Topic: GLBSE 2.0 open for testing - page 5. (Read 51741 times)

i don't have 2-factor auth, but  here is what i experienced:

when glbse promts to login while showing login form in main white area - every attempt has failed for me.
when i click glbse logo and end up having login form in dark top header area, signing in from there works like a charm

I still keep failing the first-attempt login w/2-factor, every single time

I've found a serious bug that needs to be fixed before continuing.

Is there an ETA on GLBSE coming back online?

Doesn't it bother you Nefario that people access GLBSE though CloudFlare, which creates a technical risk of a man-in-the middle attack, since CloudFlare has access to an unencrypted connection?

I mean, I do understand the reasons and all the advantages of using CloudFlare, but I am wondering about your reasoning to trust this specific service.
As much as I do trust you, I wouldn't want to discover one day that my money has been withdrawn to a different address from the one I entered into the form and there is no way to prove it...
I hope you understand my concerns.

No
If you go to the "settings" page it has a button to "enable 2 factor auth"
Then you download the app for your phone and input the code.

In glbse-account i dont find such possibility. Isnt that only for google mail?

Always use 2 factor google auth if you can enable it on your account too.

It was only down a couple of minutes, actually a few longer than planned (was supposed to be switch off and back on again, hoping no one would notice, didn't pan out that way).

Anyway, site should be a lot faster now, this is just a stopgap measure though. More speed improvements on the way.

its back... so maybe it was the optimizing he spoke of in the thread. But that the site will be down completely should be annonced...

maybe they are moving to a new server, but without announcement - i am feared

Edit: On again 

Whats wrong with the website? First there was the website gone showing a standard-index. And now its even 502 bad gateway...
I hope its only some update...
Edit: Now its "Connection failed"...

No... dont take this as a threat. Im only feeling insecure regarding bitcoinwebsites because mtgox once was the biggest holder of bitcoins and even this website could be hacked. So im only asking to get a feeling about how seriously you take the threats coming from crackers.

Now, after reading your explainations i think you take it serious and are behind it. I trust the website more now. So thanks alot for your explaination!

This almost sounds like a threat.

If you have any information on any vulnerabilities in the GLBSE system them please let me know and I'll address them immediately.

GLBSE has been running in it's variations for nearly a year and 1/2, we've had a few bumps along the way where unique bugs (that could be exploited) were found (and patched immediately).

I'm not a "security expert", I have no qualification or official training. I have only show the current GLBSE code to 2 other people, neither of which were security experts.

What I am though is nothing short of paranoid, and have lost quite a lot of my hairline ensuring that GLBSE is as secure as I can make it.

We don't suffer from some of the more run of the mill security vulnerabilities such as SQL injections, CSRF and XSS. We don't run our site on a VPS (although we do use VPS's to serve content). Passwords are bcrypt stored, although we could probably do with adding a few more rounds than what is currently there *mental note*.

I'm the only person who has access to the server (bar the staff at the datacenter), I only use SSH keys and not passwords. We keep less than 1500BTC in our hot wallet, our main server is behind cloudflare CDN.

The database itself is backed up every couple of hours to an encrypted file storage utility.

A large part of the horrible performance of GLBSE over the last couple of months is not just that the number of users (and bots) have grown dramatically, but also that the architecture of the system as it was didn't allow for safe parallel computing (i.e. running it on more than one machine). It's created a major bottleneck that is only now about to be bypassed, all for the sake of security.

I'm not going to go out there and trump about how awesome our security is as that's only going to tempt fate, we'll just sit here, quietly doing our job.


As a user (of any bitcoin service, not just GLBSE) I would say to keep as little of your bitcoin in the site as you need to, keep the rest offline. Never re-use a password. GLBSE accounts do get compromised and it is always as a result of password re-use.

Thanks a lot Nefario!

Regarding the security... im feeling still a bit insecure about the safety of the platform. I mean there once was a big platform mtgox that seemed to be very professional but still there was a way to hack it.
So can you say some words about how good you or your coder are regarding making a website safe against being hacked? Or if someone that knows how to secure it tested it against vulnerabilities?

That's great news

YAY, finally. I love you Nefario !
This was one of the features I loved in GLBSE V1, and I think and hope it will bring more stability and less spread in the market
//DeaDTerra

BTC reserve is going to be removed tomorrow guys.

As long as you have enough BTC to cover an order you'll be allowed to place it. When an order is processed that's going to remove any other orders where there aren't enough funds to cover.

End of the week comes options BETA, and end of next week options goes live.

Nefario.

Hm... i hope this can be changed. I mean the check for the fee could be applied to when it matches an offer instantly only.

So now there always have to be money in the wallet that cant be used.

It's a known issue.
No matter if your order goes to the book or is instantly matched - either case, you need to have +0.5% to place it.
If it went to the book, the fee is eventually returned to you after somebody takes your order later, or you cancel it.