Bitcoin Forum
Author Topic: Dwolla's SSL certificate has been revoked  (Read 5249 times)
DublinBrian
July 22, 2012, 08:15:40 PM
 #41

how does one know they can trust the 'network notary' server?
Because the user chooses that notary themselves.

sadpandatech
July 22, 2012, 08:21:10 PM
 #42

how does one know they can trust the 'network notary' server?
Because the user chooses that notary themselves.



Yea, that does not quite cut it though. It's not like choosing your partner or something that you know all about. How is the list made to choose from? What verifies that the list is trustworthy notaries? I'd assume this service decides that list, and if so does not do anything to reduce any trust issues with just using the standard CAs. It instead would increase trust issues unless there is some really in-depth method for listing trusted notaries.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system. - GA
It is being worked on by smart people. -DamienBlack
niko
July 22, 2012, 09:52:08 PM
 #43

So, does anyone know why the certificate was revoked by verisign? It seems like this caught dwolla by surprise.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
MagicalTux
July 23, 2012, 01:05:14 AM
 #44

Just a note, it seems that Dwolla switched to GoDaddy (known to be more trustworthy than Verisign?).

Dwolla, before:


Dwolla, after:

check_status
July 23, 2012, 01:24:09 AM
 #45

Who owns GoDaddy?

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
EnergyVampire
July 23, 2012, 01:45:03 AM
 #46

Who owns GoDaddy?

According to Wikipedia it's owned by KKR, Silver Lake Partners and Technology Crossover Ventures.

check_status
July 23, 2012, 02:00:30 AM
 #47

That explains how Stuxnet got into Iran. A Mossad agent is CEO of 3 domain name registration companies, GoDaddy is just one.

This change in domains smells like manipulation/backroom deal shenanigans.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
rjk
August 01, 2012, 01:36:31 AM
 #48

Bumping this with the text of an email that I sent them via their contact submission form, as follows:

Quote
I would like to know what's going on with your SSL certificate. The following statement is made at this link: http://help.dwolla.com/customer/portal/articles/86685-security-partner-overview

"VeriSign EV Certificate and Encryption

Extended Validation SSL Certificates give high-security web browsers information to clearly identify a web site’s organizational identity. VeriSign is an industry leading EV solution provider.  Our certificate provides a 128-bit minimum to 256-bit encryption."

but you are actually using a cheap GoDaddy certificate. I see that one or more EV certificates from Verisign have been revoked.... Have you had a security incident that you should have warned customers about? Certificates don't just get revoked without a damn good reason, and I feel that this is something extremely important that you need to address.

The only public communication that I have been able to find in regards to this issue is a single Twitter message that says the following:

"‏@dwolla

Working with our partners at @verisign and @symantec to look into a certificate issue some of our users are reporting. Still secure."

but absolutely no communication after that message, posted on the 21st of July, 2012, 10 days ago.

I would appreciate your prompt response in regards to this matter so that I can be assured of your continued security and the security of any data about me that you have stored there.

Thank you and regards,

It's been 10 days since this incident, with nothing more said.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
notme
August 01, 2012, 01:43:13 AM
 #49

I quit using them months ago.  Still glad I did.  I hope this doesn't turn nasty for anyone exposed.

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
12jh3odyAAaR2XedPKZNCR4X4sebuotQzN
rjk
August 01, 2012, 05:08:29 PM
 #50

They responded with this:
Quote
Dwolla’s SSL certificate had a minor issue. The SSL certificate was purchased for one year, however, was given a two-year expiration date. This is part of our routine monitoring.

Dwolla realized this error and migrated the certificate to another vendor as an interim solution. Dwolla will revert to our old SSL vendor, a two-year, paid certificate, later this week.

So Verisign issued a 2 year cert, even though Dwolla only paid for one? That's odd, wonder if it was actually the other way around.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
niko
August 01, 2012, 08:27:21 PM
 #51

They responded with this:
Quote
Dwolla’s SSL certificate had a minor issue. The SSL certificate was purchased for one year, however, was given a two-year expiration date. This is part of our routine monitoring.

Dwolla realized this error and migrated the certificate to another vendor as an interim solution. Dwolla will revert to our old SSL vendor, a two-year, paid certificate, later this week.

So Verisign issued a 2 year cert, even though Dwolla only paid for one? That's odd, wonder if it was actually the other way around.
  See what Tux posted above. It was issued with a two-year validity. Apparently they revoke it if you miss a payment.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
rjk
August 01, 2012, 08:30:58 PM
 #52

Apparently they revoke it if you miss a payment.
Interesting, most CAs that I have met require a payment for the full validity period, but maybe Verisign has a payment plan because they are so damn expensive for EV certs.

Also, epic fail not paying bills. Roll Eyes

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
unclemantis
August 01, 2012, 09:47:45 PM
 #53

Apparently they revoke it if you miss a payment.
Interesting, most CAs that I have met require a payment for the full validity period, but maybe Verisign has a payment plan because they are so damn expensive for EV certs.

Also, epic fail not paying bills. Roll Eyes

A bank not paying their bills? Wow!

Good thing I am going with direct ACH payments when I can!

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?