Bitcoin Forum
Topic: [WARNING] Bitcoinica Claims Process is insecure
Maged (OP)
May 20, 2012, 12:08:07 AM
Last edit: May 20, 2012, 12:35:02 AM by Maged
 #1

Currently, the Bitcoinica claims process is more insecure than anything I've seen here before. Until these issues are resolved, I'd advise that you DO NOT submit any information.

1) The SSL certificate is from a SSL provider that has been compromised.
2) All information submitted is stored in plain text on a server that will almost certainly be re-compromised, especially since it is still on Rackspace. I suspect that the ID submissions are handled in the same manner.
3) Email verifications are sent using a cloud service, again in plain text.

This is not some claims system that was carefully created over several days. At best, I'd say that this took a few hours. Hell, even MtGox handled this better.

Blazr
May 20, 2012, 12:11:50 AM
 #2

Never mind the fact that the hacker has a copy of the database, and has all the info required to make a claim. The only thing protecting you is a verification email and/or a copy of your ID.

Quote from: Maged
This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.

Maged (OP)
May 20, 2012, 12:15:42 AM
 #3

Quote from: Maged
This is not some claims system that was carefully created over several days.

Quote from: Blazr
In Zhou's own words, he built Bitcoinica in 4 days.

And I'm sure that if he had built the claims system, it would have been significantly more secure.

Maged (OP)
May 20, 2012, 12:20:02 AM
 #4

Turns out that they also still use Rackspace. Why am I the one to bring this stuff up?

Maged (OP)
May 20, 2012, 12:36:55 AM
 #5

Oh good, some people in the Mega-thread already noticed this:
https://bitcointalk.org/index.php?topic=81045.msg907344#msg907344

theymos
May 20, 2012, 12:46:18 AM
 #6

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
zer0
May 20, 2012, 12:49:53 AM
 #7

Why doesn't he upload a PGP key to https://privacybox.de/index.en.html and take encrypted claims submissions?
rjk
May 20, 2012, 12:55:26 AM
 #8

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

Quote from: theymos
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
zer0
May 20, 2012, 01:08:10 AM
Last edit: May 20, 2012, 01:20:27 AM by zer0
 #9

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

Quote from: theymos
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

Quote from: rjk
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised. 90s system that was randomly thought up to secure a handful of sites
http://youtu.be/Z7Wl2FW2TcA  watch this

rjk
May 20, 2012, 01:11:34 AM
 #10

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

Quote from: theymos
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

Quote from: rjk
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Quote from: zer0
Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA  watch this

Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested in so I'm not really worried.

zer0
May 20, 2012, 01:18:19 AM
Last edit: May 20, 2012, 01:28:55 AM by zer0
 #11

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

Quote from: theymos
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

Quote from: rjk
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Quote from: zer0
Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA  watch this

Quote from: rjk
Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested in so I'm not really worried.

You don't have to worry about the gubmint, you have to worry about the hacker (or Rackspace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets
rjk
May 20, 2012, 01:52:28 AM
 #12

Quote from: zer0
You don't have to worry about the gubmint, you have to worry about the hacker (or Rackspace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets

Um, that is a new certificate (did you look?) generated 5/16/2012 by Patrick's personal account. After the hack. Presumably the previous cert was compromised and then revoked afterwards, but I don't have a copy of the fingerprint so I can't check its revocation status.

Maged (OP)
May 20, 2012, 04:07:53 AM
 #13

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

Quote from: theymos
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

Quote from: rjk
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

rjk
May 20, 2012, 05:09:29 AM
 #14

Quote from: Maged
1) The SSL certificate is from a SSL provider that has been compromised.

Quote from: theymos
It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

Quote from: rjk
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Quote from: Maged
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Ah yes, I remember that incident now, it was during the Comodo debacle -

Quote from: theregister
[...]"StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."[...]

Yeah this is lame. I wonder if there is a list of CAs that can definitely and for sure say that they have never been breached. I bet it is fairly short.

theymos
May 20, 2012, 05:14:09 AM
 #15

Quote from: Maged
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.

acoindr
May 20, 2012, 10:03:07 PM
 #16

Quote from: Maged
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Quote from: theymos
Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.

Did everyone watch the video @zer0 linked above?

http://youtu.be/Z7Wl2FW2TcA

I think the Convergence system is what everyone should be pushing toward.
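
Added example, not part of any post in this thread: a simplified model of the two checks discussed above, trust-store validation (where a certificate from any trusted CA is accepted for any host) and recording a certificate fingerprint so a later change can be noticed. The names `Cert`, `issue`, `ca_validates`, `pin_check`, the CA names and `claims.example` are hypothetical, and an HMAC tag stands in for a real public-key signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    host: str
    issuer: str
    pubkey: bytes
    sig: bytes  # HMAC tag standing in for the issuer's signature (assumption)

def _tbs(host: str, issuer: str, pubkey: bytes) -> bytes:
    return b"|".join([host.encode(), issuer.encode(), pubkey])

def issue(ca: str, ca_key: bytes, host: str, pubkey: bytes) -> Cert:
    tag = hmac.new(ca_key, _tbs(host, ca, pubkey), hashlib.sha256).digest()
    return Cert(host, ca, pubkey, tag)

def fingerprint(cert: Cert) -> str:
    data = _tbs(cert.host, cert.issuer, cert.pubkey) + cert.sig
    return hashlib.sha256(data).hexdigest()

def ca_validates(cert: Cert, host: str, trust_store: dict) -> bool:
    # Any trusted issuer is accepted: nothing ties a hostname to one CA.
    key = trust_store.get(cert.issuer)
    if key is None or cert.host != host:
        return False
    data = _tbs(cert.host, cert.issuer, cert.pubkey)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(cert.sig, expected)

def pin_check(pins: dict, host: str, cert: Cert) -> str:
    # Trust-on-first-use: remember the first fingerprint, flag any change.
    fp = fingerprint(cert)
    if host not in pins:
        pins[host] = fp
        return "first-seen"
    return "match" if hmac.compare_digest(pins[host], fp) else "changed"

# Constructed sample data: two trusted CAs and one host.
TRUST_STORE = {"CA-One": b"ca-one-key", "CA-Two": b"ca-two-key"}
HOST = "claims.example"

def demo():
    original = issue("CA-One", TRUST_STORE["CA-One"], HOST, b"site-key-A")
    other_ca = issue("CA-Two", TRUST_STORE["CA-Two"], HOST, b"other-key-B")
    unknown = issue("CA-Three", b"not-trusted", HOST, b"other-key-C")
    pins: dict = {}
    accepts = [ca_validates(c, HOST, TRUST_STORE) for c in (original, other_ca, unknown)]
    results = [pin_check(pins, HOST, c) for c in (original, original, other_ca)]
    return accepts, results
```

A "changed" result cannot by itself distinguish a legitimate reissue, such as the new certificate generated after the hack, from a substituted one; it only shows that the certificate is not the one recorded earlier.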