Pages:
Author

Topic: Cloudflare (Read 14889 times)

legendary
Activity: 4760
Merit: 1283
December 03, 2013, 03:26:27 PM
#53
watching.  (sorry.)
Click the watch and the notify links at the top or bottom of the thread...

Off-topic for this thread, but on-topic for this board:

I want it on my 'new replies to your posts' list.  I don't want it on my 'watchlist', and I certainly don't want to get spammed via e-mail.  It would be nice if there were a toggle such that the flag could be added without making a post...and especially subtracted if one had made a post.

sr. member
Activity: 263
Merit: 250
December 03, 2013, 03:25:04 PM
#52
I jokingly suggested that theymos sell personal openvpn certs for paranoid users to access BitcoinTalk without any reliance on SSL.  He's considering it.
legendary
Activity: 1708
Merit: 1020
December 03, 2013, 02:53:31 PM
#51
The CA system sucks in general.
It would be nice if you could add bitcointalk.bit as an external domain so that it can be used as a backup. Of course I would be happy to send you the name.

Also I added the forum fingerprint so Namecoin TLS should work with the Namecoin TLS firefox plugin - authorized, encrypted, decentralized.  Grin
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
December 03, 2013, 08:34:00 AM
#50
watching.  (sorry.)
Click the watch and the notify links at the top or bottom of the thread...
legendary
Activity: 1372
Merit: 1008
1davout
December 03, 2013, 02:57:23 AM
#49
My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.

Any kind of shell company will be just fine.
staff
Activity: 4284
Merit: 8808
December 02, 2013, 11:41:56 PM
#48
Extended validation costs more, but it's worth much more.
My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.
legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
December 02, 2013, 09:13:55 PM
#47
I've only just installed it, so I'm not sure how well it works in practice - but judging by the screenshots it looks like it saves the cert of every site you visit (not just a fingerprint) so that on detecting a changed certificate you can actually view both the old and new certs.
It works very well. It's one of the few ways to make HTTPS suck less.

https://www.youtube.com/watch?v=pDmj_xe7EIQ

http://convergence.io/

...

I'd go with customizing ModSecurity: http://www.modsecurity.org/ if you have the 'money' and the time.

I use CloudFlare on my USA proxy websites, but I don't use it for SSL and choose to keep the https on a sub-domain.

https://wikipedia.org/wiki/CloudFlare

"On February 13, 2013, a comparative penetration testing analysis report was published by Zero Science Lab, showing that ModSecurity is more effective than CloudFlare and Incapsula. In fact, out of the three, CloudFlare was the least effective."
legendary
Activity: 4760
Merit: 1283
December 02, 2013, 08:19:27 PM
#46
watching.  (sorry.)
hero member
Activity: 756
Merit: 522
December 02, 2013, 06:32:12 PM
#45
The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

I can't readily grasp the confusion of ideas and general brokenness of a brain that farts this proposition, to implement something known to be dysfunctional. Let's prolong the life of a broken piece of crap that should never have existed in the first place and in any event should have died long ago. Let's continuate as much of the stupidity of the old world as humanly possible.

Roughly equivalent, let's put three ounces of dog shit inside the car's tire, because there's no clear mechanism through which food would be contaminated by this, and therefore why not. So there you have the power rangers, on their hands and knees in a parking lot somewhere, huddled around this old rusty clunker of a car missing one door, stuffing dog shit through the air intake.

If this is the sort of ideas you'd entertain it's at least understandable why you wouldn't see what the problem is with them.
hero member
Activity: 563
Merit: 500
December 02, 2013, 05:12:48 PM
#44
The Certificate Patrol plug-in for Firefox looks interesting - it's supposed to tell you whenever a site's cert changes. https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

I've only just installed it, so I'm not sure how well it works in practice - but judging by the screenshots it looks like it saves the cert of every site you visit (not just a fingerprint) so that on detecting a changed certificate you can actually view both the old and new certs.

Of course, it's not that useful because in reality you often don't have enough information to determine if it's a legitimate change or not.

roy
hero member
Activity: 616
Merit: 500
Firstbits.com/1fg4i :)
December 02, 2013, 04:19:33 PM
#43
Just gotta make sure you remember to renew the certificate in time though; false positives can be almost just as bad as failing to notice an attack.
sr. member
Activity: 322
Merit: 250
Supersonic
December 02, 2013, 04:04:35 PM
#42
I see the forum uses HSTS
Code:
Strict-Transport-Security: max-age=3000000

If im not mistaken, there are some certificate pinning features available which tells the (modern) browsers to trust only the current certificate(or public key) for a predefined time... If thats implemented, trying to pull off a similar MiTM would probably result in some sort of warning... Not sure the status of this extension..
legendary
Activity: 1372
Merit: 1008
1davout
December 02, 2013, 12:33:00 PM
#41
What's not to like?

