Bitcoin Forum
Author Topic: anyone publishing bitcoin address on a web site. use ssl!  (Read 1676 times)
asdf
April 28, 2011, 10:29:56 AM
 #1

I've noticed some web sites are publishing addresses on their sites for donations, etc. over unencrypted connections. I thought I'd point out, to anyone who doesn't realise it, that you are vulnerable to man in the middle attacks.

Any MITM can rewrite your address to theirs and receive all your payments! Especially tor exit nodes, which are known to engage in this behavior.

Any payment related pages should be treated the same as a credit card payment gateway, in security terms. That means use SSL!
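A defender-side check for the swap the post describes, added here as an example and not part of the original thread: a site operator fetches their own donation page (here a constructed HTML fragment stands in for the fetched page) and compares every address found on it against the one they actually published, with Base58Check validation to catch a mangled address as well. All function names and the sample addresses are my own constructions.

```python
import hashlib
import re
# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Bitcoin-style Base58: each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:  # ValueError on a char outside the alphabet
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def address_from_hash160(h160: bytes, version: int = 0x00) -> str:
    """P2PKH address = Base58(version byte + HASH160 + 4-byte checksum)."""
    payload = bytes([version]) + h160
    return b58encode(payload + checksum(payload))

def is_valid_address(addr: str) -> bool:
    """Base58Check: a swapped or mistyped character breaks the checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]

ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # loose; hits are checksum-verified

def audit_page(html: str, expected: set) -> dict:
    """Compare every address on a fetched page against the operator's allowlist."""
    found = set(ADDR_RE.findall(html))
    return {
        "unexpected": sorted(found - expected),  # a swapped-in address lands here
        "missing": sorted(expected - found),     # our published address was removed
        "malformed": sorted(a for a in found if not is_valid_address(a)),
    }
# Constructed sample (not real keys): the page as a MITM might have rewritten it.
PUBLISHED = address_from_hash160(b"\x01" * 20)
SAMPLE_HTML = "<p>Donate: " + address_from_hash160(b"\xab" * 20) + "</p>"
```

In real use the operator would fetch the page over HTTPS from outside their own network (or via a Tor exit) and alert on any non-empty "unexpected" or "missing" list.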
fetokun
April 28, 2011, 02:20:00 PM
 #2

is this kind of attack really that easy?
AaronM
April 28, 2011, 11:36:38 PM
 #3

Yes, SSL is very important for Tor users.  Tor exit nodes have been caught doing shenanigans like stealing webmail passwords, and this is no more difficult for a malicious exit node.

Spare some BTC for a biology student? 1DZcEUEo9rX7LQWcYzVR6Btqj2sMqRznbB
RodeoX
April 28, 2011, 11:55:11 PM
 #4

I can envision all sorts of deceptions being applied to get people to send money to the wrong address. Variations of the things scammers use now. "Donate to the red cross to help flood victims: f6UG92n8k..."

It's sad we think so much about all this security stuff.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf

Free bitcoin=https://bitcointalk.org/index.php?topic=1610684
SgtSpike
April 29, 2011, 12:03:06 AM
 #5

AaronM and RodeoX are already breaking that rule...
RodeoX
April 29, 2011, 12:26:59 AM
 #6

AaronM and RodeoX are already breaking that rule...
huh?
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf

Free bitcoin=https://bitcointalk.org/index.php?topic=1610684
bitlotto
April 29, 2011, 01:56:26 AM
 #7

Know of any free hosts that have ssl for logging in and having my website in?

*Next Draw Feb 1*  BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR
TOR2WEB
Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
SgtSpike
April 30, 2011, 12:23:55 AM
 #8

AaronM and RodeoX are already breaking that rule...
huh?
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described.  Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.
bitlotto
April 30, 2011, 12:45:42 AM
 #9

AaronM and RodeoX are already breaking that rule...
huh?
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described.  Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

Just browse the forum using https. So according to me they didn't break the rule!

*Next Draw Feb 1*  BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR
TOR2WEB
Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
casascius
Mike Caldwell
April 30, 2011, 12:48:38 AM
 #10


Just browse the forum using https. So according to me they didn't break the rule!  Wink

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
bitlotto
April 30, 2011, 01:09:07 AM
 #11


But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using TOR, what would be safer? using plain http and risking a MITM attack or risking one from the forum?

*Next Draw Feb 1*  BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR
TOR2WEB
Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
TiagoTiago
April 30, 2011, 02:01:45 AM
 #12

With plain http you got both risks, with ssl only the forum one

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
SgtSpike
April 30, 2011, 03:02:59 AM
 #13


But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using TOR, what would be safer? using plain http and risking a MITM attack or risking one from the forum?
Your website is failing at life...

"Oops! Google Chrome could not find bitlotto.com"
bitlotto
April 30, 2011, 03:10:51 AM
 #14


"Oops! Google Chrome could not find bitlotto.com"
Thanks. I shouldn't have touched those DNS settings...dang it. It will come back, I promise! At least I didn't do it on draw date!!

*Next Draw Feb 1*  BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR
TOR2WEB
Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
SgtSpike
April 30, 2011, 03:51:21 AM
 #15


"Oops! Google Chrome could not find bitlotto.com"
Thanks. I shouldn't have touched those DNS settings...dang it. It will come back, I promise! At least I didn't do it on draw date!!

At least you're not taking the money and running!
theymos
Administrator
April 30, 2011, 04:36:54 AM
 #16

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

A MITM attack is only easy the first time you access bitcoin.org with HTTPS. After that, your browser will warn you about changes in the cert.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
RodeoX
May 02, 2011, 02:28:35 PM
 #17

AaronM and RodeoX are already breaking that rule...
huh?
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially, it could be at risk for such attacks as the one described.  Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent with any posts on any forums.

I was thinking that my login password here provides some protection. But you're right, a MITM attack would work and admins here might switch addresses. As a security check, try sending me 100BTC and I'll post here if I receive it.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf

Free bitcoin=https://bitcointalk.org/index.php?topic=1610684