Topic: anyone publishing bitcoin address on a web site. use ssl! (Read 2048 times)

legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
AaronM and RodeoX are already breaking that rule...
huh Huh
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially it could be at risk for such attacks as the one described. Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent in any posts on any forums.

I was thinking that my login password here provides some protection. But you're right, a MITM attack would work and admins here might switch addresses. As a security check, try sending me 100 BTC and I'll post here if I receive it. Grin
administrator
Activity: 5222
Merit: 13032
But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

A MITM attack is only easy the first time you access bitcoin.org with HTTPS. After that, your browser will warn you about changes in the cert.
legendary
Activity: 1400
Merit: 1005

"Oops! Google Chrome could not find bitlotto.com"
Thanks. I shouldn't have touched those DNS settings...dang it. It will come back, I promise! At least I didn't do it on draw date!! Shocked
Tongue

At least you're not taking the money and running!
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof

"Oops! Google Chrome could not find bitlotto.com"
Thanks. I shouldn't have touched those DNS settings...dang it. It will come back, I promise! At least I didn't do it on draw date!! Shocked
legendary
Activity: 1400
Merit: 1005

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using Tor, what would be safer: using plain HTTP and risking a MITM attack, or risking one from the forum?
Your website is failing at life...

"Oops! Google Chrome could not find bitlotto.com"
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
With plain HTTP you get both risks; with SSL, only the forum one.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.

If I'm using Tor, what would be safer: using plain HTTP and risking a MITM attack, or risking one from the forum?
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)

Just browse the forum using https. So according to me they didn't break the rule!  Wink

But of course a MITM is super easy for the Bitcoin forums, with that silly self-signed cert, 90% won't notice if it is replaced with a different one.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
AaronM and RodeoX are already breaking that rule...
huh Huh
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially it could be at risk for such attacks as the one described. Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent in any posts on any forums.

Just browse the forum using https. So according to me they didn't break the rule!  Wink
legendary
Activity: 1400
Merit: 1005
AaronM and RodeoX are already breaking that rule...
huh Huh
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
But it's posted on a non-HTTPS website, so potentially it could be at risk for such attacks as the one described. Not likely, but hey, you never know...

Also, a forum moderator/admin could change your signature to include their own address instead, and hope you don't notice, though I suppose that's a risk inherent in any posts on any forums.
hero member
Activity: 672
Merit: 500
BitLotto - best odds + best payouts + cheat-proof
Know of any free hosts that have SSL for logging in and for hosting my website?
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
AaronM and RodeoX are already breaking that rule...
huh Huh
Because of the address in my sig? I was more thinking about how someone might misrepresent whose address it was. The one in my signature will change if I ever get an offer to "work for bitcoins".
legendary
Activity: 1400
Merit: 1005
AaronM and RodeoX are already breaking that rule...
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
I can envision all sorts of deceptions being applied to get people to send money to the wrong address. Variations of the things scammers use now. "Donate to the Red Cross to help flood victims: f6UG92n8k..."

It's sad we think so much about all this security stuff. Undecided
member
Activity: 76
Merit: 10
Yes, SSL is very important for Tor users.  Tor exit nodes have been caught doing shenanigans like stealing webmail passwords, and this is no more difficult for a malicious exit node.
full member
Activity: 210
Merit: 100
Presale is live!
Is this kind of attack really that easy?
hero member
Activity: 527
Merit: 500
I've noticed some web sites are publishing addresses on their sites for donations, etc. over unencrypted connections. I thought I'd point out, to anyone who doesn't realise it, that you are vulnerable to man-in-the-middle attacks.

Any MITM can rewrite your address to theirs and receive all your payments! Especially Tor exit nodes, which are known to engage in this behavior.

Any payment related pages should be treated the same as a credit card payment gateway, in security terms. That means use SSL!
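As an added illustration (not code from the thread or any poster), here is a defender-side check a site owner could run against their own donation page: it extracts legacy-format addresses, validates their Base58Check checksum, and compares them against a pinned expected address. It also shows why the checksum alone cannot catch the substitution described above: a swapped-in address is just as valid as the real one, so only a comparison against a known value (over a connection that cannot be rewritten, i.e. HTTPS) detects it. The HTML snippet and the addresses are constructed samples.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Rough pattern for a legacy address embedded in page text.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58encode(raw: bytes) -> str:
    """Base58Check-encode version byte + payload (used here to build samples)."""
    checksum = hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    data = raw + checksum
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def is_valid_address(addr: str) -> bool:
    """True if the 4-byte double-SHA256 checksum of a legacy address verifies."""
    num = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        num = num * 58 + ALPHABET.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(body) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    expected = hashlib.sha256(hashlib.sha256(body[:-4]).digest()).digest()[:4]
    return body[-4:] == expected


def check_page(html: str, pinned: str) -> dict:
    """List every well-formed address on the page and flag any that is not the pinned one."""
    found = [a for a in ADDRESS_RE.findall(html) if is_valid_address(a)]
    tampered = [a for a in found if a != pinned]
    # A page with no valid address at all is also a failure: the address may
    # have been stripped or mangled rather than replaced.
    return {"found": found, "tampered": tampered,
            "ok": bool(found) and not tampered}


if __name__ == "__main__":
    # Constructed sample: the real address and an attacker's substitute.
    real = b58encode(b"\x00" + b"\x01" * 20)
    swapped = b58encode(b"\x00" + b"\x02" * 20)
    print(check_page("<p>Donate: " + real + "</p>", real))
    print(check_page("<p>Donate: " + swapped + "</p>", real))
```

Both addresses pass the checksum; only the comparison against the pinned value reports the substituted page as tampered.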