
Topic: [PSA] Bitcoin Gambling SSL Security (Read 1137 times)

legendary
Activity: 1904
Merit: 1074
May 01, 2015, 11:56:53 AM
#11
Telling people SSL / RSA is safe, would give them a false sense of security. We have seen how the NSA has exploited SSL and we still believe that it's safe.

Watch this and see if you agree with me ----> https://www.youtube.com/watch?v=CJNxbpbHA-I

Using VPNs is even less safe. .... Let's agree on one thing... SSL will not stop expert hackers.
hero member
Activity: 672
Merit: 502
May 01, 2015, 09:11:38 AM
#10
This is exactly what I asked on primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen but I was confused about VPN. Thanks for this.

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

If hacker uses a SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.


If you are not using SSL, the URL will look correct, but there will not be a padlock, and the url will start with http:// rather than https://

If you are using SSL, there will be a padlock and https and your connection is encrypted and you are reasonably safe. Just pay attention to any popups you might get about "expired certificates" and such, and also check the fingerprint of the SSL cert for extra safety as OP mentioned.

I would recommend the browser addon HTTPS Everywhere, which will check the fingerprints automatically for you and also force your browser to use SSL on most websites. This will mitigate the risk of this kind of attack significantly without you needing to do anything.

Note that this kind of attack can happen to anyone using the internet, however it is most frequently seen on Tor, VPNs, proxies and public wifi as it is easier for an attacker to get "in-the-middle" of your internet connection. The NSA have used backbone internet routers to execute these attacks, these routers relay a vast amount of the internet's traffic so they can do this to almost any connection, so this kind of thing can happen to anyone.

I have that extension installed already. I was just asking that because he said that hackers can imitate SSL as well and most people including me will not check certificates and will think that it is the right site, if it shows https:// and the glowing site name/favicon with the padlock.
hero member
Activity: 812
Merit: 1000
May 01, 2015, 07:15:18 AM
#9
Great bit of information for people using Tor/Vpn and other such services, every little precaution is necessary when it comes to protecting your sensitive information and Bitcoins.

I've always used the GRC's site to check cert hashes every now and then
https://www.grc.com/fingerprints.htm

Didn't know about this, will defo use this to check fingerprints to make sure I am visiting the correct site. Thanks
hero member
Activity: 882
Merit: 1006
May 01, 2015, 06:31:28 AM
#8
This is exactly what I asked on primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen but I was confused about VPN. Thanks for this.

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

If hacker uses a SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.


If you are not using SSL, the URL will look correct, but there will not be a padlock, and the url will start with http:// rather than https://

If you are using SSL, there will be a padlock and https and your connection is encrypted and you are reasonably safe. Just pay attention to any popups you might get about "expired certificates" and such, and also check the fingerprint of the SSL cert for extra safety as OP mentioned.

I would recommend the browser addon HTTPS Everywhere, which will check the fingerprints automatically for you and also force your browser to use SSL on most websites. This will mitigate the risk of this kind of attack significantly without you needing to do anything.

Note that this kind of attack can happen to anyone using the internet, however it is most frequently seen on Tor, VPNs, proxies and public wifi as it is easier for an attacker to get "in-the-middle" of your internet connection. The NSA have used backbone internet routers to execute these attacks, these routers relay a vast amount of the internet's traffic so they can do this to almost any connection, so this kind of thing can happen to anyone.
hero member
Activity: 546
Merit: 500
May 01, 2015, 06:17:44 AM
#7
Noted. Glad that I'm using the HTTPS version of Bitcointalk.org and many other sites.

If you are using Chrome you can always use this extension in order to force the https to all the sites: https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp
member
Activity: 109
Merit: 10
May 01, 2015, 05:13:19 AM
#6
Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

Thoughtful, an SSL is never a sure guarantee
And one should take this up in every best possible means. An informative post by the way
hero member
Activity: 672
Merit: 502
April 30, 2015, 11:02:44 PM
#5
This is exactly what I asked on primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen but I was confused about VPN. Thanks for this.

Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.

If hacker uses a SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.
legendary
Activity: 1120
Merit: 1000
April 30, 2015, 10:37:03 PM
#4
Great post. It should also be noted having a SSL does NOT make a website more "trustworthy" at all. Anyone can purchase a SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.
legendary
Activity: 1484
Merit: 1001
Personal Text Space Not For Sale
April 30, 2015, 08:44:01 PM
#3
Noted. Glad that I'm using the HTTPS version of Bitcointalk.org and many other sites.
newbie
Activity: 19
Merit: 0
April 30, 2015, 08:39:00 PM
#2
I've always used the GRC's site to check cert hashes every now and then
https://www.grc.com/fingerprints.htm
newbie
Activity: 52
Merit: 0
April 30, 2015, 05:16:35 PM
#1
When using any site that involves money, from online shopping, to bitcoin web wallets, to bitcoin gaming, one recurring risk which has been seen is the Man in the Middle Attack (MITM).  This is when an attacker, somewhere between your computer and the website you are accessing, intercepts your connection and impersonates the website you are trying to access.  The MITM attack has been seen on the Tor network, when a malicious exit node will impersonate certain bitcoin sites to try and steal a user's bitcoins when they put their login information into the fake site.  So what is the solution to make sure you are secure?

SSL and HTTPS

SSL is a method of end to end encryption that makes sure the information between your computer and the site you are accessing is unable to be altered in transit.  People using VPNs and the Tor program to access various bitcoin sites are at higher risk due to putting more systems in between your computer and the site you are accessing.  By verifying you are connecting to a domain that begins with https with the lock icon next to it, you can ensure that your connection to the site is not being intercepted.  For further security, you can verify the certificate they are presenting you is a valid certificate.

https://i.imgur.com/DUqDAV8.png?1

Common Bitcoin SSL Certificate Hashes (4/30/2015)

PrimeDice - https://primedice.com

SHA-256 Fingerprint: 98:3A:82:A8:50:19:48:19:32:BD:90:19:D6:8C:3E:00:4C:75:FF:69:65:C7:64:B0:8C:86:D2:76:AA:B5:54:D5
SHA1 Fingerprint: 8A:D6:87:4B:99:B2:E1:31:CD:60:A9:BA:72:EF:92:00:4D:40:94:64

Just-Dice - https://just-dice.com

SHA-256 Fingerprint: 78:9B:E9:39:C8:9B:8F:FA:7A:7B:9F:A2:93:B1:79:B4:EA:F7:DF:9C:42:22:4C:5E:2E:18:39:70:3C:EF:0D:1F
SHA1 Fingerprint: 63:31:BA:A9:E0:B3:E3:2A:35:3B:4B:91:35:BC:7D:AF:CA:19:60:CC

Blockchain.info - https://blockchain.info

SHA-256 Fingerprint: D0:3F:04:0B:D9:85:5F:F0:B3:C9:78:89:2B:31:36:8E:D4:C3:76:AA:D5:26:02:9C:33:42:F2:B7:93:F2:85:E1
SHA1 Fingerprint: 94:10:81:EB:E4:62:B5:BD:7B:03:DE:79:C7:A6:4D:91:30:13:7B:E0
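
The fingerprint check described in post #1, as an added example that is not part of the original post: it parses a colon-separated fingerprint in the format listed above, hashes the server's DER-encoded certificate, and compares the two. The function names and `SAMPLE_DER` are assumptions made for illustration; `SAMPLE_DER` is constructed placeholder bytes so the check can be exercised offline.

```python
import hashlib
import hmac
import socket
import ssl

# Digest length in bytes -> hashlib name, for the two formats listed in the post.
ALGO_BY_LENGTH = {32: "sha256", 20: "sha1"}


def parse_fingerprint(text):
    """Turn 'AA:BB:...' (as a browser displays it) into (algorithm, raw digest)."""
    cleaned = text.strip().replace(":", "").replace(" ", "")
    digest = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    algo = ALGO_BY_LENGTH.get(len(digest))
    if algo is None:
        raise ValueError(f"unexpected fingerprint length: {len(digest)} bytes")
    return algo, digest


def format_fingerprint(der_cert, algo="sha256"):
    """A fingerprint is the hash of the DER certificate, shown as colon-separated hex."""
    digest = hashlib.new(algo, der_cert).digest()
    return ":".join(f"{b:02X}" for b in digest)


def matches_pin(der_cert, pinned_text):
    """True only if the certificate hashes to the pinned fingerprint."""
    algo, expected = parse_fingerprint(pinned_text)
    actual = hashlib.new(algo, der_cert).digest()
    return hmac.compare_digest(actual, expected)


def fetch_leaf_cert(host, port=443, timeout=10):
    """Fetch the server's leaf certificate (DER) over a normally verified TLS session."""
    ctx = ssl.create_default_context()  # CA chain and hostname are still checked
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in bytes, NOT a real certificate; lets the demo run offline.
SAMPLE_DER = b"constructed placeholder for DER certificate bytes"

if __name__ == "__main__":
    pin = format_fingerprint(SAMPLE_DER)
    print("pinned fingerprint:", pin)
    print("same certificate matches:", matches_pin(SAMPLE_DER, pin))
    print("different certificate matches:", matches_pin(SAMPLE_DER + b"!", pin))
```

Sites reissue certificates, so a mismatch against a dated list such as the one above calls for re-checking the current fingerprint through a second channel before logging in.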