Bitcoin Forum
December 09, 2019, 09:42:30 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: 1 2 3 [All]
  Print  
Author Topic: Cloudflare  (Read 14838 times)
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 01, 2013, 12:16:27 PM
 #1

I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

Whats the point of having the forum behind SSL when the keys are handed over to a third party?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 01, 2013, 12:17:55 PM
 #2

I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

Whats the point of having the forum behind SSL when the keys are handed over to a third party?

Don't worry it's safe, they just reinvented SSSS.

cedivad
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001



View Profile
December 01, 2013, 12:22:35 PM
 #3

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 01, 2013, 12:24:24 PM
 #4

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

This is factually incorrect.
Using cloudflare for anything bitcoin-related is a fucking heresy.
As a matter of fact there is exactly one venue that could use it safely and it's MPEx.

cedivad
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001



View Profile
December 01, 2013, 12:32:19 PM
 #5

The "Pro" plan seems like to allow the use of your certificate, CF should only act as a proxy.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 01, 2013, 12:35:47 PM
 #6

The "Pro" plan seems like to allow the use of your certificate, CF should only act as a proxy.

Both options are a massive MITM vulnerability.

cedivad
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001



View Profile
December 01, 2013, 12:44:03 PM
 #7

I don't get it, i've never used CF before for this very reason.
CF has a copy of the certificate of the forum right now? Also, it looks like that i'm still connecting to 109.201.133.195, that doesn't go trough CF.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 01, 2013, 12:47:00 PM
 #8

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
That would be good— any citation? (I did look briefly)
cedivad
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001



View Profile
December 01, 2013, 01:44:43 PM
 #9

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
That would be good— any citation? (I did look briefly)
I did look as well and came out with the conclusion that i misinterpret his post, as i always misinterpret every post i read...

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.


My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
Kouye
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


Cuddling, censored, unicorn-shaped troll.


View Profile
December 01, 2013, 01:56:20 PM
 #10

I'm really baffled that 2 staff members find out about this after it happened.
Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
noellajean
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile WWW
December 01, 2013, 02:15:11 PM
 #11

I'm now having issues connecting to bitcointalk.org

It doesn't load through my internet at home, I've got to get here through my phone. 

Also, for some reason, safari & chrome crash when attempting to access this thread through my iphone.

I had the same issues with btc-e.com for a whiled.  cloudflare was confusing my ISP and sending me in a redirect loop.  It only just got sorted.

*sigh*
tysat
Legendary
*
Offline Offline

Activity: 966
Merit: 1001


Keep it real


View Profile
December 01, 2013, 02:58:40 PM
 #12

I'm really baffled that 2 staff members find out about this after it happened.
Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?

Probably should be.... but it's not.
Queenvio
Hero Member
*****
Offline Offline

Activity: 792
Merit: 517



View Profile
December 01, 2013, 04:45:53 PM
 #13

I'm not sure if its because cloudflare

But a lot of people from europe cant connect to the website.


Greetings

theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7354


View Profile
December 01, 2013, 06:04:34 PM
 #14

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I didn't order this change. It may just be a miscommunication, but it may also be part of a MITM attack.

The fingerprint of the forum's TLS certificate is:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Has anyone observed a different certificate?
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbehcACgkQxlVWk9q1kefriQEAvOCK5o1Eb45+Yk+3Oib51Xyn
a1GRdw2UqFeqDWeDJ/gA/3agXFUacZhfO0PCW3FW4iRG4I7/agUbl/fQDko8KPHy
=ioA0
-----END PGP SIGNATURE-----

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7354


View Profile
December 01, 2013, 06:09:12 PM
 #15

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file:
109.201.133.195 bitcointalk.org

(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.)
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE
Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R
=QYwE
-----END PGP SIGNATURE-----

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Kouye
Sr. Member
****
Offline Offline

Activity: 336
Merit: 250


Cuddling, censored, unicorn-shaped troll.


View Profile
December 01, 2013, 06:23:57 PM
 #16

Thanks!
Any clue about what happened?

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
Yazuki
Newbie
*
Offline Offline

Activity: 21
Merit: 0


View Profile
December 01, 2013, 06:25:57 PM
 #17

It was pointing to random servers through cloudflare. If you visited the forum and saw it connect through cloudflare, you should scan your computer for viruses.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 12:16:53 AM
 #18

So, what's the story here ?

