Bitcoin Forum
December 06, 2016, 06:21:07 PM *
Topic: [DEAD] DeepBit.net PPS+Prop,instant payouts, we pay for INVALID BLOCKS too
[Tycho]
April 05, 2011, 02:35:45 PM
 #621

What exactly are the benefits of HTTPS?
With an HTTPS connection it's harder to intercept the information between browser and server.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
dbitcoin
April 05, 2011, 03:20:42 PM
 #622

Yes, I know about the demand for HTTPS. It will be added as soon as I get an SSL certificate (a couple of days, I hope).
Sorry for the delay.

Sadly, with the current SSL certificate market and browser behavior, a good certificate with a "green bar" is too expensive for a small project.
Or it's a self-signed or cheap "blue" SSL certificate with fake 99% "browser compatibility" ($10-40 per year).

BTCDig - mining pool (Stratum, VarDiff, DGM, SSL, JSON API)
[Tycho]
April 05, 2011, 03:42:37 PM
 #623

Sadly, with the current SSL certificate market and browser behavior, a good certificate with a "green bar" is too expensive for a small project.
Or it's a self-signed or cheap "blue" SSL certificate with fake 99% "browser compatibility" ($10-40 per year).
There are many companies giving SSL certs for free. And those are recognized by most browsers (IE7+).
And this isn't a small project :)

Actually the users who asked for SSL may not trust even the root authorities 100%. Comodo was already "hacked" a couple of weeks ago.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
cdhowie
April 05, 2011, 04:14:44 PM
 #624

There are many companies giving SSL certs for free. And those are recognized by most browsers (IE7+).
And this isn't a small project :)

Actually the users who asked for SSL may not trust even the root authorities 100%. Comodo was already "hacked" a couple of weeks ago.
Have you considered CACert?  I use them for my certificates.  They're not trusted by most browsers by default, but it's pretty easy to install the root certs.

Tips are always welcome and can be sent to 1CZ8QgBWZSV3nLLqRk2BD3B4qDbpWAEDCZ

Thanks to ye, we have the final piece.

PGP key fingerprint: 2B7A B280 8B12 21CC 260A  DF65 6FCE 505A CF83 38F5

SerajewelKS @ #bitcoin-otc
[Tycho]
April 05, 2011, 04:19:35 PM
 #625

Have you considered CACert?  I use them for my certificates.  They're not trusted by most browsers by default, but it's pretty easy to install the root certs.
Thanks for your advice, but if I'm going to support HTTPS, I'd try to get something supported by at least IE7+, if possible :)

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
jgarzik
April 05, 2011, 06:03:52 PM
 #626

Related to HTTPS:  I am planning on adding support for HTTP Digest authentication, on top of current HTTP Basic auth.  While not perfect, and SSL is better, this will move the community away from sending base64-encoded passwords (easily decoded) frequently over the 'net.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
cdhowie
April 05, 2011, 06:09:05 PM
 #627

Related to HTTPS:  I am planning on adding support for HTTP Digest authentication, on top of current HTTP Basic auth.  While not perfect, and SSL is better, this will move the community away from sending base64-encoded passwords (easily decoded) frequently over the 'net.
Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

The main account login should be secured with TLS, since the destination wallet can be changed with that password, but the worst you could do with a worker account password is request/submit work or try to screw around with the pool under someone else's name.  (And the pool operator would readily be able to tell that such requests were coming from another IP anyway.)

Tips are always welcome and can be sent to 1CZ8QgBWZSV3nLLqRk2BD3B4qDbpWAEDCZ

Thanks to ye, we have the final piece.

PGP key fingerprint: 2B7A B280 8B12 21CC 260A  DF65 6FCE 505A CF83 38F5

SerajewelKS @ #bitcoin-otc
jgarzik
April 05, 2011, 06:11:42 PM
 #628

Related to HTTPS:  I am planning on adding support for HTTP Digest authentication, on top of current HTTP Basic auth.  While not perfect, and SSL is better, this will move the community away from sending base64-encoded passwords (easily decoded) frequently over the 'net.
Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
dbitcoin
April 05, 2011, 06:15:50 PM
 #629

Sadly, with the current SSL certificate market and browser behavior, a good certificate with a "green bar" is too expensive for a small project.
Or it's a self-signed or cheap "blue" SSL certificate with fake 99% "browser compatibility" ($10-40 per year).
There are many companies giving SSL certs for free. And those are recognized by most browsers (IE7+).
And this isn't a small project :)
Actually the users who asked for SSL may not trust even the root authorities 100%. Comodo was already "hacked" a couple of weeks ago.
Are you ready to pay something like $400+ per year for complaints from such non-trusting users? :)

BTCDig - mining pool (Stratum, VarDiff, DGM, SSL, JSON API)
dbitcoin
April 05, 2011, 06:18:08 PM
 #630

Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

Such an attack is easily discovered by IP, or if the user usually uses another miner.

BTCDig - mining pool (Stratum, VarDiff, DGM, SSL, JSON API)
jgarzik
April 05, 2011, 06:57:52 PM
 #631

Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

Such an attack is easily discovered by IP, or if the user usually uses another miner.

That does not excuse sending cleartext passwords with every request.  Users have been known to do strange things, like re-use passwords.

Decades of security practice have demonstrated that cleartext passwords should never ever be used.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
electrotime
April 05, 2011, 07:21:42 PM
 #632

Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:

05.04.2011 18:08:56   0h 25m   31955    None
05.04.2011 17:43:09   0h 49m   61789    None
05.04.2011 16:54:08   0h 59m   74549    None
05.04.2011 15:54:58   0h 19m   25210    None
05.04.2011 15:35:16   0h 42m   55033    None
05.04.2011 14:52:19   0h 23m   30346    None
05.04.2011 14:28:50   0h 02m   3113    None
05.04.2011 14:26:23   0h 30m   38431    None
05.04.2011 13:56:16   0h 07m   9308    None
05.04.2011 13:48:45   0h 34m   42825    None
05.04.2011 13:14:34   0h 42m   53102    None
05.04.2011 12:32:13   0h 30m   40124    None
05.04.2011 12:01:24   0h 26m   33833    None
05.04.2011 11:34:37   2h 18m   181196    None
05.04.2011 09:15:50   2h 35m   203520    None
05.04.2011 06:40:35   1h 36m   123378    None
05.04.2011 05:04:08   0h 00m   871    None
05.04.2011 05:03:23   0h 25m   31564    None
05.04.2011 04:37:58   0h 40m   50619    None
05.04.2011 03:57:42   1h 31m   114299    None
05.04.2011 02:26:00   0h 18m   22245    None
05.04.2011 02:07:55   2h 49m   209771    None
04.04.2011 23:18:31   0h 19m   24617    None
04.04.2011 22:58:37   0h 05m   6482    None
04.04.2011 22:53:05   0h 13m   15859    None
04.04.2011 22:39:33   0h 27m   33861    None
04.04.2011 22:11:54   4h 02m   238749    None
04.04.2011 19:14:14   1h 05m   64308    None
04.04.2011 18:09:00   0h 27m   35344    None
04.04.2011 17:41:39   2h 30m   194227    None

How can it be possible? I've been watching the window and it was working, and I've also been checking my GPU temps and my card was at >60º so it was working... what happened here? :o

If my information has helped you, any donation is welcome => 17jvU48o4k2ypZNfspinvy1fPBxePs1aY5 <= Thanks.
Miner-TE
April 05, 2011, 07:34:05 PM
 #633

Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:

How can it be possible? I've been watching the window and it was working, and I've also been checking my GPU temps and my card was at >60º so it was working... what happened here? :o

Are you set for Pay-Per-Share?   PPS does not show you payout by block, only Proportional.

   

BTC - 1PeMMYGn7xbZjUYeaWe9ct1VV6szLS1vkD - LTC - LbtcJRJJQQBjZuHr6Wm7vtB9RnnWtRNYpq
[Tycho]
April 05, 2011, 07:35:14 PM
 #634

Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:
05.04.2011 18:08:56   0h 25m   31955    None
How can it be possible? I've been watching the window and it was working, and I've also been checking my GPU temps and my card was at >60º so it was working... what happened here? :o
Everything is fine on my side. PM me your login name so I can check your account stats.

What was shown on your account page and in the workers table?

If you are using PPS mode, then there is no "your reward per block", your account balance just increases every hour.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
cdhowie
April 05, 2011, 07:58:09 PM
 #635

This standard was started by bitcoind, and is used outside of pools.
If we are talking about Bitcoin's own RPC mechanism, this should really use TLS anyway, rendering the HTTP auth mechanism irrelevant.  If you're sending requests over the Internet to other bitcoind instances to do things like transfer money, all of the data should be secured.

Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.
Please read my original post again.  It's clear that you skipped some parts.

That does not excuse sending cleartext passwords with every request.  Users have been known to do strange things, like re-use passwords.

Decades of security practice have demonstrated that cleartext passwords should never ever be used.
I'm not disputing that, only indicating that there are perfectly reasonable workarounds that exist already, and that any security-conscious user would already be using them.  Besides, digest-mode authentication is really like using a band-aid on a severed limb.  If we're going to spend energy securing the protocol, how about we do it right?

Tips are always welcome and can be sent to 1CZ8QgBWZSV3nLLqRk2BD3B4qDbpWAEDCZ

Thanks to ye, we have the final piece.

PGP key fingerprint: 2B7A B280 8B12 21CC 260A  DF65 6FCE 505A CF83 38F5

SerajewelKS @ #bitcoin-otc
jgarzik
April 05, 2011, 08:01:32 PM
 #636

...because not all users will or can use HTTPS, rendering most of those points moot.

Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
cdhowie
April 05, 2011, 08:04:37 PM
 #637

If we are talking about Bitcoin's own RPC mechanism, this should really use TLS anyway, rendering the HTTP auth mechanism irrelevant.  If you're sending requests over the Internet to other bitcoind instances to do things like transfer money, all of the data should be secured.
To elaborate on this a bit: suppose that Mallory does have the ability to intercept Alice's traffic.  Using basic auth, Mallory can extract Alice's username and password, then send his own requests to her bitcoind and do stuff.  He may also be able to authenticate using Alice's credentials to other services (email, etc.).

Using digest auth, Mallory cannot easily extract Alice's username and password, but if Mallory has the ability to intercept traffic he probably has the ability to alter it as well.  He can then execute a MITM attack, change Alice's request payload, and transfer money to himself, possibly even return a response back to Alice that looks like a reasonable response to her original request so that she is not immediately aware of the attack.  Mallory can't try to authenticate using Alice's unknown-to-him credentials elsewhere, but he now has a fair amount of control over her bitcoind.  This is a slightly better scenario, but only marginally.

Using TLS, Mallory would have to compromise Alice's bitcoind private key (or trick Alice into using a forged certificate) in order for any such attacks to be possible.

Tips are always welcome and can be sent to 1CZ8QgBWZSV3nLLqRk2BD3B4qDbpWAEDCZ

Thanks to ye, we have the final piece.

PGP key fingerprint: 2B7A B280 8B12 21CC 260A  DF65 6FCE 505A CF83 38F5

SerajewelKS @ #bitcoin-otc
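
Added example, not part of any post in this thread: the Basic versus Digest comparison from posts #626 and #637, written in Python. The credentials, nonce values and request bodies are constructed, and the digest computation follows RFC 2617.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none of them come from the thread.
USER, PASSWORD, REALM = "alice", "s3cret-rpc-pass", "jsonrpc"
METHOD, URI = "POST", "/"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e", "00000001", "0a4f113b"
ORIGINAL_BODY = '{"method": "getwork", "params": [], "id": 1}'
ALTERED_BODY = '{"method": "getwork", "params": ["changed-in-transit"], "id": 1}'


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Authorization value for HTTP Basic: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic_credentials(header: str) -> tuple:
    """What any reader of the request obtains: base64 is an encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(password: str, body: str, qop: str) -> str:
    """RFC 2617 'response' value. The body is hashed only when qop is auth-int."""
    ha1 = md5_hex(f"{USER}:{REALM}:{password}")
    if qop == "auth-int":
        ha2 = md5_hex(f"{METHOD}:{URI}:{md5_hex(body)}")
    else:  # qop == "auth": method and URI only
        ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:{qop}:{ha2}")


def server_accepts(response: str, received_body: str, qop: str) -> bool:
    """Server-side check: recompute from the stored password and the body that arrived."""
    expected = digest_response(PASSWORD, received_body, qop)
    return hmac.compare_digest(response, expected)


def compare_schemes() -> dict:
    sent_auth = digest_response(PASSWORD, ORIGINAL_BODY, "auth")
    sent_int = digest_response(PASSWORD, ORIGINAL_BODY, "auth-int")
    return {
        "basic_recovered": recover_basic_credentials(basic_header(USER, PASSWORD)),
        "auth_altered_body_accepted": server_accepts(sent_auth, ALTERED_BODY, "auth"),
        "auth_int_original_accepted": server_accepts(sent_int, ORIGINAL_BODY, "auth-int"),
        "auth_int_altered_body_accepted": server_accepts(sent_int, ALTERED_BODY, "auth-int"),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

With `qop=auth` the server's check passes for a body the client never sent; `auth-int` ties the body to the response, but the request and reply stay readable on the wire, which is the gap TLS covers in post #637.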
cdhowie
April 05, 2011, 08:05:48 PM
 #638

...because not all users will or can use HTTPS, rendering most of those points moot.
Nobody could use TLS before TLS was invented, either.  It's a good thing people didn't give up on creating it.

Tips are always welcome and can be sent to 1CZ8QgBWZSV3nLLqRk2BD3B4qDbpWAEDCZ

Thanks to ye, we have the final piece.

PGP key fingerprint: 2B7A B280 8B12 21CC 260A  DF65 6FCE 505A CF83 38F5

SerajewelKS @ #bitcoin-otc
jgarzik
April 05, 2011, 08:11:32 PM
 #639

Using encryption is better than not using encryption.  Thanks for that news flash.

Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
[Tycho]
April 05, 2011, 08:15:00 PM
 #640

A user who cares about security would use a separate password for workers.
Worker processing and the JSON API don't allow an attacker to steal a user's money or account. There is no function to change a user's bitcoin address with a worker password or API token. Someone may even use a random password for the main account and never use it again to prevent its interception :))

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.