[WARNING] Bitcoinica Claims Process is insecure

[Maged]

Currently, the Bitcoinica claims process is more insecure than anything I've seen here before. Until these issues are resolved, I'd advise that you DO NOT submit any information.

1) The SSL certificate is from a SSL provider that has been compromised.
2) All information submitted is stored in plain text on a server that will almost certainly be re-compromised, especially since it is still on Rackspace. I suspect that the ID submissions are handled in the same manner.
3) Email verifications are sent using a cloud service, again in plain text.

This is not some claims system that was carefully created over several days. At best, I'd say that this took a few hours. Hell, even MtGox handled this better.

[Blazr]

Nevermind the fact that the hacker has a copy the database, and has all for info required to make a claim. The only thing protecting you is a verification email and/or a copy of your ID.

This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.

[Maged]

This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.

And I'm sure that if he had built the claims system, it would have been significantly more secure.

[Maged]

Turns out that they also still use Rackspace. Why am I the one to bring this stuff up?

[Maged]

Oh good, some people in the Mega-thread already noticed this:
https://bitcointalk.org/index.php?topic=81045.msg907344#msg907344

[theymos]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

[zer0]

Why doesn't he upload a PGP key to https://privacybox.de/index.en.html and take encrypted claims submissions

[rjk]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

[zer0]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised. 90s system that was randomly thought up to secure a handful of sites
http://youtu.be/Z7Wl2FW2TcA  watch this

[rjk]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA  watch this

Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried.

[zer0]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA  watch this

Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried.

You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets

[rjk]

You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets

Um, that is a new certificate (did you look?) generated 5/16/2012 by Patrick's personal account. After the hack. Presumably the previous cert was compromised and then revoked afterwards, but I don't have a copy of the fingerprint so I can't check its revocation status.

[Maged]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

[rjk]

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Ah yes, I remember that incident now, it was during the Comodo debacle -

[...]"StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."[...]

Yeah this is lame. I wonder if there is a list of CA's that can definitely and for sure say that they have never been breached. I bet it is fairly short.

[theymos]

It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.

[acoindr]

It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.

Did everyone watch the video @zer0 linked above?

http://youtu.be/Z7Wl2FW2TcA

I think the Convergence system is what everyone should be pushing toward.