The fact that my cert sits AES encrypted on my production servers, in clear in its RAM and nowhere else.
In the security/convenience trade-off I'd rather get DDoS'd from time to time than to get MITM'd permanently.

EDIT : Assuming of course that the service doesn't work simply by looking at the encrypted traffic flow, in which case you can obviously disregard the previous comment :-)
sr. member
Activity: 269
Merit: 250
December 02, 2013, 12:04:31 PM
#40
For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

FYI - you can check the thumbprint in google chrome browser by clicking the green lock in the address bar, choosing the connection tab, clicking the "Certificate information" link, clicking the "Details" tab, and then selecting "Thumbprint" (near the bottom of the list)

scotjam
jr. member
Activity: 31
Merit: 10
December 02, 2013, 11:56:31 AM
#39
We have to remember that the people behind cloudflare previously ran a project called projecthoneypot.org, a pretty useless project that thought it could stop spam.
They had financial issues when someone suddenly came around and said "Oh we could do a lot of interesting things with your datas". They then magically appeared with 20 millions dollars...
Cloudflare pretends a lot of things which are misleading people, for example they tell that they operate 23 datacenters around the world, this is definitely a lie as it is known that cloudflare usually only runs a router and a few servers in already existing datacenters.
They over exaggerate their capacity, they also tried to pretended to have developed their own httpd but it is only a lightly modified version of nginx.
It was also previously written in their TOS that they allow themselves to look at the datas to build some statistics and other things out of your traffic.

I would be very careful with this company.
hero member
Activity: 728
Merit: 540
December 02, 2013, 07:28:21 AM
#38
If I may, using DNSSEC would probably be the solution. And it's quite easy to implement.

http://dnssec-debugger.verisignlabs.com/bitcointalk.org
legendary
Activity: 1372
Merit: 1008
1davout
December 02, 2013, 04:48:52 AM
#37
All these threats exist
No. Mythical nonsense threats— things like the claims that supporting x509 signed payment requests will allow CA's to monitor transactions— which are structurally impossible do not exist.

[...]

If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.

Chill out, I'm not interested in drama.
I was referring to the *other* threats. I'm not going to waste my time on the nonsensical ones like you just did.

The CA system is bullshit, banks manage to somewhat handle it with chargebacks and wire recalls, Bitcoin deserves much better, and sometimes "much better" means "nothing at all".
This merchant stuff solves an imaginary problem in a broken way, what's next in the core tree? Discount codes? Loyalty programs?
staff
Activity: 4284
Merit: 8808
December 02, 2013, 04:21:39 AM
#36
All these threats exist
No. Mythical nonsense threats— things like the claims that supporting x509 signed payment requests will allow CA's to monitor transactions— which are structurally impossible do not exist.

Just because something has some facility for checking some signing key was signed by another key and pretty printing a name doesn't magically give the root signer the ability to print money, monitor transactions, track users, or whatever other insipid nonsense people have convinced themselves of in their paranoia orgy.  All it means is that they could impersonate that party in the pretty printing, but absent the existence of the facility _anyone_ could impersonate.

The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

The fantastical, confused, and— in some cases— personally violent arguments made about the x509 signing in the payment protocol are beyond the pale, even in this sometimes cesspool of a forum. Having a real commitment to security means also being  aggressive in refusing nonsense insecurity claims. Sorting out the signal from the non-man-made noise is already very hard. There is no excuse for additional noise.  Trolling secure systems with paranoia and FUD would be a fantastic counter-security move for a well funded attacker, and we must be robust against it.

If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.

Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?
If it happened the way theymos described it's a waste of time, except maybe for getting the cert revoked.
If the DNS was changed it won't be a fraudulent request from their PoV.
It would be good to have some evidence about the system being abused in order to get improvements to the way things are done. More selfishly, it would be easier to argue for adding BCT to the browser cert pins with that kind of information. Perhaps not worth the time, but I thought I'd ask.
legendary
Activity: 1372
Merit: 1008
1davout
December 02, 2013, 02:51:47 AM
#35
or other such threats that don't exist.

It's kind funny you'd say such a thing, in this very thread.
All these threats exist and the vulnerabilities will be exploited eventually, better do something about it.
For my part I'll look for a flag in the Makefile to disable the whole invoicing crap, if there's none I'll patch it back to oblivion.


Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?

If it happened the way theymos described it's a waste of time, except maybe for getting the cert revoked.
If the DNS was changed it won't be a fraudulent request from their PoV.
staff
Activity: 4284
Merit: 8808
December 02, 2013, 02:26:31 AM
#34
I looked at the darn cert, but didn't save it.  Geotrust vs Globalsign ... I'm sure I wouldn't remember the difference. I was looking for something like "cloudflare".

It remains true that anyone who could respond to a http request as the server (e.g. someone at the hosting provider or an upstream ISP) to a CA could get a cert issued in the site's name, since several CAs do nothing more than request a page with a specific name. So even without the cloudflare turbo compromise ... the CA universe stinks. Sad
Pages:
Jump to: