Bitcoin Forum
Author Topic: GLBSE switching DNS servers, may cause issues  (Read 1924 times)
Nefario, Hero Member, Activity: 602
May 15, 2012, 02:45:20 AM  #1

As part of using Cloudflare's service (to protect and speed up GLBSE for users), we're required to change the DNS servers for the domain.

This means that over the next 24 hours there may be connection issues as a result (name not resolving). This is also responsible for the SSL errors or warnings users may be experiencing.

We're sorry for any inconvenience caused, but believe this is a move for the better; the end result will be a much faster service for users.


PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
drakahn, Hero Member, Activity: 504
May 15, 2012, 02:55:49 AM  #2

Would this have caused my account to not work at all?

14ga8dJ6NGpiwQkNTXg7KzwozasfaXNfEU
BinaryMage, Hero Member, Activity: 546
May 15, 2012, 03:25:54 AM  #3

> Would this have caused my account to not work at all?

I doubt it. What do you mean by "not work at all"?

-- BinaryMage -- | OTC | PGP
drakahn, Hero Member, Activity: 504
May 15, 2012, 03:38:14 AM  #4

>> Would this have caused my account to not work at all?
>
> I doubt it. What do you mean by "not work at all"?

I could not log in. Nefario has fixed it for me, but I have no idea what was wrong.

BinaryMage, Hero Member, Activity: 546
May 15, 2012, 03:38:52 AM  #5

>>> Would this have caused my account to not work at all?
>>
>> I doubt it. What do you mean by "not work at all"?
>
> I could not log in. Nefario has fixed it for me, but I have no idea what was wrong.

Perhaps some database records got garbled. Anyway, glad it's fixed.

Deafboy, Hero Member, Activity: 484
May 15, 2012, 03:52:09 AM  #6

Isn't involving a 3rd party in communication with GLBSE a potential security threat?
Cloudflare is providing a good and valuable service, but look at the recent incidents with Linode (slush's pool and Bitcoinica targeted) and Rackspace (Bitcoinica).
Trust is weakness. We already need to trust GLBSE and the issuers of shares, and now also Cloudflare.
Is faster loading of images on the website really worth it?
BinaryMage, Hero Member, Activity: 546
May 15, 2012, 03:54:03 AM  #7

> Isn't involving a 3rd party in communication with GLBSE a potential security threat?
> Cloudflare is providing a good and valuable service, but look at the recent incidents with Linode (slush's pool and Bitcoinica targeted) and Rackspace (Bitcoinica).
> Trust is weakness. We already need to trust GLBSE and the issuers of shares, and now also Cloudflare.
> Is faster loading of images on the website really worth it?

CloudFlare doesn't host wallets, Linode and Rackspace did. Major difference there.

All CloudFlare does, IIRC, is provide a passthrough server to protect against DDOS and the like and provide analytics services.

Deafboy, Hero Member, Activity: 484
May 15, 2012, 04:20:32 AM  #8

I am aware of what Cloudflare does and how. But there is still a small possibility of someone exploiting Cloudflare's service and providing a cached copy of an edited HTML document instead of the original. And there is no need to steal wallet.dat to get money out of there.
BinaryMage, Hero Member, Activity: 546
May 15, 2012, 04:27:56 AM  #9

> I am aware of what Cloudflare does and how. But there is still a small possibility of someone exploiting Cloudflare's service and providing a cached copy of an edited HTML document instead of the original. And there is no need to steal wallet.dat to get money out of there.

It's probably astronomically less than the possibility of the GLBSE server being hacked, but you are correct, a chance does exist. I suspect that the DDOS protection and speedup will be worth it to the majority of users, however.

sunnankar, Legendary, Activity: 1030
May 15, 2012, 12:45:22 PM  #10

> It's probably astronomically less than the possibility of the GLBSE server being hacked, but you are correct, a chance does exist. I suspect that the DDOS protection and speedup will be worth it to the majority of users, however.

Nefario needs to build in some additional security tools, things besides only the cumbersome and annoying two-factor authentication, and once a good option is decided on it should probably take top priority. Things like:

1. The ability to require a different password(s) than the login to change email, make trades or withdraw bitcoins, etc.

2. With the changes discussed in #1, add the ability to require a transaction PIN code which is sent via email.

3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often, I do not want another little piece of physical crap to deal with and possibly lose.

4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network, during which it could be canceled.

Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

Sukrim, Legendary, Activity: 1848
May 15, 2012, 01:10:07 PM  #11

> 1. The ability to require a different password(s) than the login to change email, make trades or withdraw bitcoins, etc.
>
> 2. With the changes discussed in #1, add the ability to require a transaction PIN code which is sent via email.
>
> 3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often, I do not want another little piece of physical crap to deal with and possibly lose.
>
> 4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network, during which it could be canceled.
>
> Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

1. As long as one can read the API key, one could empty an account much faster anyways. Also, if an email account is compromised too (as is often the case), these passwords would just get reset/changed.

2. Email is not secure at all.

3. It requires a mobile phone afaik...

4. Great, and who decides that an account can/should be frozen? The account owner can be the "hacker", GLBSE would disrupt trading, and GLBSE acting on request of the account owner would mean the request could be forged. The delaying-payouts thing can also be used to grief account holders... and if it can be changed later, it will be, or it will create lots of support requests if it can't.

REF, Hero Member, Activity: 526
May 15, 2012, 01:40:27 PM  #12

>> 1. The ability to require a different password(s) than the login to change email, make trades or withdraw bitcoins, etc.
>>
>> 2. With the changes discussed in #1, add the ability to require a transaction PIN code which is sent via email.
>>
>> 3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often, I do not want another little piece of physical crap to deal with and possibly lose.
>>
>> 4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network, during which it could be canceled.
>>
>> Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.
>
> 1. As long as one can read the API key, one could empty an account much faster anyways. Also, if an email account is compromised too (as is often the case), these passwords would just get reset/changed.
>
> 2. Email is not secure at all.
>
> 3. It requires a mobile phone afaik...
>
> 4. Great, and who decides that an account can/should be frozen? The account owner can be the "hacker", GLBSE would disrupt trading, and GLBSE acting on request of the account owner would mean the request could be forged. The delaying-payouts thing can also be used to grief account holders... and if it can be changed later, it will be, or it will create lots of support requests if it can't.

3. Google Auth can be done with a phone app; YubiKey is a USB device.

4. I wouldn't have a problem with a mandatory 1 hour (personally I wouldn't even mind 24 hrs) wait time on all withdrawals before they get processed. It's maybe a little annoying to some people, but it may turn out to be just enough time to prevent massive theft. I think it would be better to be a site-wide feature rather than account-based.
BinaryMage, Hero Member, Activity: 546
May 15, 2012, 03:21:56 PM  #13

> 3. Google Auth can be done with a phone app; YubiKey is a USB device.
>
> 4. I wouldn't have a problem with a mandatory 1 hour (personally I wouldn't even mind 24 hrs) wait time on all withdrawals before they get processed. It's maybe a little annoying to some people, but it may turn out to be just enough time to prevent massive theft. I think it would be better to be a site-wide feature rather than account-based.

3. How is a Yubikey more secure than Google Auth? Both require physical possession of the device you own and both are extremely unlikely to get hacked. The latter is just cheaper and more convenient.

4. 1 hour I could tolerate, but I doubt it would be enough to prevent thievery; Nefario can't individually process each withdrawal, and a lot of BTC is transferred in and out of GLBSE daily. 24 hours would do more, but it would be an extreme inconvenience to people who need to move funds around quickly.

Nefario, Hero Member, Activity: 602
May 15, 2012, 04:13:52 PM  #14

>>>> Would this have caused my account to not work at all?
>>>
>>> I doubt it. What do you mean by "not work at all"?
>>
>> I could not log in. Nefario has fixed it for me, but I have no idea what was wrong.
>
> Perhaps some database records got garbled. Anyway, glad it's fixed.

No, he wasn't solving the captcha after the failed login.

gabbynot, Sr. Member, Activity: 338
May 15, 2012, 04:17:49 PM  #15

I would assume that most of GLBSE's BTC is kept in cold storage.

Nefario, Hero Member, Activity: 602
May 15, 2012, 04:25:37 PM  #16

>> It's probably astronomically less than the possibility of the GLBSE server being hacked, but you are correct, a chance does exist. I suspect that the DDOS protection and speedup will be worth it to the majority of users, however.
>
> Nefario needs to build in some additional security tools, things besides only the cumbersome and annoying two-factor authentication, and once a good option is decided on it should probably take top priority. Things like:
>
> 1. The ability to require a different password(s) than the login to change email, make trades or withdraw bitcoins, etc.
>
> 2. With the changes discussed in #1, add the ability to require a transaction PIN code which is sent via email.
>
> 3. Perhaps offer a YubiKey option. But being fairly minimalist and one who travels often, I do not want another little piece of physical crap to deal with and possibly lose.
>
> 4. The ability to 'freeze' an account for a specified amount of time. Or an ability to require a BTC withdrawal to take X amount of time before it is submitted to the network, during which it could be canceled.
>
> Just some things that could add enough friction to make it not worth a thief's time and reduce the potential profitability from messing with GLBSE accounts.

Regarding making accounts more secure:
Once a user's email has been compromised and two-factor authentication is not enabled, there is no way for us to tell the difference between the hacker and the real account owner.

I am going to be adding more security features that will hopefully prevent accounts getting cleared out, but the above mentioned won't do much except piss off users.

We only keep a small fraction of BTC on our server; nearly all of it is in cold storage. I think GLBSE isn't really a worthwhile target for attackers. There isn't much to steal.

REF, Hero Member, Activity: 526
May 15, 2012, 05:23:46 PM  #17

>> 3. Google Auth can be done with a phone app; YubiKey is a USB device.
>>
>> 4. I wouldn't have a problem with a mandatory 1 hour (personally I wouldn't even mind 24 hrs) wait time on all withdrawals before they get processed. It's maybe a little annoying to some people, but it may turn out to be just enough time to prevent massive theft. I think it would be better to be a site-wide feature rather than account-based.
>
> 3. How is a Yubikey more secure than Google Auth? Both require physical possession of the device you own and both are extremely unlikely to get hacked. The latter is just cheaper and more convenient.
>
> 4. 1 hour I could tolerate, but I doubt it would be enough to prevent thievery; Nefario can't individually process each withdrawal, and a lot of BTC is transferred in and out of GLBSE daily. 24 hours would do more, but it would be an extreme inconvenience to people who need to move funds around quickly.

I didn't say either was more secure. I'm not sure what you read; all I did was point out one was on a phone, the other a USB device. It appeared Sukrim said YubiKey was on a phone and it's not, so I was clearing that up. Although there is a YubiKey app, I'm not sure how it works; I think you still need the YubiKey USB and you can then add it to a phone.

If Nefario was awake it might be enough time to shut everything down and cancel pending transactions. Think about Bitcoinica: zhoutong was awake and was able to react quickly to prevent further damage. I didn't say he should individually process each transaction. Make them wait in limbo for an hour before they are processed automatically. I know it wouldn't help if the private keys got stolen, but it is still another hurdle, at least in the way of hacked accounts.
sunnankar, Legendary, Activity: 1030
May 15, 2012, 06:37:24 PM  #18

> Regarding making accounts more secure:
> Once a user's email has been compromised and two-factor authentication is not enabled, there is no way for us to tell the difference between the hacker and the real account owner.
>
> I am going to be adding more security features that will hopefully prevent accounts getting cleared out, but the above mentioned won't do much except piss off users.
>
> We only keep a small fraction of BTC on our server; nearly all of it is in cold storage. I think GLBSE isn't really a worthwhile target for attackers. There isn't much to steal.

Perhaps adding a security question to distinguish between hacker/owner would be a viable option.

Another option would be to have a withdrawal address unable to be added for X hours/days and that period, once set, could only be increased to a max of like 30 days or something. Same with an email address and allow users to add additional contact info, if they want.

I also think increased security burdens should be voluntary since it may not be worth the hassle if you have 3BTC in the account but if you have 3000BTC.

I agree there is a balance between security and usability. But currently I feel GLBSE is too insecure. Just making it less likely a thief could profit even if they compromise an account goes a long way towards deterrence.
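The two controls argued over in this thread, REF's site-wide hold on withdrawals (cancellable while pending) and sunnankar's delayed, increase-only withdrawal-address change with a 30-day cap, sketched in Python as an added example that is not GLBSE's code. The 24-hour default address delay, the one-hour hold and the address string are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
HOUR = 3600
MAX_ADDRESS_DELAY = 30 * 24 * HOUR  # cap on the address-change delay (from the thread)
@dataclass
class Withdrawal:
    wid: int
    address: str
    amount_btc: float
    requested_at: int        # unix seconds
    status: str = "pending"  # pending -> sent | cancelled

@dataclass
class Account:
    address_delay: int = 24 * HOUR                  # assumed default
    addresses: dict = field(default_factory=dict)  # address -> usable_at
    withdrawals: list = field(default_factory=list)

class WithdrawalQueue:
    def __init__(self, hold=HOUR):   # site-wide hold before broadcast
        self.hold = hold
        self._next_id = 1

    def set_address_delay(self, acct, seconds):
        # Delay may only be raised, never lowered, and never past the cap.
        if seconds < acct.address_delay or seconds > MAX_ADDRESS_DELAY:
            raise ValueError("address delay may only be increased, up to the cap")
        acct.address_delay = seconds

    def add_address(self, acct, address, now):
        # A new payout address is registered but unusable until the delay passes.
        acct.addresses[address] = now + acct.address_delay

    def request(self, acct, address, amount, now):
        usable_at = acct.addresses.get(address)
        if usable_at is None or now < usable_at:
            raise ValueError("withdrawal address not yet usable")
        w = Withdrawal(self._next_id, address, amount, now)
        self._next_id += 1
        acct.withdrawals.append(w)
        return w

    def cancel(self, acct, wid):
        # Owner or support can pull a pending withdrawal during the hold.
        for w in acct.withdrawals:
            if w.wid == wid and w.status == "pending":
                w.status = "cancelled"
                return True
        return False

    def process_due(self, acct, now):
        # Periodic job: broadcast pending withdrawals whose hold has elapsed.
        due = [w for w in acct.withdrawals if w.status == "pending" and now - w.requested_at >= self.hold]
        for w in due:
            w.status = "sent"
        return [w.wid for w in due]
```

The hold buys reaction time only for compromised accounts, not for stolen server keys, which is the limit REF acknowledges above.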

Dalkore, Legendary, Activity: 1176
May 15, 2012, 06:45:37 PM  #19

> As part of using Cloudflare's service (to protect and speed up GLBSE for users), we're required to change the DNS servers for the domain.
>
> This means that over the next 24 hours there may be connection issues as a result (name not resolving). This is also responsible for the SSL errors or warnings users may be experiencing.
>
> We're sorry for any inconvenience caused, but believe this is a move for the better; the end result will be a much faster service for users.

Thank you for the heads up. Glad to see you're taking steps to improve the service.

Dal
