Bitcoin Forum
December 15, 2019, 08:24:04 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3]  All
  Print  
Author Topic: Cloudflare  (Read 14838 times)
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 02, 2013, 05:33:00 PM
 #41

What's not to like?

The fact that my cert sits AES encrypted on my production servers, in clear in its RAM and nowhere else.
In the security/convenience trade-off I'd rather get DDoS'd from time to time than to get MITM'd permanently.

EDIT : Assuming of course that the service doesn't work simply by looking at the encrypted traffic flow, in which case you can obviously disregard the previous comment :-)

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
turtle83
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


Supersonic


View Profile WWW
December 02, 2013, 09:04:35 PM
 #42

I see the forum uses HSTS
Code:
Strict-Transport-Security: max-age=3000000

If im not mistaken, there are some certificate pinning features available which tells the (modern) browsers to trust only the current certificate(or public key) for a predefined time... If thats implemented, trying to pull off a similar MiTM would probably result in some sort of warning... Not sure the status of this extension..

TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
December 02, 2013, 09:19:33 PM
 #43

Just gotta make sure you remember to renew the certificate in time though; false positives can be almost just as bad as failing to notice an attack.

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
Roy Badami
Hero Member
*****
Offline Offline

Activity: 564
Merit: 500


View Profile
December 02, 2013, 10:12:48 PM
 #44

The Certificate Patrol plug-in for Firefox looks interesting - it's supposed to tell you whenever a site's cert changes. https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

I've only just installed it, so I'm not sure how well it works in practice - but judging by the screenshots it looks like it saves the cert of every site you visit (not just a fingerprint) so that on detecting a changed certificate you can actually view both the old and new certs.

Of course, it's not that useful because in reality you often don't have enough information to determine if it's a legitimate change or not.

roy
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 500



View Profile
December 02, 2013, 11:32:12 PM
 #45

The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

I can't readily grasp the confusion of ideas and general brokenness of a brain that farts this proposition, to implement something known to be dysfunctional. Let's prolong the life of a broken piece of crap that should never have existed in the first place and in any event should have died long ago. Let's continuate as much of the stupidity of the old world as humanly possible.

Roughly equivalent, let's put three ounces of dog shit inside the car's tire, because there's no clear mechanism through which food would be contaminated by this, and therefore why not. So there you have the power rangers, on their hands and knees in a parking lot somewhere, huddled around this old rusty clunker of a car missing one door, stuffing dog shit through the air intake.

If this is the sort of ideas you'd entertain it's at least understandable why you wouldn't see what the problem is with them.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
tvbcof
Legendary
*
Offline Offline

Activity: 3038
Merit: 1052


View Profile
December 03, 2013, 01:19:27 AM
 #46

watching.  (sorry.)

BitcoinFX
Legendary
*
Offline Offline

Activity: 1988
Merit: 1234


youtu.be/7oLdYay0PnE ... hahaha! FU (c)D(c) CSW


View Profile WWW
December 03, 2013, 02:13:55 AM
 #47

I've only just installed it, so I'm not sure how well it works in practice - but judging by the screenshots it looks like it saves the cert of every site you visit (not just a fingerprint) so that on detecting a changed certificate you can actually view both the old and new certs.
It works very well. It's one of the few ways to make HTTPS suck less.

https://www.youtube.com/watch?v=pDmj_xe7EIQ

http://convergence.io/

...

I'd go with customizing ModSecurity: http://www.modsecurity.org/ if you have the 'money' and the time.

I use CloudFlare on my USA proxy websites, but I don't use it for SSL and choose to keep the https on a sub-domain.

https://wikipedia.org/wiki/CloudFlare

"On February 13, 2013, a comparative penetration testing analysis report was published by Zero Science Lab, showing that ModSecurity is more effective than CloudFlare and Incapsula. In fact, out of the three, CloudFlare was the least effective."

Bitcoin without polity !?! | Get a Gapcoin slice of Mathematically constant π + new world record and attempt ongoing! | "The industry of the integrated spectacle and immaterial command owes me (us all) money." | We do not Forgive. We do not Forget. Expect Revolution Renaissance! for we are all Satoshi now? | Vision does not = Prescient | "the multiple and the multiplex!" | HODL BTC and/or buy Pizza's | Read the first chapter ... | P.S. "I Eye love found you!" 456 | Mostly harmless ... 42 | "INSERT COIN" break blocks!
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2898
Merit: 2865



View Profile
December 03, 2013, 04:41:56 AM
 #48

Extended validation costs more, but it's worth much more.
My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1002


1davout


View Profile WWW
December 03, 2013, 07:57:23 AM
 #49

My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.

Any kind of shell company will be just fine.

TiagoTiago
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Firstbits.com/1fg4i :)


View Profile
December 03, 2013, 01:34:00 PM
 #50

watching.  (sorry.)
Click the watch and the notify links at the top or bottom of the thread...

(I dont always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX Smiley

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
phelix
Legendary
*
Offline Offline

Activity: 1708
Merit: 1005


nmc:id/phelix


View Profile
December 03, 2013, 07:53:31 PM
 #51

The CA system sucks in general.
It would be nice if you could add bitcointalk.bit as an external domain so that it can be used as a backup. Of course I would be happy to send you the name.

Also I added the forum fingerprint so Namecoin TLS should work with the Namecoin TLS firefox plugin - authorized, encrypted, decentralized.  Grin

blockchained.com ■ bitcointalk top posts
wtogami
Sr. Member
****
Offline Offline

Activity: 263
Merit: 250



View Profile
December 03, 2013, 08:25:04 PM
 #52

I jokingly suggested that theymos sell personal openvpn certs for paranoid users to access BitcoinTalk without any reliance on SSL.  He's considering it.

If you appreciate my work please consider making a small donation.
BTC:  1LkYiL3RaouKXTUhGcE84XLece31JjnLc3      LTC:  LYtrtYZsVSn5ymhPepcJMo4HnBeeXXVKW9
GPG: AEC1884398647C47413C1C3FB1179EB7347DC10D
tvbcof
Legendary
*
Offline Offline

Activity: 3038
Merit: 1052


View Profile
December 03, 2013, 08:26:27 PM
 #53

watching.  (sorry.)
Click the watch and the notify links at the top or bottom of the thread...

Off-topic for this thread, but on-topic for this board:

I want it on my 'new replies to your posts' list.  I don't want it on my 'watchlist', and I certainly don't want to get spammed via e-mail.  It would be nice if there were a toggle such that the flag could be added without making a post...and especially subtracted if one had made a post.


Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!