Also :

Quote
If you were only logged in via the "remember me" feature, then you're OK.

No you're not, you want to check your account for changes, payout addresses especially and any other sensitive information that might have been altered without your knowledge.

eldentyrell
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1001


felonious vagrancy, personified


View Profile WWW
December 02, 2013, 12:49:18 AM
 #19

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

Either you remember incorrectly or Theymos is wrong (probably the former).

Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair; all they check is that you've pointed your DNS records at cloudflare.

The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators.  So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
eldentyrell
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1001


felonious vagrancy, personified


View Profile WWW
December 02, 2013, 12:51:46 AM
 #20

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file:
109.201.133.195 bitcointalk.org

(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.)
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE
Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R
=QYwE
-----END PGP SIGNATURE-----


I warned about this EIGHT MONTHS AGO.

Oh well, at least bitcointalk is doing something about it (albeit belatedly)… as opposed to pretty much every single exchange, which continues to ignore the problem.

The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators.  So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 12:54:42 AM
 #21

Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair;

Bullshit.

theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7354


View Profile
December 02, 2013, 12:55:40 AM
 #22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here's what we think happened:

8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate.

Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password.

For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Simultaniously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKb2nkACgkQxlVWk9q1kefhTwD+Ni5k7CUrHjvzG29wO3Gx4Am+
MV5tdw8zE1AAWvbstt8BAIrndOXCYmawoXN+VeSZkLXHnCyQbR8IOftQnpl2aXYs
=465T
-----END PGP SIGNATURE-----

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
eldentyrell
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1001


felonious vagrancy, personified


View Profile WWW
December 02, 2013, 12:58:13 AM
 #23

Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair;

Bullshit.

Read up.  Globalsign issues certificates directly to cloudflare, signing a cloudflare-generated keypair.

The entire X.509 edifice is a complete joke.  Or an NSA honeypot.

The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators.  So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7354


View Profile
December 02, 2013, 01:04:03 AM
 #24

Read up.  Globalsign issues certificates directly to cloudflare, signing a cloudflare-generated keypair.

That's not even necessary in this case. Most CAs will verify you only by sending an email to something like admin@domain.com. But if the attacker controls the DNS, then they can receive mail at such email addresses.

The CA system sucks in general. I actually used to have all CAs disabled in Firefox, but Firefox (especially newer versions) handles this really badly, so I couldn't do it anymore.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 01:06:07 AM
 #25

Read up.  Globalsign issues certificates directly to cloudflare, signing a cloudflare-generated keypair.

I just did, you're partly right, I'm partly right too.


for any domain

I think this is where you're wrong, I'd assume (the reference doesn't say) that the CA wouldn't sign the certificate without at least the DNS of the domain pointing to CF. They wouldn't simply sign *any* certificate.

Could have been achieved with any CA that validates ownership of domains with the insertion of some validation token at an arbitrary URL on said domain.

davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 01:06:48 AM
 #26

The CA system sucks in general.

Yet it's being built right into bitcoin-qt... :-(

eldentyrell
Donator
Legendary
*
Offline Offline

Activity: 980
Merit: 1001


felonious vagrancy, personified


View Profile WWW
December 02, 2013, 01:19:24 AM
 #27


(emphasis added)

Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair; all they check is that you've pointed your DNS records at cloudflare.

I think this is where you're wrong, I'd assume (the reference doesn't say) that the CA wouldn't sign the certificate without at least the DNS of the domain pointing to CF. They wouldn't simply sign *any* certificate.

Uh…. isn't that exactly what I said?


Yet it's being built right into bitcoin-qt... :-(

Gee I wonder why.

The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators.  So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 01:22:56 AM
 #28

Uh…. isn't that exactly what I said?

Hah, guess I re-quoted my misquote and dropped this bit :-)

gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 02, 2013, 03:29:38 AM
 #29

Gee I wonder why.
Because there isn't any functional alternative at the moment. But the only thing its used for is so you can have a "payment requests signed by XYZ.com", thats it. In not case is it weaker than not having it, excluding arguments perhaps about false senses of security. The payment protocol stuff is fully extensible so if someone shows up with a more useful PKI it can easily be added.

