Cloudflare

[gmaxwell]

I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

Whats the point of having the forum behind SSL when the keys are handed over to a third party?

[davout]

I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

Whats the point of having the forum behind SSL when the keys are handed over to a third party?

Don't worry it's safe, they just reinvented SSSS.

[cedivad]

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

[davout]

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

This is factually incorrect.
Using cloudflare for anything bitcoin-related is a fucking heresy.
As a matter of fact there is exactly one venue that could use it safely and it's MPEx.

[cedivad]

The "Pro" plan seems like to allow the use of your certificate, CF should only act as a proxy.

[davout]

The "Pro" plan seems like to allow the use of your certificate, CF should only act as a proxy.

Both options are a massive MITM vulnerability.

[cedivad]

I don't get it, i've never used CF before for this very reason.
CF has a copy of the certificate of the forum right now? Also, it looks like that i'm still connecting to 109.201.133.195, that doesn't go trough CF.

[gmaxwell]

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

That would be good— any citation? (I did look briefly)

[cedivad]

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

That would be good— any citation? (I did look briefly)

I did look as well and came out with the conclusion that i misinterpret his post, as i always misinterpret every post i read...

Geotrust doesn't have access to the private key. They're a CA. They sign public keys. Any widely-trusted CA can replace a certificate signed by any other CA, so using a more expensive CA is pointless. But unlike Cloudflare, a CA can't retroactively decrypt encrypted traffic, and it's possible for users to notice a certificate change if they pay close attention.

[Kouye]

I'm really baffled that 2 staff members find out about this after it happened.
Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?

[noellajean]

I'm now having issues connecting to bitcointalk.org

It doesn't load through my internet at home, I've got to get here through my phone. 

Also, for some reason, safari & chrome crash when attempting to access this thread through my iphone.

I had the same issues with btc-e.com for a whiled.  cloudflare was confusing my ISP and sending me in a redirect loop.  It only just got sorted.

*sigh*

[tysat]

I'm really baffled that 2 staff members find out about this after it happened.
Shouldn't this be discussed beforehand, and if not announced publicly (which it should), at least announced to staff members?

Probably should be.... but it's not.

[Queenvio]

I'm not sure if its because cloudflare

But a lot of people from europe cant connect to the website.


Greetings

[theymos]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I didn't order this change. It may just be a miscommunication, but it may also be part of a MITM attack.

The fingerprint of the forum's TLS certificate is:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Has anyone observed a different certificate?
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbehcACgkQxlVWk9q1kefriQEAvOCK5o1Eb45+Yk+3Oib51Xyn
a1GRdw2UqFeqDWeDJ/gA/3agXFUacZhfO0PCW3FW4iRG4I7/agUbl/fQDko8KPHy
=ioA0
-----END PGP SIGNATURE-----

[theymos]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file:
109.201.133.195 bitcointalk.org

(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.)
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE
Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R
=QYwE
-----END PGP SIGNATURE-----

[Kouye]

Thanks!
Any clue about what happened?

[Yazuki]

It was pointing to random servers through cloudflare. If you visited the forum and saw it connect through cloudflare, you should scan your computer for viruses.

[davout]

So, what's the story here ?

Also :

If you were only logged in via the "remember me" feature, then you're OK.

No you're not, you want to check your account for changes, payout addresses especially and any other sensitive information that might have been altered without your knowledge.

[eldentyrell]

I remember theymos writing that the third party can't read the content, and the SSL connection to the server is still protected.

Either you remember incorrectly or Theymos is wrong (probably the former).

Cloudflare talked a major CA into issuing a certificate for any domain with a cloudflare-generated keypair; all they check is that you've pointed your DNS records at cloudflare.

[eldentyrell]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is being undone. It'll take 24 hours for the changes to propagate. Downtime may occur. Even if the forum is not down for you, I recommend adding this to your hosts file:
109.201.133.195 bitcointalk.org

(Make sure to remove it in a few weeks, though, or else the forum will go down for you next time we change IPs.)
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKbexcACgkQxlVWk9q1kedVmgD+Jd4c22Bpur9IPTdba8hK78lE
Ht2LBa+EXWNyAQ5JdesA/2nq7nps7SGm8zGqJUrUXtyNutcfVClUMl4VwHg1WZ9R
=QYwE
-----END PGP SIGNATURE-----

I warned about this EIGHT MONTHS AGO.

Oh well, at least bitcointalk is doing something about it (albeit belatedly)… as opposed to pretty much every single exchange, which continues to ignore the problem.