Topic: Chipmixer.com SSL cert Domain value (Read 512 times)
If a hacker could hack the domain of chipmixer just like what happened to etherdelta. They will stole a huge number of Bitcoin. Chipmixer is a handy tool of thieves to break the connection from blockchain and getting traced from money laundering, and hacked money.
Jumping in from a completely uneducated pov here but has CM ever responded to any of these in the past? My personal feeling is that they're not unaware of possible modes of attack, but even if successful -- and not being rhetorical here, genuinely asking -- what's the worst-case scenario for a US user if the Feds were successful in such an attack?
Your faith in humanity is like that of Buddha. I respect you, and believe in your belief in others. I too, will read a few more tutorials to try and keep up.
But don't worry. Read a few more tutorials and watch a few more youtube videos, and you'll also be able to find a huuuuuge vulnerability. I believe in you.
Your faith in humanity is like that of Buddha. I respect you, and believe in your belief in others. I too, will read a few more tutorials to try and keep up.
P.S. Just ignore me, I don't know anything about crypto or infosec ...
That's the most important part here.
You are able to enter an URL into the bar of another website. Congratulations.
With that, you are almost as technically experienced as the guy who claimed to have found an incredibly dangerous vulnerability on a betting site.
This was a XSS on the (community hosted) forum instead of the actual betting site.
But don't worry. Read a few more tutorials and watch a few more youtube videos, and you'll also be able to find a huuuuuge vulnerability. I believe in you.
...snip...
Would anyone able to analyze and provide genuine TLS signature value of Chipmixer?
thanks!
Would anyone able to analyze and provide genuine TLS signature value of Chipmixer?
thanks!
I tried to inform chip mixer about this stuff around a year ago or so ...
@ChipMixer
"Re: Anonymous Bitcoins"
- https://bitcointalksearch.org/topic/m.54641364
Notification - Kindly fix up your Lets Encrypt SSL Certificate ... it is currently capped to a grade B ...
- https://www.ssllabs.com/ssltest/analyze.html?d=chipmixer.com&hideResults=on
SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols ...
- https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols
Has insecure cypher suites ...
- https://en.wikipedia.org/wiki/Cipher_suite
Is therefore vulnerable to the BEAST attack ...
- https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat
Your also using an RSA 2048 bits publickey certificate despite Lets Encrypt supporting RSA 4096 bits publickey certificates, out-of-the box ...
...
How to Guide ...
See: https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.4
Example;
You need to update the # intermediate configuration ssl_protocols and ssl_ciphers .
Then use certbot to upgrade your certificate publickey to RSA 4096 bit
Cheers!
Also review your torrc for 'compliance' here (donations welcome!) ...
- https://bitcointalksearch.org/topic/m.52455267
"Re: Anonymous Bitcoins"
- https://bitcointalksearch.org/topic/m.54641364
Notification - Kindly fix up your Lets Encrypt SSL Certificate ... it is currently capped to a grade B ...
- https://www.ssllabs.com/ssltest/analyze.html?d=chipmixer.com&hideResults=on
SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols ...
- https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols
Has insecure cypher suites ...
- https://en.wikipedia.org/wiki/Cipher_suite
Is therefore vulnerable to the BEAST attack ...
- https://blog.qualys.com/ssllabs/2013/09/10/is-beast-still-a-threat
Your also using an RSA 2048 bits publickey certificate despite Lets Encrypt supporting RSA 4096 bits publickey certificates, out-of-the box ...
...
How to Guide ...
See: https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.4
Example;
Code:
# generated 2020-06-18, Mozilla Guideline v5.4, nginx 1.14.0, OpenSSL 1.1.1d, intermediate configuration, no HSTS, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.4
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /path/to/dhparam;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
}
You need to update the # intermediate configuration ssl_protocols and ssl_ciphers .
Then use certbot to upgrade your certificate publickey to RSA 4096 bit
Code:
sudo certbot --nginx -d chipmixer.com --rsa-key-size 4096
Cheers!
Also review your torrc for 'compliance' here (donations welcome!) ...
- https://bitcointalksearch.org/topic/m.52455267
P.S. Just ignore me, I don't know anything about crypto or infosec ...
I wish Tor meek-azure works.. it dosn't (I work from shenzhen)
When I use a us based tor bridge a spoof TLS certs were presented and that is what I saw.
3e e6 c2 42 02
When I use a us based tor bridge a spoof TLS certs were presented and that is what I saw.
3e e6 c2 42 02
I think Feds might be actively figuring out ways to hi-jack Chipmixer non-onion .com site and interdict chipmixer users. It didn't happen often before, but now occasionally I am getting invalid cert warning on Chipmixer's .com site.
so far since chipmixer isn't using CDN network such as cloudflare and Akamai; harvesting (or "leaks") of user session and address data isn't exactly easy (common tactics used in the past against crypto exchanges).
However, manually hijack and present an fake SSL using specialized MITM appliances to stole and to analyze chipmixer user's fund should be deemed plausible given mass surveillance and maturity of man-in-the-side operations given the past cyber incidents. (i.e., Fed Spy on chipmixer user, once session data's btc address were observed and funded, lets hit that and put it up for federal auction)
Would anyone able to analyze and provide genuine TLS signature value of Chipmixer?
thanks!
so far since chipmixer isn't using CDN network such as cloudflare and Akamai; harvesting (or "leaks") of user session and address data isn't exactly easy (common tactics used in the past against crypto exchanges).
However, manually hijack and present an fake SSL using specialized MITM appliances to stole and to analyze chipmixer user's fund should be deemed plausible given mass surveillance and maturity of man-in-the-side operations given the past cyber incidents. (i.e., Fed Spy on chipmixer user, once session data's btc address were observed and funded, lets hit that and put it up for federal auction)
Would anyone able to analyze and provide genuine TLS signature value of Chipmixer?
thanks!
Jump to: