[ANN] KRAKEN.COM - Exchange with USD EUR GBP JPY CAD BTC LTC XRP NMC XDG STR ETH

[Serpens66]

Update on the "Heartbleed" SSL vulnerability:

We now know that is was in fact possible to obtain Cloudflare's private keys for SSL certificates via the Heartbleed vulnerability. Cloudflare issued a challenge for this and it was solved about 9 hours later. You can read the update from Cloudflare here:

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

It's still unlikely that any private keys were actually leaked. But as I said before, users should create a new password after we have new certificates issued (we'll let you know when this happens). Cloudflare is stepping up their efforts to get new certificates issued as soon as possible.

"stupid" question...: is the two factor key also affected? Or is it still save with 2FA even if someone got the password?

[1715227871]

1715227871

[Dargo]

Update on the "Heartbleed" SSL vulnerability:

We now know that is was in fact possible to obtain Cloudflare's private keys for SSL certificates via the Heartbleed vulnerability. Cloudflare issued a challenge for this and it was solved about 9 hours later. You can read the update from Cloudflare here:

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

It's still unlikely that any private keys were actually leaked. But as I said before, users should create a new password after we have new certificates issued (we'll let you know when this happens). Cloudflare is stepping up their efforts to get new certificates issued as soon as possible.

"stupid" question...: is the two factor key also affected? Or is it still save with 2FA even if someone got the password?

Not a stupid question - you're more secure with 2FA, but Heartbleed might still pose a vulnerability. If you have 2FA and your password is leaked, then your OTP could be leaked at the same time. Since it's just a one-time password, though, the leaked OTP couldn't be used again to gain access to your account.

However, if the key used to set up your 2FA is leaked, then an attacker might be able to appropriate your 2FA. Google Authenticator TOTP uses the key + current time to generate the OTP, so if someone obtains your key it'd be pretty easy to generate OTPs. GA HOTP would be harder because it uses the key + a counter to generate the OTP, so an attacker would need to know both the key and where the counter is at. (HOTP is a bit more secure for this reason, but also harder to recover if it goes out of sync, since you'd have to sync counters rather than just doing a time sync). Yubikey is also counter-based, so it'd be similar to GA HOTP.

Your 2FA is less likely to be affected than your password, but it's probably a good idea to re-do your 2FA after our SSL certificates are reissued.

[yslyung]

it'll be great if different currency can be used to trade with coins. i have krw account but i can only trade in krw but i cannot trade in euros or usd. so far the most active market is euros but the krw market & vol is pretty low. i hope kraken can consider looking into this.

[MusX]

I guess we have all seen this anomaly.
This morning the price jumped from 375 to 444 and then back to 360 all at the same time, and there have been lots of sales orders in the book lower than 444 at this moment.
I am still not getting why this is possible. I mean, we are speaking about a 2BTC trade which made it to 444. Is that related to low volume, if yes - How?
.
.
10:20:43 buy €360.88401 0.01860586
10:20:43 sell €444.80067 2.05480805
10:20:43 buy €375.00000 3.01440826
.
.

Thanks for letting us know - we're looking into it. We won't know the reason for it until we investigate.

Here is the person who may caused this: https://bitcointalk.org/index.php?topic=551744.msg6014980#msg6014980
(exactly the same time on the screenshot)

Dargo, any update on this issue? we still don't know what happened.

[Dargo]

I guess we have all seen this anomaly.
This morning the price jumped from 375 to 444 and then back to 360 all at the same time, and there have been lots of sales orders in the book lower than 444 at this moment.
I am still not getting why this is possible. I mean, we are speaking about a 2BTC trade which made it to 444. Is that related to low volume, if yes - How?
.
.
10:20:43 buy €360.88401 0.01860586
10:20:43 sell €444.80067 2.05480805
10:20:43 buy €375.00000 3.01440826
.
.

Thanks for letting us know - we're looking into it. We won't know the reason for it until we investigate.

Here is the person who may caused this: https://bitcointalk.org/index.php?topic=551744.msg6014980#msg6014980
(exactly the same time on the screenshot)

Dargo, any update on this issue? we still don't know what happened.

Not yet. I won't be able to say what happened (and won't know myself) until we have a fully tested fix in place. So far as I know, the incident you mention above is the only example of it in the wild, so it seems to be triggered by a pretty rare set of circumstances.

[MusX]

thanks for update, good to know you did not forget about it.

kind of new error occurs during the last hour:

Code:

Origin SSL Handshake Error

using cURL library, even if ssl verify is turned off.
It is working ok since the last few minutes. Hope it was temporary issue, maybe something related to cloudflare ssl cert update.

[Dargo]

thanks for update, good to know you did not forget about it.

kind of new error occurs during the last hour:

Code:

Origin SSL Handshake Error

using cURL library, even if ssl verify is turned off.
It is working ok since the last few minutes. Hope it was temporary issue, maybe something related to cloudflare ssl cert update.

Thanks for the information. Let us know if it comes back.

[FlyingLotus]

thanks for update, good to know you did not forget about it.

kind of new error occurs during the last hour:

Code:

Origin SSL Handshake Error

using cURL library, even if ssl verify is turned off.
It is working ok since the last few minutes. Hope it was temporary issue, maybe something related to cloudflare ssl cert update.

Thanks for the information. Let us know if it comes back.

It's back..

[Serpens66]

was the price on kraken ~ one hour ago really at 310€ for a short time (or maybe another bug?)

[Dargo]

thanks for update, good to know you did not forget about it.

kind of new error occurs during the last hour:

Code:

Origin SSL Handshake Error

using cURL library, even if ssl verify is turned off.
It is working ok since the last few minutes. Hope it was temporary issue, maybe something related to cloudflare ssl cert update.

Thanks for the information. Let us know if it comes back.

