always—don’t run poorly designed software.  nginx is already robust against HTTP-level DDoS; I have no idea about the vulnerability profile of SMF, other than that it’s database-intensive forum software written in PHP.  I guess, start by disabling the search function through .onion...

I don’t see why a monthly paid subscription should be required.  If that was intended as an idea for .onion, it would effectually restrict .onion use to people who directly make money off the forum—signature campaigners, etc.  Instead, to prevent abuse, I’d suggest that full posting privileges through .onion be restricted to full Members or paid Copper Members.  (I am guessing that Junior Member accounts may be too cheap on the account sale market, especially for hacked accounts.)  .onion posters without those ranks should be restricted through a “newbie jail”-like system.  Those who could not afford paid membership, could spend a few months ranking up in the .onion jail—or through clearnet exits, just like now.  For spammers and scammers, throwaway accounts would be prohibitively expensive.

Perhaps also add a “.onion” tag below the username and rank for posts made through .onion.  I am reluctant to suggest that, given the level of prejudice some people have against Tor users; but I don’t think the moderators here have such a bias, which is the important part to me, personally.  I myself would be proud to wear a “.onion” tag.  I would explicitly add it, if it were offered as an option.

For a non-location-hidden .onion, as I presume this would be, single-onion mode should be snappy for users.  Projects such as Debian and Tor Project successfully run high-bandwidth services such as public apt repositories through .onions, using onionbalance.  Debian users can do all their OS updates without ever touching clearnet!  Use of .onion also helps the Tor network, by shifting load off the bottleneck of exit nodes.  Any relay can serve as as a rendezvous point, including the far more numerous “middle nodes”.

Note that any .onion version of the forum must be verified to work with Javascript disabled.  Excepting signup and login functions, basic functionality seems to work fine that way.

Anything that diminishes spam and pernicious assaults is great as I would like to think.

Cloudflare’s effect on spam should be somewhere between negligible and nil.  It’s an anti-DDoS reverse proxy network and caching CDN; it also filters out attacks against braindead applications which can’t handle Bobby Tables.  I don’t see how it could help much against spam; how could the HTTP requests involved in spam posts be distinguished from legitimate network traffic?  Especially the spam posts made by nominal humans?  Though I suppose that forum spam is a wetware-layer DDoS.  It does “deny service” when the forum is unreadable.

Anyone registering through tor has to pay a small bitcoin fee, so all those users have bitcoin addresses associated with their accounts.
that's only if the exit node ip has points of evil associated with it though, i could imagine some new nodes might not have any points linked to them.

I wonder whether theymos’ “evil IP” system uses the publicly known IPs of Tor exits, as published in the consensus.  It would make sense to charge a set price to all Tor users, rather than varying the fee by measurements taken on a particular exit IP.  But n.b., not all exits actually exit through the same IP as they use for their ORPort.  I recall some research finding that as many as 10% of exits did otherwise.  This is useful for avoiding blocks, but risky for node operators since the IP is not listed in the “exonerator”.

Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 1778
Merit: 1559


View Profile WWW
December 11, 2017, 12:23:35 AM
 #49

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.
Is there an official .onion proxy of BitcoinTalk that bypass Cloudflare? We do sometimes get support request PMs.

How about BitcoinTalk Pro accounts with monthly payments, private proxy without Cloudflare and captchas, bot access?

THIS.  Thank you.  A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet. 
There have been plenty of .onion sites that have been DDoS'ed over the years. I know that Silk Road had a decent number of DDoS issues, and Ulbright apparently spent a decent amount of money fighting it. I am not sure if he implemented any of what you suggested though.

NOTBanned from displaying signatures until May 20, 2022, 11:26:45 PM
Don’t Plagiarize, it’s dishonest and you *will* get caught
nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 11, 2017, 01:37:09 PM
 #50

A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet. 

There have been plenty of .onion sites that have been DDoS'ed over the years. I know that Silk Road had a decent number of DDoS issues, and Ulbright apparently spent a decent amount of money fighting it. I am not sure if he implemented any of what you suggested though.

I was careful not to suggest that .onions be DDoS-proof.  Of course, they’re not.  But they do radically change the attack surface, largely for the better (at least against DDoS).

In practice, I would suppose that probably, the best means to deny access to a .onion would be to DDoS its introduction points.  Those have publicly known IP addresses; and I doubt many Tor node operators are prepared to handle even something so commonplace as an amplified flood of UDP packets in response to forged DNS requests.  The .onion will become available again as it changes introduction points; but meanwhile, users will have an awful time getting through.  I am not saying anything which is not already well-known and widely discussed amongst Tor devs.

On another note, I would not deem Ulbricht competent to admin the website for a hot-dog cart.  Let alone to run a site under a threat model far beyond my abilities, and likely beyond the capability of the Tor network.  He couldn’t even keep PHP (!) errors from spilling his servers’ guts.  I guess he must have been high on drugs.  I would not take any lessons from his experience, other than mining it for examples of what not to do.  Whereas .onions run by competent sysadmins have survived extreme DDoS attempts.

nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 11, 2017, 03:22:02 PM
 #51

Hot off the presses, a Cloudflare-blocking browser add-on!  a.m.o. currently says it was last updated “an hour ago (Dec 11, 2017)”:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

I have not yet examined the code.  Use at your own risk, pending review.

Referred by:

https://trac.torproject.org/projects/tor/ticket/24351#comment:25

Cheers to whomever did this.  “Cypherpunks write code.”

Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1000



View Profile
December 12, 2017, 01:12:08 PM
 #52

can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now ?

many pictures are not recreate now (on popular thread : the Wall Observer).
nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 12, 2017, 07:57:54 PM
 #53

can you (theymos) suppress the automated filtered ip.bitcointalk.org picture recreation ... if we are on cloudflare, now ?

How is Cloudflare thus relevant?  The purpose of the image proxy is to “improve privacy and eliminate mixed content warnings”.  (I also speculate that it might filter some evil, though that’s only an idle guess.)  It has nothing to do with DDoS protection, other than needing it.



On a related note, I am now working to spearhead the development of a browser add-on to block Cloudflare.  Bitcointalk.org is discussed in Issue 4.

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

jojo69
Legendary
*
Offline Offline

Activity: 1386
Merit: 1744


no FOMO


View Profile
December 13, 2017, 04:59:30 PM
 #54

it isn't working

This is not some pseudoeconomic post-modern Libertarian cult, it's an un-led, crowd-sourced mega startup organized around mutual self-interest where problems, whether of the theoretical or purely practical variety, are treated as temporary and, ultimately, solvable.
Censorship of e-gold was easy. Censorship of Bitcoin will be… entertaining.
hilariousetc
Legendary
*
Offline Offline

Activity: 1218
Merit: 2071


Pro board spammer


View Profile
December 13, 2017, 05:22:29 PM
 #55

it isn't working

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.

InvoKing
Legendary
*
Offline Offline

Activity: 1344
Merit: 1064


View Profile
December 13, 2017, 05:24:08 PM
 #56

I can hardly connect to bitcointalk.org and read the topics without many errors / downtime.
Another DDOS attack?
What's the difference between having cloudflare and not?

Edit : more than 3 minutes to pass this post (and i think the same time to pass this edit). Agree totally with hilarious.
hilariousetc
Legendary
*
Offline Offline

Activity: 1218
Merit: 2071


Pro board spammer


View Profile
December 13, 2017, 05:25:59 PM
 #57

Seemingly nothing at the moment.

ibminer
Legendary
*
Offline Offline

Activity: 1336
Merit: 1345


Goonies never say die.


View Profile
December 13, 2017, 06:34:54 PM
 #58

Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer  Grin  Angry  Sad

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.

:-: Bitcointalk Public Information Project (BPIP) New stats, new reports, and a new design(done by me. Smiley)
Don't be obsessed with your desires. The Zen philosopher Basho once wrote, 'A flute with no holes, is not a flute... and a donut with no hole, is a Danish.' He was a funny guy.
nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 13, 2017, 08:43:40 PM
Merited by qwk (1)
 #59

@theymos, this isn’t what you signed up for!  Not the downtime, and not the following—as seen through Tor.  Not changed by rotating circuits.  I can’t dump cookies, because I need to stay logged in; and once Cloudflare decided to demand from me an Internet cavity search, they locked me out of bitcointalk.org with a demand that I let them run their executable code on my machine.  I waited it out, and they eventually let me pass.


Cloudflare also repeatedly tried to Google-CAPTCHA me on their error pages.  No, thanks; I can do without seeing the holy secret errors.

This interrupted my repeated attempts to post the following.  (Anybody awaiting a reply from me elsewhere, please understand if it may be slow in coming.)



I especially dislike Cloudflare, which I'm almost certain is basically owned by US intelligence agencies.

it isn't working

Yeah, I'm not sure it even works very well because every other website that uses it seems to have a lot of downtime and cloudflare errors. There's seemingly no difference between when we had theymos' own version and it's been especially bad today. Barely been able to use the site at all, so not sure how effective the service really is if the forum is still going to be unusable.

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.  Their product requires serious network bandwidth, hardware, sysadmin, and engineering.  Those cost money—lots of money.

Usually, “free” products which cost big money to offer can be explained with the aphorism, “You are not the customer; you are the product.”  That raises the question, who pays?

In practice, who pays? is isomorphic to the ancient idiom:  Cui bono?

“You are the product.”  Bitcointalk.org is now a product.  For whom?  And does the customer truly wish for Bitcointalk.org to succeed?

At that, does Cloudflare itself like customers who “especially dislike Cloudflare”?  One of the great benefits of dependence on “huge centralized anti-DDoS companies” is that you can’t bite the hand which feeds you—at least, not more than that hand will deign to tolerate.  Too bad.  Even if this is only some generalized Cloudflare failure, I doubt that theymos stands at the front of their support queue.

Connectivity has sucked all day. NSA must have finally implemented their traffic analyzer  Grin  Angry  Sad

The Internet is seriously flawed if everyone needs to huddle behind these huge centralized anti-DDoS companies in order to survive...

Cloudflare is seriously flawed if your homemade DDoS protection works better than theirs.

nullius
Copper Member
Full Member
***
Offline Offline

Activity: 168
Merit: 776


Help! I’ve got the Pleurodelinaemia! @nym.zone


View Profile WWW
December 13, 2017, 10:08:43 PM
 #60

Well, it’s not only Cloudflare.  It’s that and/or something else:


Admins may e-mail me for details, if that would be useful.  (I doubt it; that’s all I saw.)  PM seems not so useful right now.

Pages: « 1 2 [3] 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!