Seriously, I'm one of the last guys to think the situation with x509 isn't a complete farce but I don't see any problem with the payment protocol supporting x509 signing of invoices. You'd not adding to the quality of discourse with that "wonder why" bullshit. Especially because there are a lot of ignorant people out there who have absolutely no idea how it works and think that supporting CA authentication of a signing key will somehow make all their transactions visible to the CA or other such threats that don't exist.
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 02, 2013, 04:21:43 AM
Last edit: December 02, 2013, 05:36:38 AM by gmaxwell
 #30

Looks like there is no way to escape a "cloudflare mediated attack": short of

(1) Get a shiny new SSL cert with a CA that has a strong security policy. (e.g. won't give certs to cloudflare), the current one may be adequate
(2) Get browser vendors to pin that CA for this domain.
(3) HSTS the site.


(2) would be a somewhat amusing discussion. As Bitcointalk is a much lower traffic than most of the other sites that have been CA pinned in chrome. OTOH, we can point out that a redirect to cloudflare attack was actually performed on us, ... while most of the other pinned sites are not known to have been attacked. Smiley
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 02, 2013, 05:39:26 AM
 #31

Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7354


View Profile
December 02, 2013, 06:40:35 AM
 #32

Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?

Did anyone actually save a MITM cert? I only have a few reports of unusual behavior -- nothing too solid. Personally, I observed 108.162.197.161 proxying the traffic verbatim, without touching the cert.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
rme
Hero Member
*****
Offline Offline

Activity: 742
Merit: 501



View Profile
December 02, 2013, 06:45:49 AM
 #33

Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?

Did anyone actually save a MITM cert? I only have a few reports of unusual behavior -- nothing too solid. Personally, I observed 108.162.197.161 proxying the traffic verbatim, without touching the cert.


I dont save it, but I can assure that when bitcointalk.org was under cloudflare a valid SSL certificate was been served.

gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 02, 2013, 07:26:31 AM
 #34

I looked at the darn cert, but didn't save it.  Geotrust vs Globalsign ... I'm sure I wouldn't remember the difference. I was looking for something like "cloudflare".

It remains true that anyone who could respond to a http request as the server (e.g. someone at the hosting provider or an upstream ISP) to a CA could get a cert issued in the site's name, since several CAs do nothing more than request a page with a specific name. So even without the cloudflare turbo compromise ... the CA universe stinks. Sad
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 07:51:47 AM
 #35

or other such threats that don't exist.

It's kind funny you'd say such a thing, in this very thread.
All these threats exist and the vulnerabilities will be exploited eventually, better do something about it.
For my part I'll look for a flag in the Makefile to disable the whole invoicing crap, if there's none I'll patch it back to oblivion.


Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?

If it happened the way theymos described it's a waste of time, except maybe for getting the cert revoked.
If the DNS was changed it won't be a fraudulent request from their PoV.

gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 02, 2013, 09:21:39 AM
 #36

All these threats exist
No. Mythical nonsense threats— things like the claims that supporting x509 signed payment requests will allow CA's to monitor transactions— which are structurally impossible do not exist.

Just because something has some facility for checking some signing key was signed by another key and pretty printing a name doesn't magically give the root signer the ability to print money, monitor transactions, track users, or whatever other insipid nonsense people have convinced themselves of in their paranoia orgy.  All it means is that they could impersonate that party in the pretty printing, but absent the existence of the facility _anyone_ could impersonate.

The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

The fantastical, confused, and— in some cases— personally violent arguments made about the x509 signing in the payment protocol are beyond the pale, even in this sometimes cesspool of a forum. Having a real commitment to security means also being  aggressive in refusing nonsense insecurity claims. Sorting out the signal from the non-man-made noise is already very hard. There is no excuse for additional noise.  Trolling secure systems with paranoia and FUD would be a fantastic counter-security move for a well funded attacker, and we must be robust against it.

If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.

Quote
Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?
If it happened the way theymos described it's a waste of time, except maybe for getting the cert revoked.
If the DNS was changed it won't be a fraudulent request from their PoV.
It would be good to have some evidence about the system being abused in order to get improvements to the way things are done. More selfishly, it would be easier to argue for adding BCT to the browser cert pins with that kind of information. Perhaps not worth the time, but I thought I'd ask.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 09:48:52 AM
 #37

All these threats exist
No. Mythical nonsense threats— things like the claims that supporting x509 signed payment requests will allow CA's to monitor transactions— which are structurally impossible do not exist.

