Maged (OP)
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
May 20, 2012, 12:08:07 AM Last edit: May 20, 2012, 12:35:02 AM by Maged |
|
Currently, the Bitcoinica claims process is more insecure than anything I've seen here before. Until these issues are resolved, I'd advise that you DO NOT submit any information.
1) The SSL certificate is from a SSL provider that has been compromised. 2) All information submitted is stored in plain text on a server that will almost certainly be re-compromised, especially since it is still on Rackspace. I suspect that the ID submissions are handled in the same manner. 3) Email verifications are sent using a cloud service, again in plain text.
This is not some claims system that was carefully created over several days. At best, I'd say that this took a few hours. Hell, even MtGox handled this better.
|
|
|
|
Blazr
|
|
May 20, 2012, 12:11:50 AM |
|
Nevermind the fact that the hacker has a copy the database, and has all for info required to make a claim. The only thing protecting you is a verification email and/or a copy of your ID. This is not some claims system that was carefully created over several days.
In Zhou's own words, he built Bitcoinica in 4 days.
|
|
|
|
Maged (OP)
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
May 20, 2012, 12:15:42 AM |
|
This is not some claims system that was carefully created over several days.
In Zhou's own words, he built Bitcoinica in 4 days. And I'm sure that if he had built the claims system, it would have been significantly more secure.
|
|
|
|
Maged (OP)
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
May 20, 2012, 12:20:02 AM |
|
Turns out that they also still use Rackspace. Why am I the one to bring this stuff up?
|
|
|
|
Maged (OP)
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
May 20, 2012, 12:36:55 AM |
|
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5404
Merit: 13498
|
|
May 20, 2012, 12:46:18 AM |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
May 20, 2012, 12:55:26 AM |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can. StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.
|
|
|
|
zer0
|
|
May 20, 2012, 01:08:10 AM Last edit: May 20, 2012, 01:20:27 AM by zer0 |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can. StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services. Basically all SSL is compromised. 90s system that was randomly thought up to secure a handful of sites http://youtu.be/Z7Wl2FW2TcA watch this
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
May 20, 2012, 01:11:34 AM |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can. StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services. Basically all SSL is compromised. http://youtu.be/Z7Wl2FW2TcA watch this Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried.
|
|
|
|
zer0
|
|
May 20, 2012, 01:18:19 AM Last edit: May 20, 2012, 01:28:55 AM by zer0 |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can. StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services. Basically all SSL is compromised. http://youtu.be/Z7Wl2FW2TcA watch this Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried. You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
May 20, 2012, 01:52:28 AM |
|
You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets
Um, that is a new certificate (did you look?) generated 5/16/2012 by Patrick's personal account. After the hack. Presumably the previous cert was compromised and then revoked afterwards, but I don't have a copy of the fingerprint so I can't check its revocation status.
|
|
|
|
Maged (OP)
Legendary
Offline
Activity: 1204
Merit: 1015
|
|
May 20, 2012, 04:07:53 AM |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can. StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services. It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
May 20, 2012, 05:09:29 AM |
|
1) The SSL certificate is from a SSL provider that has been compromised.
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can. StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services. It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers. Ah yes, I remember that incident now, it was during the Comodo debacle - [...]"StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."[...] Yeah this is lame. I wonder if there is a list of CA's that can definitely and for sure say that they have never been breached. I bet it is fairly short.
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5404
Merit: 13498
|
|
May 20, 2012, 05:14:09 AM |
|
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.
Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
May 20, 2012, 10:03:07 PM |
|
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.
Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause. Did everyone watch the video @zer0 linked above? http://youtu.be/Z7Wl2FW2TcA I think the Convergence system is what everyone should be pushing toward.
|
|
|
|
|