[DEAD] DeepBit.net PPS+Prop,instant payouts, we pay for INVALID BLOCKS too

[[Tycho]]

What exactly are the benefits of HTTPS?

With HTTPS conection it's harder to intercept the information between browser and server.

[1714898966]

1714898966

[1714898966]

1714898966

[1714898966]

1714898966

[dbitcoin]

Yes, i know about demand for HTTPS. It will be added as soon as i get SSL certificate (a couple of days, i hope).
Sorry for delay.

Sadly with current SSL certificate market and browser behavior, good certificate with "green bar" too expensive fro small project.
Or self-signed or cheap "blue" SSL certificate with fake 99% "browser compatibility" ($10-40/per year).

[[Tycho]]

Sadly with current SSL certificate market and browser behavior, good certificate with "green bar" too expensive fro small project.
Or self-signed or cheap "blue" SSL certificate with fake 99% "browser compatibility" ($10-40/per year).

There are many companies giving SSL certs for free. And those are recognized by most browsers (IE7+).
And this isn't a small project :)

Actually the users who asked for SSL may not trust even the root authorities for 100%. The Comodo was already "hacked" a couple of weeks ago.

[cdhowie]

There are many companies giving SSL certs for free. And those are recognized by most browsers (IE7+).
And this isn't a small project

Actually the users who asked for SSL may not trust even the root authorities for 100%. The Comodo was already "hacked" a couple of weeks ago.

Have you considered CACert?  I use them for my certificates.  They're not trusted by most browsers by default, but it's pretty easy to install the root certs.

[[Tycho]]

Have you considered CACert?  I use them for my certificates.  They're not trusted by most browsers by default, but it's pretty easy to install the root certs.

Thanks for your advice, but if i'm going to support HTTPS, i'd try to get something supported by at least IE7+, if possible :)

[jgarzik]

Related to HTTPS:  I am planning on adding support for HTTP Digest authentication, on top of current HTTP Basic auth.  While not perfect, and SSL is better, this will move community away from sending base64-encoded passwords (easily decoded) frequently over the 'net.

[cdhowie]

Related to HTTPS:  I am planning on adding support for HTTP Digest authentication, on top of current HTTP Basic auth.  While not perfect, and SSL is better, this will move community away from sending base64-encoded passwords (easily decoded) frequently over the 'net.

Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

The main account login should be secured with TLS, since the destination wallet can be changed with that password, but the worst you could do with a worker account password is request/submit work or try to screw around with the pool under someone else's name.  (And the pool operator would readily be able to tell that such requests were coming from another IP anyway.)

[jgarzik]

Related to HTTPS:  I am planning on adding support for HTTP Digest authentication, on top of current HTTP Basic auth.  While not perfect, and SSL is better, this will move community away from sending base64-encoded passwords (easily decoded) frequently over the 'net.

Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

[dbitcoin]

Sadly with current SSL certificate market and browser behavior, good certificate with "green bar" too expensive fro small project.
Or self-signed or cheap "blue" SSL certificate with fake 99% "browser compatibility" ($10-40/per year).

There are many companies giving SSL certs for free. And those are recognized by most browsers (IE7+).
And this isn't a small project
Actually the users who asked for SSL may not trust even the root authorities for 100%. The Comodo was already "hacked" a couple of weeks ago.

You a ready pay something like $400+ per year for complains from such not trusted users?

[dbitcoin]

Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

Such attack easily discovered by IP or if user usually use another miner.

[jgarzik]

Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

Such attack easily discovered by IP or if user usually use another miner.

That does not excuse sending cleartext passwords with every request.  Users have been known to do strange things, like re-use passwords.

Decades of security practice has demonstrated that cleartext passwords should never ever be used.

[electrotime]

Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:

05.04.2011 18:08:56   0h 25m   31955    None
05.04.2011 17:43:09   0h 49m   61789    None
05.04.2011 16:54:08   0h 59m   74549    None
05.04.2011 15:54:58   0h 19m   25210    None
05.04.2011 15:35:16   0h 42m   55033    None
05.04.2011 14:52:19   0h 23m   30346    None
05.04.2011 14:28:50   0h 02m   3113    None
05.04.2011 14:26:23   0h 30m   38431    None
05.04.2011 13:56:16   0h 07m   9308    None
05.04.2011 13:48:45   0h 34m   42825    None
05.04.2011 13:14:34   0h 42m   53102    None
05.04.2011 12:32:13   0h 30m   40124    None
05.04.2011 12:01:24   0h 26m   33833    None
05.04.2011 11:34:37   2h 18m   181196    None
05.04.2011 09:15:50   2h 35m   203520    None
05.04.2011 06:40:35   1h 36m   123378    None
05.04.2011 05:04:08   0h 00m   871    None
05.04.2011 05:03:23   0h 25m   31564    None
05.04.2011 04:37:58   0h 40m   50619    None
05.04.2011 03:57:42   1h 31m   114299    None
05.04.2011 02:26:00   0h 18m   22245    None
05.04.2011 02:07:55   2h 49m   209771    None
04.04.2011 23:18:31   0h 19m   24617    None
04.04.2011 22:58:37   0h 05m   6482    None
04.04.2011 22:53:05   0h 13m   15859    None
04.04.2011 22:39:33   0h 27m   33861    None
04.04.2011 22:11:54   4h 02m   238749    None
04.04.2011 19:14:14   1h 05m   64308    None
04.04.2011 18:09:00   0h 27m   35344    None
04.04.2011 17:41:39   2h 30m   194227    None

How can it be posible? I've been watching the window and it was working, and I've also been checking my gpu temps and my card was at >60º so it was working... what happened here?

[Miner-TE]

Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:

05.04.2011 18:08:56   0h 25m   31955    None
05.04.2011 17:43:09   0h 49m   61789    None
05.04.2011 16:54:08   0h 59m   74549    None
05.04.2011 15:54:58   0h 19m   25210    None
05.04.2011 15:35:16   0h 42m   55033    None
05.04.2011 14:52:19   0h 23m   30346    None
05.04.2011 14:28:50   0h 02m   3113    None
05.04.2011 14:26:23   0h 30m   38431    None
05.04.2011 13:56:16   0h 07m   9308    None
05.04.2011 13:48:45   0h 34m   42825    None
05.04.2011 13:14:34   0h 42m   53102    None
05.04.2011 12:32:13   0h 30m   40124    None
05.04.2011 12:01:24   0h 26m   33833    None
05.04.2011 11:34:37   2h 18m   181196    None
05.04.2011 09:15:50   2h 35m   203520    None
05.04.2011 06:40:35   1h 36m   123378    None
05.04.2011 05:04:08   0h 00m   871    None
05.04.2011 05:03:23   0h 25m   31564    None
05.04.2011 04:37:58   0h 40m   50619    None
05.04.2011 03:57:42   1h 31m   114299    None
05.04.2011 02:26:00   0h 18m   22245    None
05.04.2011 02:07:55   2h 49m   209771    None
04.04.2011 23:18:31   0h 19m   24617    None
04.04.2011 22:58:37   0h 05m   6482    None
04.04.2011 22:53:05   0h 13m   15859    None
04.04.2011 22:39:33   0h 27m   33861    None
04.04.2011 22:11:54   4h 02m   238749    None
04.04.2011 19:14:14   1h 05m   64308    None
04.04.2011 18:09:00   0h 27m   35344    None
04.04.2011 17:41:39   2h 30m   194227    None

How can it be posible? I've been watching the window and it was working, and I've also been checking my gpu temps and my card was at >60º so it was working... what happened here?

Are you set for Pay-Per-Share?   PPS does not show you payout by block, only Proportional.

   

[[Tycho]]

Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:
05.04.2011 18:08:56   0h 25m   31955    None
How can it be posible? I've been watching the window and it was working, and I've also been checking my gpu temps and my card was at >60º so it was working... what happened here? :o

Everything is fine on my side. PM me your login name so i can check your account stats.

What was shown on your account page and in workers table ?

If you are using PPS mode, then there is no "your reward per block", your account balance just increases every hour.

[cdhowie]

This standard was started by bitcoind, and is used outside of pools.

If we are talking about Bitcoin's own RPC mechanism, this should really use TLS anyway, rendering the HTTP auth mechanism irrelevant.  If you're sending requests over the Internet to other bitcoind instances to do things like transfer money, all of the data should be secured.

Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

Please read my original post again.  It's clear that you skipped some parts.

That does not excuse sending cleartext passwords with every request.  Users have been known to do strange things, like re-use passwords.

Decades of security practice has demonstrated that cleartext passwords should never ever be used.

I'm not disputing that, only indicating that there are perfectly reasonable workarounds that exist already, and that any security-conscious user would already be using them.  Besides, digest-mode authentication is really like using a band-aid on a severed limb.  If we're going to spend energy securing the protocol, how about we do it right?

[jgarzik]

...because not all users will or can use HTTPS, rendering most of those points moot.

[cdhowie]

If we are talking about Bitcoin's own RPC mechanism, this should really use TLS anyway, rendering the HTTP auth mechanism irrelevant.  If you're sending requests over the Internet to other bitcoind instances to do things like transfer money, all of the data should be secured.

To elaborate on this a bit: suppose that Mallory does have the ability to intercept Alice's traffic.  Using basic auth, Mallory can extract Alice's username and password, then send his own requests to her bitcoind and do stuff.  He may also be able to authenticate using Alice's credentials to other services (email, etc.).

Using digest auth, Mallory cannot easily extract Alice's username and password, but if Mallory has the ability to intercept traffic he probably has the ability to alter it as well.  He can then execute a MITM attack, change Alice's request payload, and transfer money to himself, possibly even return a response back to Alice that looks like a reasonable response to her original request so that she is not immediately aware of the attack.  Mallory can't try to authenticate using Alice's unknown-to-him credentials elsewhere, but he now has a fair amount of control over her bitcoind.  This is a slightly better scenario, but only marginally.

Using TLS, Mallory would have to compromise Alice's bitcoind private key (or trick Alice into using a forged certificate) in order for any such attacks to be possible.

[cdhowie]

...because not all users will or can use HTTPS, rendering most of those points moot.

Nobody could use TLS before TLS was invented, either.  It's a good thing people didn't give up on creating it.

[jgarzik]

Using encryption is better than not using encryption.  Thanks for that news flash.

[[Tycho]]

User who cares about securuty would use separate password for workers.
Worker processing and JSON API doesn't allow attacker to steal user's money or account. There is no function to change user's bitcoin address with worker password or api token. Someone may even use random password for main account and never use it again to prevent it's interception :))