Bitcoin Forum>Economy>Trading Discussion
Author

Topic: Question! (Read 1585 times)

makomk
hero member
Activity: 686
Merit: 564
Question!
July 27, 2011, 06:25:24 PM
#12
Quote from: fitty on July 24, 2011, 06:23:31 AM
Because your bookmark is https.

Google bitcoin forum. Click the http:// link. If you set "remember me" when you logged it, you're on the forum, logged in, on http. The only way to get https is by going through a https link back to the forum.
Exactly - if you start on http, all the links are to the http version, and if you start on https all the links are https. Which has a more subtle but nasty security issue: even if you consistently view the forum over https, an active attacker that can modify your network requests can inject content into the next http page you view so that it causes a http request to the forum (for example an img tag referencing http://forum.bitcoin.org) and obtain your unencrypted cookie from that request. This is well within the capabilities of some Tor exit node owners.
fitty
hero member
Activity: 728
Merit: 501
CryptoTalk.Org - Get Paid for every Post!
Re: Question!
July 24, 2011, 06:23:31 AM
#11
Quote from: error on July 23, 2011, 01:34:53 PM
Quote from: makomk on July 23, 2011, 06:49:27 AM
Quote from: error on July 21, 2011, 09:38:40 PM
Fixed. Smiley
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep extension for Firefox allows an attacker to do; a lot of sites have this issue.

I don't know how you're doing that. Every single access I make to the forum is through https.

Because your bookmark is https.

Google bitcoin forum. Click the http:// link. If you set "remember me" when you logged it, you're on the forum, logged in, on http. The only way to get https is by going through a https link back to the forum.

The forum should force https plain and simple. With the amount of attacks, trojans, wallet stealers, it's a pretty simple fix. The extra load on the server is minor and it gives a lot of security. Global SSL cert is like 195 bucks a year.

Crypto virtual currency network and the wallet/website are unencrypted.
trentzb
sr. member
Activity: 406
Merit: 251
Re: Question!
July 23, 2011, 01:58:54 PM
#10
Quote from: fitty on July 21, 2011, 05:13:35 PM
This forum only uses https for your login. Which means people could sniff your cookie while you browse/post.

No need to sniff it, sometimes people just post their cookie publicly.

http://forum.bitcoin.org/index.php?topic=31094.msg391155#msg391155
error
hero member
Activity: 588
Merit: 500
Re: Question!
July 23, 2011, 01:34:53 PM
#9
Quote from: makomk on July 23, 2011, 06:49:27 AM
Quote from: error on July 21, 2011, 09:38:40 PM
Fixed. Smiley
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep extension for Firefox allows an attacker to do; a lot of sites have this issue.

I don't know how you're doing that. Every single access I make to the forum is through https.
makomk
hero member
Activity: 686
Merit: 564
Re: Question!
July 23, 2011, 06:49:27 AM
#8
Quote from: error on July 21, 2011, 09:38:40 PM
Fixed. Smiley
Nope, fitty had it right the first time. The login is over https and this stops anyone sniffing your password (so long as you check it is actually https and not http before you enter it), but viewing topics and posting is done over unencrypted http. This means that the cookie used to authenticate you after you've logged in is also sent unencrypted over http and anyone who's sniffing your traffic can clone your cookie and gain access to your account.

This is exactly what the infamous Firesheep extension for Firefox allows an attacker to do; a lot of sites have this issue.
error
hero member
Activity: 588
Merit: 500
Re: Question!
July 21, 2011, 09:38:40 PM
#7
Quote from: fitty on July 21, 2011, 05:13:35 PM
This forum only uses https for your login. Which means people could NOT sniff your cookie while you browse/post.

Fixed. Smiley
fitty
hero member
Activity: 728
Merit: 501
CryptoTalk.Org - Get Paid for every Post!
Re: Question!
July 21, 2011, 05:13:35 PM
#6
Quote from: ones51 on July 21, 2011, 03:57:54 AM
Is it dangerous to use tradehill, mtgox, etc.....on tor?

If it's https it's pretty secure.

If it's http then it is possible for a tor node to sniff the data. Anything you send over http would be visible. Which means logging into a site that doesn't use https you'd expose your login/password. TradeHill, MtGox all use https so that's not a problem. Gmail is 100% https now I believe also. All banks are https.

This forum only uses https for your login. Which means people could sniff your cookie while you browse/post.

Anyway, as long as it's https then you're fine. Anything non-https is less secure then your internet connection at home. The odds of someone sniffing one of your exit nodes, is probably pretty slim.
riceberry
hero member
Activity: 491
Merit: 500
Re: Question!
July 21, 2011, 03:24:41 PM
#5
It's dangerous to go alone......



take this:

1rbgakDLF3nuErQtRTfpRUn1aYKXBJun2
cryptoanarchist
legendary
Activity: 1120
Merit: 1003
Re: Question!
July 21, 2011, 11:10:25 AM
#4
No. Why would it be?

It is, however, very difficult since most exit node IPs on the Tor network have been banned by those sites.
ones51
member
Activity: 70
Merit: 10
Re: Question!
July 21, 2011, 05:42:59 AM
#3
wtf? was that a joke?  Huh
johanatan
member
Activity: 84
Merit: 10
Re: Question!
July 21, 2011, 04:45:59 AM
#2
Quote from: ones51 on July 21, 2011, 03:57:54 AM
Is it dangerous to use tradehill, mtgox, etc.....on tor?

is isn't dangerous on tor but i've heard that it can be a beast on acid.
ones51
member
Activity: 70
Merit: 10
Re: Question!
July 21, 2011, 03:57:54 AM
#1
Is it dangerous to use tradehill, mtgox, etc.....on tor?
Bitcoin Forum>Economy>Trading Discussion
Jump to: