Ferroh (OP)
Member
Offline
Activity: 111
Merit: 100
|
|
February 17, 2012, 03:29:35 PM |
|
https://blockchain.info/wallet/yubikey
How is this possible? Don't they need both the MtGox AES key and the user's AES key for the Yubikey in order to make this work?
|
|
|
|
schnell
|
|
February 17, 2012, 03:38:51 PM |
|
I know the mtgox yubis are different, but they must have support in the api. Not that I would ever use mtgox.
|
|
|
|
Lord F(r)og
Donator
Sr. Member
Offline
Activity: 477
Merit: 250
|
|
February 17, 2012, 04:11:41 PM Last edit: February 17, 2012, 04:32:51 PM by Lord Fog |
|
maybe they work together with mtgox? with your auth at yubi activation you verify some sort of public key? would be interesting if so. if totally erroneous: please, not in the face
|
|
|
|
makomk
|
|
February 17, 2012, 06:02:11 PM |
|
Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account and according to the MtGox TOS you'll be liable for any losses that result from this. (In fact, that's quite likely to be how they do it. The other possibility is that they only bother checking the static bits of the Yubikey authentication string, which they can do without knowing the secret embedded in it but which doesn't add any security.)
|
Quad XC6SLX150 Board: 860 MHash/s or so. SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
February 17, 2012, 06:16:03 PM |
|
Quote from makomk:
"Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account and according to the MtGox TOS you'll be liable for any losses that result from this. (In fact, that's quite likely to be how they do it. The other possibility is that they only bother checking the static bits of the Yubikey authentication string, which they can do without knowing the secret embedded in it but which doesn't add any security.)"
Not without your password.
|
|
|
|
piuk
|
|
February 17, 2012, 06:39:52 PM |
|
We only check the yubikey public identifier. You get 16 bytes of extra entropy added to your password, but not full OTP validation. Line 1316: https://github.com/zootreeves/blockchain.info/blob/master/WalletServlet.java
Quote from makomk:
"Oh dear. If you use your MtGox Yubikey on there you're effectively giving them the ability to log in to your MtGox account."
This is absolutely not true.
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
June 28, 2012, 12:44:27 AM |
|
You would definitely be giving the operator of any keylogger on your machine access to your MtGox account, as instead of having a one time password that's "in the air" for only a fraction of a second while you watch and confirm it gets consumed, you would be giving him a one time password that he can use at his own leisure and out of your sight.
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
Raize
Donator
Legendary
Offline
Activity: 1419
Merit: 1015
|
|
June 29, 2012, 06:52:04 PM |
|
Unless blockchain.info has some way to "burn" the key usage with MtGox, right? Do you? I actually just came to the forums after looking at the options to ask the exact same question as the OP. This might not be a good option to keep active, piuk, though I do think it's pretty ingenuitive of a process.
|
|
|
|
piuk
|
|
June 30, 2012, 11:05:09 AM |
|
Has anyone tested this? Login with an Mt.Gox Yubikey at blockchain then re-use the same OTP again at Mt.Gox. If Mt.Gox use the yubico server it may well be invalidated.
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
July 01, 2012, 03:58:14 AM |
|
My understanding from discussing with them is that they don't use the Yubico server. Rather, they use a feature of the key (documented in its manual) that allows you to replace the AES keys with your own. Once that's done, the key can only be used with whatever knows the AES keys you put in.
The key has two memory slots: one for pressing the button briefly, and one for holding it down for several seconds.
MtGox programs slot #1 with one key that is used for logging in. They have this slot programmed to press Enter after spitting out the encrypted string.
MtGox programs slot #2 with a different key for withdraw. This one does not press Enter. Presumably these are options that are set by MtGox at the time they set up the key.
Because MtGox issues the keys themselves and clearly indicate they cannot be used with Yubico, it's a pretty sure bet that they are reprogramming it themselves and not using a Yubico service.
|
|
|
|
Raize
Donator
Legendary
Offline
Activity: 1419
Merit: 1015
|
|
July 01, 2012, 05:35:31 AM |
|
I just tested it, it worked. Two keys were used, and then I subsequently went to MtGox and used them to log in.
Understandably, however, there are a number of caveats to this. First, someone has to have a keylogger on your system, and if they have a keylogger, they probably don't have to do much more to get access to your local wallet than wait for you to use it. Additionally, they could use your already established connection to MtGox to steal coin that way as well.
But I am still a little worried that people using their MtGox Yubikeys here might not understand that they are taking *some* risk, even if it isn't a HUGE one. Google Authenticator is working fine for me, so I intend to keep using that.
EDIT: Like piuk says, you are not sending anything to blockchain.info by using this. The only threat is a local one.
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
August 06, 2012, 01:18:16 PM |
|
Bugger. I was hoping that MagicalTux had actually given them access to his validation server, but this is less than ideal.
|
|
|
|
matthewh3
Legendary
Offline
Activity: 1372
Merit: 1003
|
|
October 27, 2012, 03:13:43 PM Last edit: October 27, 2012, 03:57:58 PM by matthewh3 |
|
Does this key-logger threat still apply to standard Yubikeys on this wallet service? Also can you use the standard Yubikey safely on more than one wallet or on other websites?
Edit: And does using a Yubikey protect your wallet backups stored online?
|
|
|
|
niko
|
|
October 27, 2012, 03:36:42 PM |
|
Using MtGox yubi anywhere but on MtGox login page generates OTPs that MtGox hasn't seen yet. Anyone with a keylogger running on your machine can reuse any of these OTPs on MtGox. Anything that was generated after your last legitimate login to MtGox will work for the next login. Therefore, do not use your MtGox yubi anywhere else (including playing in Notepad), unless that other party has some kind of official deal with MtGox to burn OTPs after use (to increase the counter).
|
They're there, in their room. Your mining rig is on fire, yet you're very calm.
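An added example, not part of any post above and not blockchain.info's or MtGox's code: it contrasts the identifier-only check piuk describes with the counter-based rejection ("burning") that niko's post relies on. It assumes the standard Yubico OTP layout (a static modhex prefix followed by 32 modhex characters of AES-encrypted data); the function names, sample strings and counter values are constructed, and AES decryption is left out.

```python
# Added illustration (not blockchain.info or MtGox code). AES decryption of the
# 32-character dynamic part is assumed to happen elsewhere; the validator below
# receives the already-decrypted (usage_counter, session_counter) pair.
MODHEX = set("cbdefghijklnrtuv")

def split_otp(otp):
    """Split a Yubico-format OTP into (public_id, encrypted_part)."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 64 or not set(otp) <= MODHEX:
        raise ValueError("not a modhex OTP")
    return otp[:-32], otp[-32:]

def identifier_only_check(otp, enrolled_id):
    """Compares the static prefix only; the dynamic part is never examined."""
    return split_otp(otp)[0] == enrolled_id

class CounterValidator:
    """Replay protection via a per-key high-water mark of the last counter seen."""
    def __init__(self):
        self.last_seen = {}

    def validate(self, public_id, counter):
        if counter <= self.last_seen.get(public_id, (-1, -1)):
            return False  # already burned, or older than something burned
        self.last_seen[public_id] = counter
        return True

# Constructed sample values, not real tokens.
KEY_ID = "cccccccbdefg"
OTP_A = KEY_ID + "bcdefghijklnrtuv" * 2
OTP_B = KEY_ID + "vutrnlkjihgfedcb" * 2

def demo():
    results = {}
    # Identifier-only: any string carrying the right prefix passes, every time.
    results["static"] = [identifier_only_check(o, KEY_ID) for o in (OTP_A, OTP_B, OTP_A)]
    issuer = CounterValidator()
    results["login"] = issuer.validate(KEY_ID, (4, 0))         # last legitimate login
    # Presses (5,0) and (6,0) were typed into another site; the issuer never saw them.
    results["unseen_later"] = issuer.validate(KEY_ID, (6, 0))  # still acceptable
    results["older"] = issuer.validate(KEY_ID, (5, 0))         # burned by (6,0)
    results["replay"] = issuer.validate(KEY_ID, (6, 0))        # exact replay
    return results

if __name__ == "__main__":
    print(demo())
```

The identifier-only check accepts a repeated string because it keeps no state, while the counter validator rejects anything at or below the highest counter it has accepted for that key.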
|
|
|
|