Bitcoin Forum
Topic: Cloudflare
gmaxwell (OP)
Staff
December 01, 2013, 12:16:27 PM
 #1

I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

What's the point of having the forum behind SSL when the keys are handed over to a third party?
davout
December 01, 2013, 12:17:55 PM
 #2

Quote
I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

What's the point of having the forum behind SSL when the keys are handed over to a third party?

Don't worry it's safe, they just reinvented SSSS.

cedivad
December 01, 2013, 12:22:35 PM
 #3

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
davout
December 01, 2013, 12:24:24 PM
 #4

Quote
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

This is factually incorrect.
Using cloudflare for anything bitcoin-related is a fucking heresy.
As a matter of fact there is exactly one venue that could use it safely and it's MPEx.

cedivad
December 01, 2013, 12:32:19 PM
 #5

The "Pro" plan seems to allow the use of your certificate, CF should only act as a proxy.

davout
December 01, 2013, 12:35:47 PM
 #6

Quote
The "Pro" plan seems to allow the use of your certificate, CF should only act as a proxy.

Both options are a massive MITM vulnerability.

cedivad
December 01, 2013, 12:44:03 PM
 #7

I don't get it, I've never used CF before for this very reason.
CF has a copy of the certificate of the forum right now? Also, it looks like I'm still connecting to 109.201.133.195, which doesn't go through CF.

gmaxwell (OP)
Staff
December 01, 2013, 12:47:00 PM
 #8

Quote
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

That would be good— any citation? (I did look briefly)
cedivad
December 01, 2013, 01:44:43 PM
 #9

Quote
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.
That would be good— any citation? (I did look briefly)

I did look as well and came out with the conclusion that I misinterpreted his post, as I always misinterpret every post I read...

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.


Kouye
December 01, 2013, 01:56:20 PM
 #10

I'm really baffled that 2 staff members find out about this after it happened.
Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?

[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition!
I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
noellajean
December 01, 2013, 02:15:11 PM
 #11

I'm now having issues connecting to bitcointalk.org

It doesn't load through my internet at home, I've got to get here through my phone. 

Also, for some reason, Safari & Chrome crash when attempting to access this thread through my iPhone.

I had the same issues with btc-e.com for a while. Cloudflare was confusing my ISP and sending me in a redirect loop. It only just got sorted.

*sigh*
tysat
December 01, 2013, 02:58:40 PM
 #12

Quote
I'm really baffled that 2 staff members find out about this after it happened.
Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?

Probably should be.... but it's not.
Queenvio
December 01, 2013, 04:45:53 PM
 #13

I'm not sure if it's because of Cloudflare

But a lot of people from Europe can't connect to the website.


Greetings
theymos
Administrator
December 01, 2013, 06:04:34 PM
 #14

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I didn't order this change. It may just be a miscommunication, but it may also be part of a MITM attack.

The fingerprint of the forum's TLS certificate is:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Has anyone observed a different certificate?
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbehcACgkQxlVWk9q1kefriQEAvOCK5o1Eb45+Yk+3Oib51Xyn
a1GRdw2UqFeqDWeDJ/gA/3agXFUacZhfO0PCW3FW4iRG4I7/agUbl/fQDko8KPHy
=ioA0
-----END PGP SIGNATURE-----

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
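
The comparison asked for in the post above, as an added Python example that is not part of the original thread: it fingerprints whatever leaf certificate a server presents and compares it with the value quoted in the post. It assumes the 20-byte value is a SHA-1 digest of the DER certificate; the function names and the optional `ip` argument (for connecting to one fixed address, as a hosts entry would) are illustrative.

```python
import hashlib
import hmac
import socket
import ssl
import sys
from typing import Optional

# Fingerprint quoted in the post above. Assumption: 20 bytes, so SHA-1 over the DER certificate.
PINNED_SHA1 = "29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B"


def normalize(fp: str) -> bytes:
    """Turn 'AA:BB:..', 'aa bb ..' or bare hex into the raw 20-byte digest."""
    raw = bytes.fromhex(fp.replace(":", "").replace(" ", "").strip())
    if len(raw) != hashlib.sha1().digest_size:
        raise ValueError("expected a 20-byte SHA-1 fingerprint")
    return raw


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-1 of a DER certificate, same form as the post."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der: bytes, pinned: str = PINNED_SHA1) -> bool:
    """True only if the served certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(hashlib.sha1(der).digest(), normalize(pinned))


def fetch_leaf_der(host: str, port: int = 443, ip: Optional[str] = None) -> bytes:
    """Fetch the leaf certificate; `ip` fixes the address while `host` is sent as SNI."""
    # Chain validation is off on purpose: a certificate issued to an intermediary
    # by a trusted CA would validate, so only the fingerprint comparison matters.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip or host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_pin.py HOST [IP]")
    der = fetch_leaf_der(sys.argv[1], ip=sys.argv[2] if len(sys.argv) > 2 else None)
    print(sys.argv[1], sha1_fingerprint(der), "MATCH" if matches_pin(der) else "DIFFERENT")
```

A mismatch only says that a different certificate is being served from your vantage point; a routine renewal produces the same result, so the fingerprint has to be compared against one published through a separate trusted channel, as the signed post does.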
theymos
Administrator
December 01, 2013, 06:09:12 PM
 #15

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file:
109.201.133.195 bitcointalk.org

(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.)
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE
Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R
=QYwE
-----END PGP SIGNATURE-----

Kouye
December 01, 2013, 06:23:57 PM
 #16

Thanks!
Any clue about what happened?

Yazuki
December 01, 2013, 06:25:57 PM
 #17

It was pointing to random servers through cloudflare. If you visited the forum and saw it connect through cloudflare, you should scan your computer for viruses.
davout
December 02, 2013, 12:16:53 AM
 #18

So, what's the story here?

Also:

Quote
If you were only logged in via the "remember me" feature, then you're OK.

No you're not, you want to check your account for changes, payout addresses especially and any other sensitive information that might have been altered without your knowledge.

eldentyrell
December 02, 2013, 12:49:18 AM
 #19

Quote
I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

Either you remember incorrectly or Theymos is wrong (probably the former).

Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair; all they check is that you've pointed your DNS records at cloudflare.

The printing press heralded the end of the Dark Ages and made the Enlightenment possible, but it took another three centuries before any country managed to put freedom of the press beyond the reach of legislators.  So it may take a while before cryptocurrencies are free of the AML-NSA-KYC surveillance plague.
eldentyrell
December 02, 2013, 12:51:46 AM
 #20

Quote
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file:
109.201.133.195 bitcointalk.org

(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.)
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE
Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R
=QYwE
-----END PGP SIGNATURE-----


I warned about this EIGHT MONTHS AGO.

Oh well, at least bitcointalk is doing something about it (albeit belatedly)… as opposed to pretty much every single exchange, which continues to ignore the problem.