It's back..

What exactly are you doing when this error message appears?

[Dargo]

was the price on kraken ~ one hour ago really at 310€ for a short time (or maybe another bug?)

Could be another instance of the issue we saw before. We'll take a close look at it.

[Serpens66]

was the price on kraken ~ one hour ago really at 310€ for a short time (or maybe another bug?)

Could be another instance of the issue we saw before. We'll take a close look at it.

some users on the german forum said their orders got triggered, so I think it was not a bug

[Dargo]

was the price on kraken ~ one hour ago really at 310€ for a short time (or maybe another bug?)

Could be another instance of the issue we saw before. We'll take a close look at it.

some users on the german forum said their orders got triggered, so I think it was not a bug

If no orders appear to have been skipped over, then it probably isn't a bug. We'll take a close look at it though.

[KrakenTrader]

was the price on kraken ~ one hour ago really at 310€ for a short time (or maybe another bug?)

Could be another instance of the issue we saw before. We'll take a close look at it.

some users on the german forum said their orders got triggered, so I think it was not a bug

If no orders appear to have been skipped over, then it probably isn't a bug. We'll take a close look at it though.

For me it appears to not have been a bug, as I have been waiting in fiat at different positions near above 310€, and all those have been triggered luckily.
At the very same time there was quite a large volume on Kraken, around 150BTC or so.
The current rate at this moment was around 355€ - went down to 310 and back.
Made me fast 11% profit.

[MusX]

KrakenTrader, good for you
Whether this time it was bug or not, the previous case needs to be investigated and if it gets fixed, then this case would be fixed also, if it was a bug, which is unlikely. So it is better to focus on "sure" bug - the previous case.

[KrakenTrader]

KrakenTrader, good for you
Whether this time it was bug or not, the previous case needs to be investigated and if it gets fixed, then this case would be fixed also, if it was a bug, which is unlikely. So it is better to focus on "sure" bug - the previous case.

I guess you are referring to this 444€ spike http://imgur.com/a/yMy3E
which I noticed on 01.April

Let's see if Dargo can soon give an update

[bahamapascal]

Hi Drago!

I would like to make a suggestion, could you please add 2fa via email? So if one would make a withdraw, you first send a email with a verification link before the transaction is processed.
The same would be for changing password. Almost every exchange supports 2fa via email, so I guess it shouldn't be to difficult to add it.
I know you support 2fa via google, but not every one has a smart phone and is able to use this method.

Otherwise I am more then happy with kraken, but not being able to have 2fa is the only reason that I am currently not using it for day trading, which is a shame as you are otherwise my favorite exchange.

If I understand what you're asking for, I wouldn't call it 2fa via email. Strictly speaking, 2fa is supposed to be something you own rather than something you know. But if you don't have a 2fa device, then your email is going to be accessible via something known (your password). Email confirmation would in effect be like asking for a second password, and you can set up the equivalent of this on our exchange just by creating a password for login and funding. If you go to Account > Security > Two-Factor Authentication > Account login and funding (setup) > Method > Password, you can set a second password for login and funding. (I just noticed that the verbiage says for login, deposits, and withdrawals, but really it's just for login and withdrawals).

Another thing you can do to secure your account without a two-factor device, either in conjunction with the above, or as an alternative to it, is to use the global settings lock

https://www.kraken.com/help/faq#global-settings-lock

What this will do is lock your settings so that nobody can change your withdrawal settings (among other things). If an attacker gained access to your account, they could only withdraw to your existing withdrawal accounts (and if you set a password for this, only if they have the password). They could request a settings unlock, but then they'd have to wait for the specified number of days for the unlock to take place. Meanwhile, you'd receive a notification by email that an unlock was requested, and you'd have time to stop the thief before they do any damage.

Be careful with the settings lock though, because if you don't set a master key first

https://www.kraken.com/help/faq#master-key

then even you won't be able to unlock the settings until the specified number of days pass (no, customer support agents won't unlock for you - you just have to wait). If you create the master key first, the master key will allow you to unlock immediately. I'd recommend either not using the master key and setting the unlock to just a day or two (long enough to give you time to react if get you get an email about an unwarranted unlock request, but not so long that you can't stand to wait if you need to unlock), or creating a master key and setting the unlock for a longer period of time. If you go the master key route, this password should be kept in a safe place and *separate* from your other Kraken passwords.

Hope that helps to understand the security options we have for folks without 2fa devices. You can still lock down your account pretty darn well without them. Personally I'd prefer the options above over a simple verification link by email, but we'll consider what we might be able to do with email as well.

Thanks for this information, I have tested it and am quite satisfied. Just as a improvement I would suggest making it more clearer were one has to enter the second password. I tried for hours before I found out that my second password has to be entered in the "one-time only" password section/field.

[yslyung]

Made a withdrawal request 2 days ago & it still says pending sitting idle. Drago, can you please look into this ? ACHTUDG-WLYD4O-KHVAMP
Previously made a withdrawal from Euros to local bank account in korea & it is so much faster than now from KRW to local korean bank.

thx.

[Dargo]

Made a withdrawal request 2 days ago & it still says pending sitting idle. Drago, can you please look into this ? ACHTUDG-WLYD4O-KHVAMP
Previously made a withdrawal from Euros to local bank account in korea & it is so much faster than now from KRW to local korean bank.

thx.

I alerted the person who handles the Korean bank funding to the issue. It should get resolved quickly. I think Korean bank transfers are usually next business day, so I'm not sure why this one is delayed.

[Serpens66]

Dargo, is it possible to increase the minimum for one trade? At the moment it is 0.01BTC.

e.g I made a buy order for 0.1BTC at 382€. It is parital filled.  0.00871011BTC are left... and now I can't make a new order with a higher price, because the amount is too low -.-