[...]

If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.

Chill out, I'm not interested in drama.
I was referring to the *other* threats. I'm not going to waste my time on the nonsensical ones like you just did.

The CA system is bullshit, banks manage to somewhat handle it with chargebacks and wire recalls, Bitcoin deserves much better, and sometimes "much better" means "nothing at all".
This merchant stuff solves an imaginary problem in a broken way, what's next in the core tree? Discount codes? Loyalty programs?

flynn
Hero Member
*****
Offline Offline

Activity: 728
Merit: 540



View Profile
December 02, 2013, 12:28:21 PM
 #38

If I may, using DNSSEC would probably be the solution. And it's quite easy to implement.

http://dnssec-debugger.verisignlabs.com/bitcointalk.org

intentionally left blank
Wy9o2Y3s
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
December 02, 2013, 04:56:31 PM
 #39

We have to remember that the people behind cloudflare previously ran a project called projecthoneypot.org, a pretty useless project that thought it could stop spam.
They had financial issues when someone suddenly came around and said "Oh we could do a lot of interesting things with your datas". They then magically appeared with 20 millions dollars...
Cloudflare pretends a lot of things which are misleading people, for example they tell that they operate 23 datacenters around the world, this is definitely a lie as it is known that cloudflare usually only runs a router and a few servers in already existing datacenters.
They over exaggerate their capacity, they also tried to pretended to have developed their own httpd but it is only a lightly modified version of nginx.
It was also previously written in their TOS that they allow themselves to look at the datas to build some statistics and other things out of your traffic.

I would be very careful with this company.
scotjam
Sr. Member
****
Offline Offline

Activity: 268
Merit: 250


View Profile
December 02, 2013, 05:04:31 PM
 #40

For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

FYI - you can check the thumbprint in google chrome browser by clicking the green lock in the address bar, choosing the connection tab, clicking the "Certificate information" link, clicking the "Details" tab, and then selecting "Thumbprint" (near the bottom of the list)

scotjam
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 05:33:00 PM
 #41

What's not to like?

The fact that my cert sits AES encrypted on my production servers, in clear in its RAM and nowhere else.
In the security/convenience trade-off I'd rather get DDoS'd from time to time than to get MITM'd permanently.

EDIT : Assuming of course that the service doesn't work simply by looking at the encrypted traffic flow, in which case you can obviously disregard the previous comment :-)

turtle83
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


Supersonic


View Profile WWW
December 02, 2013, 09:04:35 PM
 #42

I see the forum uses HSTS
Code:
Strict-Transport-Security: max-age=3000000

If im not mistaken, there are some certificate pinning features available which tells the (modern) browsers to trust only the current certificate(or public key) for a predefined time... If thats implemented, trying to pull off a similar MiTM would probably result in some sort of warning... Not sure the status of this extension..

TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
December 02, 2013, 09:19:33 PM
 #43

Just gotta make sure you remember to renew the certificate in time though; false positives can be almost just as bad as failing to notice an attack.

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
Roy Badami
Hero Member
*****
Offline Offline

Activity: 564
Merit: 500


View Profile
December 02, 2013, 10:12:48 PM
 #44

The Certificate Patrol plug-in for Firefox looks interesting - it's supposed to tell you whenever a site's cert changes. https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

I've only just installed it, so I'm not sure how well it works in practice - but judging by the screenshots it looks like it saves the cert of every site you visit (not just a fingerprint) so that on detecting a changed certificate you can actually view both the old and new certs.

Of course, it's not that useful because in reality you often don't have enough information to determine if it's a legitimate change or not.

roy
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 500



View Profile
December 02, 2013, 11:32:12 PM
 #45

The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

I can't readily grasp the confusion of ideas and general brokenness of a brain that farts this proposition, to implement something known to be dysfunctional. Let's prolong the life of a broken piece of crap that should never have existed in the first place and in any event should have died long ago. Let's continuate as much of the stupidity of the old world as humanly possible.

Roughly equivalent, let's put three ounces of dog shit inside the car's tire, because there's no clear mechanism through which food would be contaminated by this, and therefore why not. So there you have the power rangers, on their hands and knees in a parking lot somewhere, huddled around this old rusty clunker of a car missing one door, stuffing dog shit through the air intake.

If this is the sort of ideas you'd entertain it's at least understandable why you wouldn't see what the problem is with them.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
tvbcof
Legendary
*
Offline Offline

Activity: 3038
Merit: 1052


View Profile
December 03, 2013, 01:19:27 AM
 #46

watching.  (sorry.)

BitcoinFX
Legendary
*
Offline Offline

Activity: 1988
Merit: 1234


youtu.be/7oLdYay0PnE ... hahaha! FU (c)D(c) CSW


View Profile WWW
December 03, 2013, 02:13:55 AM
 #47

I've only just installed it, so I'm not sure how well it works in practice - but judging by the screenshots it looks like it saves the cert of every site you visit (not just a fingerprint) so that on detecting a changed certificate you can actually view both the old and new certs.
It works very well. It's one of the few ways to make HTTPS suck less.

https://www.youtube.com/watch?v=pDmj_xe7EIQ

http://convergence.io/

...

I'd go with customizing ModSecurity: http://www.modsecurity.org/ if you have the 'money' and the time.

I use CloudFlare on my USA proxy websites, but I don't use it for SSL and choose to keep the https on a sub-domain.

https://wikipedia.org/wiki/CloudFlare

"On February 13, 2013, a comparative penetration testing analysis report was published by Zero Science Lab, showing that ModSecurity is more effective than CloudFlare and Incapsula. In fact, out of the three, CloudFlare was the least effective."

Bitcoin without polity !?! | Get a Gapcoin slice of Mathematically constant π + new world record and attempt ongoing! | "The industry of the integrated spectacle and immaterial command owes me (us all) money." | We do not Forgive. We do not Forget. Expect Revolution Renaissance! for we are all Satoshi now? | Vision does not = Prescient | "the multiple and the multiplex!" | HODL BTC and/or buy Pizza's | Read the first chapter ... | P.S. "I Eye love found you!" 456 | Mostly harmless ... 42 | "INSERT COIN" break blocks!
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2862



View Profile
December 03, 2013, 04:41:56 AM
 #48

Extended validation costs more, but it's worth much more.
My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 03, 2013, 07:57:23 AM
 #49

My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.

Any kind of shell company will be just fine.

TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
December 03, 2013, 01:34:00 PM
 #50

watching.  (sorry.)
Click the watch and the notify links at the top or bottom of the thread...

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
phelix
Legendary
*
Offline Offline

Activity: 1708
Merit: 1005


nmc:id/phelix


View Profile
December 03, 2013, 07:53:31 PM
 #51

The CA system sucks in general.
It would be nice if you could add bitcointalk.bit as an external domain so that it can be used as a backup. Of course I would be happy to send you the name.

Also I added the forum fingerprint so Namecoin TLS should work with the Namecoin TLS firefox plugin - authorized, encrypted, decentralized.  Grin

blockchained.com ■ bitcointalk top posts
wtogami
Sr. Member
****
Offline Offline

Activity: 263
Merit: 250



View Profile
December 03, 2013, 08:25:04 PM
 #52

I jokingly suggested that theymos sell personal openvpn certs for paranoid users to access BitcoinTalk without any reliance on SSL.  He's considering it.

If you appreciate my work please consider making a small donation.
BTC:  1LkYiL3RaouKXTUhGcE84XLece31JjnLc3      LTC:  LYtrtYZsVSn5ymhPepcJMo4HnBeeXXVKW9
GPG: AEC1884398647C47413C1C3FB1179EB7347DC10D
tvbcof
Legendary
*
Offline Offline

Activity: 3038
Merit: 1052


View Profile
December 03, 2013, 08:26:27 PM
 #53

watching.  (sorry.)
Click the watch and the notify links at the top or bottom of the thread...

Off-topic for this thread, but on-topic for this board:

I want it on my 'new replies to your posts' list.  I don't want it on my 'watchlist', and I certainly don't want to get spammed via e-mail.  It would be nice if there were a toggle such that the flag could be added without making a post...and especially subtracted if one had made a post.


Pages: 1 2 3 [All]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!