
Topic: Forum avatar is BROKEN (Read 1213 times)

member
Activity: 81
Merit: 1002
It was only the wind.
June 19, 2013, 04:40:17 PM
#24
The only attack you can do is intercepting a http bitcointalk request and preventing https upgrade.

This means that you can prevent them from using SSL in the first place, which was my point! Christ, what a dipshit.
member
Activity: 81
Merit: 1002
It was only the wind.
June 19, 2013, 12:59:02 PM
#22
You clearly have no idea what you are talking about, because I've done it before. An attacker can strip out HTTPS. You should have checked out Moxie Marlinspike's SSLStrip before making yourself look like an idiot.
You clearly have no idea what you're talking about. A quick search of "SSLStrip" on google reveals:
Quote
It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.
Too bad bitcointalk's traffic is in https. Next time, actually read your references so you don't end up looking like a dumbass.

I've actually USED SSLStrip before. Had you watched the demonstration, you would have noticed that SSLStrip does just what its name implies, that is, feed the victim HTTP data while connecting to the victim's intended destination using HTTPS to get the data. It works on PayPal, which is why they started fucking with Marlinspike.
member
Activity: 81
Merit: 1002
It was only the wind.
June 18, 2013, 11:25:15 PM
#20
Okay, again, who cares? If you have a MITM on your connection, he can modify an image. Oh, noes!
You know what he can also do? He can proxy your connection, and connect using HTTPS to the site where you want to go, then send you HTTP data. No browsers will warn, it just won't show that the site is HTTPS, and most users won't notice.
You clearly do not understand how https works. Since the page is loaded with https, all references to external resources will be secured against tampering. An attacker won't be able to modify the image link to a "proxy". The best he can do is intercept the request, but since he doesn't have the certificate, the browser will show a warning.
You clearly have no idea what you are talking about, because I've done it before. An attacker can strip out HTTPS. You should have checked out Moxie Marlinspike's SSLStrip before making yourself look like an idiot.
member
Activity: 81
Merit: 1002
It was only the wind.
June 18, 2013, 10:55:42 AM
#17
So, you're saying it's intentionally broken because some users might get warnings?
It's not "some" users, it's most browsers. And it's not "intentionally broken", it's a feature to prevent warnings and preserve https integrity.

If there is insecure content on a page...
on chromium based browsers, the lock symbol in the address bar will have a red strikeout
on firefox, there won't be a lock symbol
on internet explorer, the user will be asked whether to load the insecure content
safari, opera probably has similar warnings

Okay, again, who cares? If you have a MITM on your connection, he can modify an image. Oh, noes!
You know what he can also do? He can proxy your connection, and connect using HTTPS to the site where you want to go, then send you HTTP data. No browsers will warn, it just won't show that the site is HTTPS, and most users won't notice.

Why does it matter so much?

Because dynamic avatars are nice, and there's no reason not to have them.
legendary
Activity: 2058
Merit: 1452
June 19, 2013, 02:57:28 PM
#15
I've actually USED SSLStrip before. Had you watched the demonstration, you would have noticed that SSLStrip does just what its name implies, that is, feed the victim HTTP data while connecting to the victim's intended destination using HTTPS to get the data. It works on PayPal, which is why they started fucking with Marlinspike.
How dense are you? Did you even read my argument? Bitcointalk's traffic is in https. HTTPS traffic can not be tampered with in transit, nor can it be downgraded. SSLStrip only intercepts http pages, and replaces any https references. The only attack you can do is intercepting a http bitcointalk request and preventing https upgrade. You can intercept any embedded http image requests, but the tampering will be limited to the image. Your claim of using SSLStrip are red herrings, so is your claim of being able to hack paypal because they do not refute my central point (SSLstrip is limited to http traffic). If you read the fucking documentation for sslstrip instead of glancing over the name, you would know that.
legendary
Activity: 2058
Merit: 1452
June 19, 2013, 09:34:17 AM
#14
You clearly have no idea what you are talking about, because I've done it before. An attacker can strip out HTTPS. You should have checked out Moxie Marlinspike's SSLStrip before making yourself look like an idiot.
You clearly have no idea what you're talking about. A quick search of "SSLStrip" on google reveals:
Quote
It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.
Too bad bitcointalk's traffic is in https. Next time, actually read your references so you don't end up looking like a dumbass.
legendary
Activity: 2058
Merit: 1452
June 18, 2013, 03:25:51 PM
#13
Okay, again, who cares? If you have a MITM on your connection, he can modify an image. Oh, noes!
You know what he can also do? He can proxy your connection, and connect using HTTPS to the site where you want to go, then send you HTTP data. No browsers will warn, it just won't show that the site is HTTPS, and most users won't notice.
You clearly do not understand how https works. Since the page is loaded with https, all references to external resources will be secured against tampering. An attacker won't be able to modify the image link to a "proxy". The best he can do is intercept the request, but since he doesn't have the certificate, the browser will show a warning.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
June 18, 2013, 11:52:10 AM
#12
I think the amount of madness in this thread is nowhere related to the issue significance
legendary
Activity: 966
Merit: 1004
Keep it real
June 18, 2013, 08:12:22 AM
#11
So, you're saying it's intentionally broken because some users might get warnings?
It's not "some" users, it's most browsers. And it's not "intentionally broken", it's a feature to prevent warnings and preserve https integrity.

If there is insecure content on a page...
on chromium based browsers, the lock symbol in the address bar will have a red strikeout
on firefox, there won't be a lock symbol
on internet explorer, the user will be asked whether to load the insecure content
safari, opera probably has similar warnings

Okay, again, who cares? If you have a MITM on your connection, he can modify an image. Oh, noes!
You know what he can also do? He can proxy your connection, and connect using HTTPS to the site where you want to go, then send you HTTP data. No browsers will warn, it just won't show that the site is HTTPS, and most users won't notice.

Why does it matter so much?
full member
Activity: 210
Merit: 100
June 17, 2013, 11:41:11 AM
#10
But wait, don't we post pics from plain http sites like postimg.org?
[test for this board:]
and here's php-generated content from another site (reload page for new pic):


Edit: never mind, I see the browser warning.
legendary
Activity: 2058
Merit: 1452
June 17, 2013, 09:39:12 AM
#9
So, you're saying it's intentionally broken because some users might get warnings?
It's not "some" users, it's most browsers. And it's not "intentionally broken", it's a feature to prevent warnings and preserve https integrity.

If there is insecure content on a page...
on chromium based browsers, the lock symbol in the address bar will have a red strikeout
on firefox, there won't be a lock symbol
on internet explorer, the user will be asked whether to load the insecure content
safari, opera probably has similar warnings
administrator
Activity: 5222
Merit: 13032
June 16, 2013, 10:08:50 PM
#8
Having http images (or https images with invalid certificates) on an https site results in warnings on a lot of browsers. I allow it with [img] tags because they're more rare.

Some day I'd like to have something like:

Code:
[fetch]http://mining.com/my_stats.txt[/fetch]

which would cause the forum to periodically fetch the textual data from the given URL and insert it into the post. This is a very low priority, though.
vip
Activity: 1316
Merit: 1043
👻
June 16, 2013, 07:10:34 PM
#7
I'm pretty sure a hostile image cannot inject JS to the page (for modern browsers of course). However, if you already know my IP, you can know when I read a post / etc.

Just buy a security certificate for your domain, that costs $9 and takes literally 10 minutes before you get a cert in email.

Proxy the image.

Total time taken:

15 minutes
Cost: $9
legendary
Activity: 2058
Merit: 1452
June 16, 2013, 05:45:01 PM
#6
WHO CARES IF IT'S NOT SSL? As a matter of fact, you CAN'T use https links in there, IIRC.
non https links =/= non https images. Images are loaded by default by browsers. If all the page's content is not loaded via https, it is possible for an attacker to eavesdrop or modify the page.

for more info, see: https://bitcointalksearch.org/topic/bitcointalk-https-is-not-staying-secure-69891
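An added example (not part of any post in this thread) of the distinction the post above draws between plain-HTTP links and plain-HTTP images on an HTTPS page: a scanner that flags only resources the browser fetches automatically. The function names, tag table, and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches on its own while rendering.
# "passive": tampering is limited to that resource (an image, a video).
# "active": the resource can read or rewrite the whole page.
SUBRESOURCES = {
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("script", "src"): "active",
    ("iframe", "src"): "active",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = SUBRESOURCES.get((tag, name))
            if kind is None or not value:
                continue  # e.g. <a href>: only requested if the user clicks
            url = urljoin(self.page_url, value)  # resolves /path and //host forms
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, kind, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists relative to an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: one link, one offsite dynamic avatar, two safe images, one script.
SAMPLE = """
<a href="http://example.org/stats">my stats</a>
<img class="avatar" src="http://example.org/avatar.php">
<img src="/Smileys/default/smiley.gif">
<img src="//example.net/pic.png">
<script src="http://example.org/widget.js"></script>
"""

if __name__ == "__main__":
    page = "https://forum.example/index.php?topic=1"
    for tag, kind, url in find_mixed_content(page, SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

The `<a href>` to a plain-HTTP site is not reported, while the offsite avatar and the script are; relative and scheme-relative URLs inherit the page's HTTPS scheme and pass.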
legendary
Activity: 2058
Merit: 1452
June 16, 2013, 02:53:07 PM
#5
dynamic or offsite avatars are not allowed because they are not guaranteed to be SSL.

So?
SO THAT'S THE REASON WHY YOU CAN'T USE IT.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
June 16, 2013, 02:25:32 PM
#4
So upload it.
I think the problem here is that he wants a PHP-generated (from his hashrate I suppose) picture as his avatar
legendary
Activity: 1652
Merit: 1128
June 16, 2013, 12:54:09 PM
#3
So upload it.
legendary
Activity: 2058
Merit: 1452
June 16, 2013, 09:35:16 AM
#2
dynamic or offsite avatars are not allowed because they are not guaranteed to be SSL.
member
Activity: 81
Merit: 1002
It was only the wind.
June 15, 2013, 10:55:44 PM
#1
NaN.