gmaxwell (OP)
Staff
Legendary
Offline
Activity: 4284
Merit: 8808
|
|
December 01, 2013, 12:16:27 PM |
|
I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.
Whats the point of having the forum behind SSL when the keys are handed over to a third party?
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
|
|
December 01, 2013, 12:17:55 PM |
|
I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.
Whats the point of having the forum behind SSL when the keys are handed over to a third party?
Don't worry it's safe, they just reinvented SSSS.
|
|
|
|
cedivad
Legendary
Offline
Activity: 1176
Merit: 1001
|
|
December 01, 2013, 12:22:35 PM |
|
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
|
My anger against what is wrong in the Bitcoin community is productive: Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)Hashfast.org - Wiki for screwed customers
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
|
|
December 01, 2013, 12:24:24 PM |
|
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
This is factually incorrect. Using cloudflare for anything bitcoin-related is a fucking heresy. As a matter of fact there is exactly one venue that could use it safely and it's MPEx.
|
|
|
|
cedivad
Legendary
Offline
Activity: 1176
Merit: 1001
|
|
December 01, 2013, 12:32:19 PM |
|
The "Pro" plan seems like to allow the use of your certificate, CF should only act as a proxy.
|
My anger against what is wrong in the Bitcoin community is productive: Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)Hashfast.org - Wiki for screwed customers
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
|
|
December 01, 2013, 12:35:47 PM |
|
The "Pro" plan seems like to allow the use of your certificate, CF should only act as a proxy.
Both options are a massive MITM vulnerability.
|
|
|
|
cedivad
Legendary
Offline
Activity: 1176
Merit: 1001
|
|
December 01, 2013, 12:44:03 PM |
|
I don't get it, i've never used CF before for this very reason. CF has a copy of the certificate of the forum right now? Also, it looks like that i'm still connecting to 109.201.133.195, that doesn't go trough CF.
|
My anger against what is wrong in the Bitcoin community is productive: Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)Hashfast.org - Wiki for screwed customers
|
|
|
gmaxwell (OP)
Staff
Legendary
Offline
Activity: 4284
Merit: 8808
|
|
December 01, 2013, 12:47:00 PM |
|
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
That would be good— any citation? (I did look briefly)
|
|
|
|
cedivad
Legendary
Offline
Activity: 1176
Merit: 1001
|
|
December 01, 2013, 01:44:43 PM |
|
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
That would be good— any citation? (I did look briefly) I did look as well and came out with the conclusion that i misinterpret his post, as i always misinterpret every post i read... Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.
|
My anger against what is wrong in the Bitcoin community is productive: Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)Hashfast.org - Wiki for screwed customers
|
|
|
Kouye
Sr. Member
Offline
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
|
|
December 01, 2013, 01:56:20 PM |
|
I'm really baffled that 2 staff members find out about this after it happened. Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?
|
[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition! I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
|
|
|
noellajean
Newbie
Offline
Activity: 56
Merit: 0
|
|
December 01, 2013, 02:15:11 PM |
|
I'm now having issues connecting to bitcointalk.org
It doesn't load through my internet at home, I've got to get here through my phone.
Also, for some reason, safari & chrome crash when attempting to access this thread through my iphone.
I had the same issues with btc-e.com for a whiled. cloudflare was confusing my ISP and sending me in a redirect loop. It only just got sorted.
*sigh*
|
|
|
|
tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
|
|
December 01, 2013, 02:58:40 PM |
|
I'm really baffled that 2 staff members find out about this after it happened. Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?
Probably should be.... but it's not.
|
|
|
|
Queenvio
|
|
December 01, 2013, 04:45:53 PM |
|
I'm not sure if its because cloudflare
But a lot of people from europe cant connect to the website.
Greetings
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5390
Merit: 13427
|
|
December 01, 2013, 06:04:34 PM |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I didn't order this change. It may just be a miscommunication, but it may also be part of a MITM attack.
The fingerprint of the forum's TLS certificate is: 29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B
Has anyone observed a different certificate? -----BEGIN PGP SIGNATURE-----
iF4EAREIAAYFAlKbehcACgkQxlVWk9q1kefriQEAvOCK5o1Eb45+Yk+3Oib51Xyn a1GRdw2UqFeqDWeDJ/gA/3agXFUacZhfO0PCW3FW4iRG4I7/agUbl/fQDko8KPHy =ioA0 -----END PGP SIGNATURE-----
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5390
Merit: 13427
|
|
December 01, 2013, 06:09:12 PM |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file: 109.201.133.195 bitcointalk.org
(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.) -----BEGIN PGP SIGNATURE-----
iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R =QYwE -----END PGP SIGNATURE-----
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
Kouye
Sr. Member
Offline
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
|
|
December 01, 2013, 06:23:57 PM |
|
Thanks! Any clue about what happened?
|
[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition! I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
|
|
|
Yazuki
Newbie
Offline
Activity: 21
Merit: 0
|
|
December 01, 2013, 06:25:57 PM |
|
It was pointing to random servers through cloudflare. If you visited the forum and saw it connect through cloudflare, you should scan your computer for viruses.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1008
1davout
|
|
December 02, 2013, 12:16:53 AM |
|
So, what's the story here ? Also : If you were only logged in via the "remember me" feature, then you're OK. No you're not, you want to check your account for changes, payout addresses especially and any other sensitive information that might have been altered without your knowledge.
|
|
|
|
eldentyrell
Donator
Legendary
Offline
Activity: 980
Merit: 1004
felonious vagrancy, personified
|
|
December 02, 2013, 12:49:18 AM |
|
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
Either you remember incorrectly or Theymos is wrong (probably the former). Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair; all they check is that you've pointed your DNS records at cloudflare.
|
The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators. So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
|
|
|
eldentyrell
Donator
Legendary
Offline
Activity: 980
Merit: 1004
felonious vagrancy, personified
|
|
December 02, 2013, 12:51:46 AM |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file: 109.201.133.195 bitcointalk.org
(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.) -----BEGIN PGP SIGNATURE-----
iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R =QYwE -----END PGP SIGNATURE-----
I warned about this EIGHT MONTHS AGO. Oh well, at least bitcointalk is doing something about it (albeit belatedly)… as opposed to pretty much every single exchange, which continues to ignore the problem.
|
The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators. So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
|
|
|
|