mrb
Legendary
Offline
Activity: 1512
Merit: 1028
|
|
September 13, 2011, 07:41:22 AM |
|
Forging a SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly. However, you still have to accept the change in certificate for the forged-SSL MIM attack to work. Did you log in to MtGox from strange internet connections in shady places? Or did MtGox get their DNS forged as well?
No, a forged cert from DigiNotar would allow to transparently execute a MiTM attack against an end-user, without her seeing any security warning whatsoever. Except in 1 scenario, see below... Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?
...only 1 browser would warn you: Chrome, because Google hard-coded hashes of the public keys for a small number of high-profile websites certificates keys. This is called public key pinning.
|
|
|
|
makomk
|
|
September 13, 2011, 07:47:20 AM |
|
Tux has replaced the missing BTC.
That's unusual. He didn't even do that for people whose accounts were compromised in circumstances suggesting it was due to the password database being extracted by hackers...
|
Quad XC6SLX150 Board: 860 MHash/s or so. SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
|
|
|
DiabloD3 (OP)
Legendary
Offline
Activity: 1162
Merit: 1000
DiabloMiner author
|
|
September 13, 2011, 07:56:49 AM |
|
I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.
Forging a SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly. However, you still have to accept the change in certificate for the forged-SSL MIM attack to work. Did you log in to MtGox from strange internet connections in shady places? Or did MtGox get their DNS forged as well? The problem is you DONT need to accept the cert since its signed by a CA. Thats why this was so dangerous. All you need is someone at Tux's ISP juping the traffic and bam MITM attack and no one is the wiser.
|
|
|
|
DiabloD3 (OP)
Legendary
Offline
Activity: 1162
Merit: 1000
DiabloMiner author
|
|
September 13, 2011, 08:00:31 AM |
|
Forging a SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly. However, you still have to accept the change in certificate for the forged-SSL MIM attack to work. Did you log in to MtGox from strange internet connections in shady places? Or did MtGox get their DNS forged as well?
No, a forged cert from DigiNotar would allow to transparently execute a MiTM attack against an end-user, without her seeing any security warning whatsoever. Except in 1 scenario, see below... Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?
...only 1 browser would warn you: Chrome, because Google hard-coded hashes of the public keys for a small number of high-profile websites certificates keys. This is called public key pinning. Mozilla is considering pinning keys on first site access. So the only way to MITM false certs is during the first access (which makes it same to ssh's flaw on server fingerprint (aka ~/.ssh/known_hosts)). DigiNotar is a clusterfuck, regardless.
|
|
|
|
mrb
Legendary
Offline
Activity: 1512
Merit: 1028
|
|
September 13, 2011, 08:24:45 AM |
|
Mozilla is considering pinning keys on first site access. So the only way to MITM false certs is during the first access (which makes it same to ssh's flaw on server fingerprint (aka ~/.ssh/known_hosts)).
I would love it The only way to provide this sort of pinning with any browser is to delete all trusted CAs before browsing any HTTPS site.
|
|
|
|
nhodges
|
|
September 13, 2011, 08:30:34 AM |
|
It's possible with the recent security lapses at certificate authorities ( a la comodohacker) that someone, for some period of time, was able to do a csrf / mitm attack, no? [Edit: Should have read 3 posts further, I guess I'll leave my original reply, lol.]
|
|
|
|
DiabloD3 (OP)
Legendary
Offline
Activity: 1162
Merit: 1000
DiabloMiner author
|
|
September 13, 2011, 08:32:15 AM |
|
It's possible with the recent security lapses at certificate authorities ( a la comodohacker) that someone, for some period of time, was able to do a csrf / mitm attack, no? This is what I implied earlier. It is, in fact, possible. Just very unlikely.
|
|
|
|
hugolp
Legendary
Offline
Activity: 1148
Merit: 1001
Radix-The Decentralized Finance Protocol
|
|
September 13, 2011, 08:35:41 AM |
|
Sorry if this is a bit offtopic, but does anyone has a propper explanation of what happen at MtGox on Sunday with the ghost trades? The technical explanations Ive heard until now dont seem to make much sense.
|
|
|
|
|
Otoh
Donator
Legendary
Offline
Activity: 3066
Merit: 1164
|
|
September 13, 2011, 09:46:40 AM |
|
Sorry if this is a bit offtopic, but does anyone has a propper explanation of what happen at MtGox on Sunday with the ghost trades? The technical explanations Ive heard until now dont seem to make much sense.
It seems MtGox blocked about 2,000 accounts so that their trades still showed up but were not actually executed, opperating with alededly stolen funds & Bitcoins with the intent to seriously disrupt the market, why wasn't there a MtGox warning that their data was going to be completely off - people make trading decisions based on this What now happens to the funds & Btc now locked down at MtGox, how much is this worth, if they were stolen from MyBitCoin will they be expropriated & returned for additional refund to clients there Far too little information comes out of MtGox about these constant shenanigans - I guess that the OP also gets a free MtGox Yubi key as well as his Btc back
|
|
|
|
hugolp
Legendary
Offline
Activity: 1148
Merit: 1001
Radix-The Decentralized Finance Protocol
|
|
September 13, 2011, 10:01:15 AM |
|
It seems MtGox blocked about 2,000 accounts so that their trades still showed up but were not actually executed, Yes, I read MagicalTux chat explanations. But I think the explanation is lacking. How does a user manage to create an order that does not get executed but still shows in the data? Is this normal at MtGox? Without more information Im guessing it might be a bug more than a hack, but the explanation he has given is lacking (as you already said). opperating with alededly stolen funds & Bitcoins with the intent to seriously disrupt the market, why wasn't there a MtGox warning that their data was going to be completely off - people make trading decisions based on this
What now happens to the funds & Btc now locked down at MtGox, how much is this worth, if they were stolen from MyBitCoin will they be expropriated & returned for additional refund to clients there
Far too little information comes out of MtGox about these constant shenanigans - I guess that the OP also gets a free MtGox Yubi key as well as his Btc back
|
|
|
|
EhVedadoOAnonimato
|
|
September 13, 2011, 10:11:30 AM |
|
The problem is you DONT need to accept the cert since its signed by a CA. Thats why this was so dangerous. All you need is someone at Tux's ISP juping the traffic and bam
It shouldn't be that easy to be in the middle of the traffic like that. Unless you were using Tor or any similar kind of proxy. Were you?
|
|
|
|
|
kripz
|
|
September 13, 2011, 12:43:04 PM |
|
Probably radiation (Fukishima? Cosmic?) effected the ram, flipped a bit and the account ID that was being liquidated happen to be Diablo's (and others in the past since the Fukishima incident).
|
|
|
|
ElectricMucus
Legendary
Offline
Activity: 1666
Merit: 1057
Marketing manager - GO MP
|
|
September 13, 2011, 12:51:32 PM |
|
Probably radiation (Fukishima? Cosmic?) effected the ram, flipped a bit and the account ID that was being liquidated happen to be Diablo's (and others in the past since the Fukishima incident).
Possibly http://xkcd.com/378/
|
|
|
|
BlockHash
|
|
September 13, 2011, 12:52:14 PM |
|
This is exactly what reputable and forthright companies would do.
|
|
|
|
Littleshop
Legendary
Offline
Activity: 1386
Merit: 1004
|
|
September 13, 2011, 12:57:19 PM |
|
-a third party is engaging in a cyberwar against bitcoin using man in the middle attacks.
After a lengthy conversation with MagicTux, unless it does turn up that mtgox has been hacked, neither of us can figure out what happened. Its obviously not me and I didn't fall for a phishing expedition, and Im pretty sure its not on his end. His description of security on the new post-hack mtgox is pretty decent. Its not perfect, but he has gone to great lengths to prevent a repeat. Even if they dumped the password database, the passwords are sufficiently salted and hashed that it is extremely unlikely they grabbed my password first. I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out. DigiNotar knew about the break in for months, and I obviously have logged in since then. Tux has replaced the missing BTC. Asking once again. Do you use a Yubikey on Mt.Gox? As Ive said in the past, I do not believe that they improve security. They do not prevent every kind of attack but they stop entire categories of attacks. You are wrong on this one and should think about it a bit more.
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
September 13, 2011, 03:49:48 PM |
|
Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?
There is a browser plug-in that will do that: Certificate Patrol.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
rotrott
Newbie
Offline
Activity: 47
Merit: 0
|
|
September 13, 2011, 10:48:07 PM |
|
Was this a mtgox session hijack from the forum hack? Were you logged into mtgox when the forum hack occurred?
|
|
|
|
tvbcof
Legendary
Offline
Activity: 4690
Merit: 1276
|
|
September 13, 2011, 11:55:18 PM |
|
Asking once again. Do you use a Yubikey on Mt.Gox?
As Ive said in the past, I do not believe that they improve security. They do not prevent every kind of attack but they stop entire categories of attacks. You are wrong on this one and should think about it a bit more. They stop entire categories of attacks which not everyone is especially prone to. SSO is a nice to have and very worthwhile in a lot of cases, but it introduce yet another layer of expense and complexity. I don't use one at my exchange but I am quite careful about my username, password, access methods, etc. Most importantly, I do consider the funds I have at my exchange to be disposable. I consider the risk from incompetence, dishonesty, and government intervention to put the assets I have at my exchange at risk more than my authentication being compromised. A good number of people would be well advised to NOT follow suite here.
|
sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
|
|
|
|