Author

Topic: SSL certificates are changing on Bitcoin websites (Read 2168 times)

legendary
Activity: 1526
Merit: 1134
Running a hidden service doesn't stop DoS attacks. If anything it makes them harder to stop because you can't block connections on Tor anywhere near as easily as with regular web sites (no IP address blocking).
full member
Activity: 182
Merit: 100
Obviously you are being MITM attacked by the government for participating in a subversive p2p network currency.  

You think you're joking but that's exactly what's happening lol

http://exiledonline.com/isucker-big-brother-internet-culture/
Quote
...CloudFlare’s CEO Matthew Prince made a weird, glib admission that he decided to start the company only after the Department of Homeland Security gave him a call in 2007 and suggested he take the technology behind Project Honey Pot one step further…

+1 CloudFlare the ultimate man in the middle attack and people don't even seem to care ...

Edit:
This reminded me of following article written in 2009, it seems like all the concerns they had where valid and have or are becoming the main issue with freedom on the internet.

Quote from: Can we reinvent the internet ?
They are concerned that control could be shifting from the edges of the Internet toward the service providers at the center, which would allow the providers to have “gatekeeper” capacity and would contradict the Internet's “end-to-end” principle
http://www.sciencemag.org/content/325/5939/396.short
newbie
Activity: 56
Merit: 0
Code:
apt-get install tor
apt-get install ettercap

Ettercap is a program that allows you to perform a man in the middle attack. It can do so by redirecting traffic or if you already are the gateway(such as with tor) then it can perform the attack wouthout needing to reroute.

It is capable of generating an ssl certificate on the fly and attempt to get you to connect to them. This will cause a browser warning that something is fishy, many ignore it.

I would not be suprised if someone was running a tor node just to attempt to steal wallet passwords.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
Because those of us not doing anything illegal and not being overly paranoid(*) think that using TOR is inconvenient and slow.  

(*) And that may be a significant fraction of all bitcointers.
Then people who don't want it wouldn't need to use the hidden service, but those who don't trust cloudflare would have an alternative.

You don't need to have a website behind Tor in order to use Tor to access it and protect yourself as far as I understand it..
All other things being equal a hidden service is safer, and sometimes faster, than using Tor to browse a regular web site. Traffic between your computer and a hidden service doesn't leave the internal Tor network so you aren't exposed to potentially malicious and/or congested exit nodes and (most importantly) it's impossible for an intermediate node to perform a MITM attack.
They probably don't know how easy it is to set up.
eg. Install Tor (apt-get install tor), add a web server cfg to listen on some localhost port and edit the line in the torrc file to associate the hidden service dir with local port. Restart Tor.

But also, if they're using cloudflare to spread load (and I don't know if that's the reason) then I guess handling some small portion of traffic via the local Tor proxy may be seen as hindering that.
legendary
Activity: 1400
Merit: 1013
Because those of us not doing anything illegal and not being overly paranoid(*) think that using TOR is inconvenient and slow.  

(*) And that may be a significant fraction of all bitcointers.
Then people who don't want it wouldn't need to use the hidden service, but those who don't trust cloudflare would have an alternative.

You don't need to have a website behind Tor in order to use Tor to access it and protect yourself as far as I understand it..
All other things being equal a hidden service is safer, and sometimes faster, than using Tor to browse a regular web site. Traffic between your computer and a hidden service doesn't leave the internal Tor network so you aren't exposed to potentially malicious and/or congested exit nodes and (most importantly) it's impossible for an intermediate node to perform a MITM attack.
newbie
Activity: 29
Merit: 0
The SAN field on the certificate for bitcoin.de is pretty interesting:
Or maybe not, maybe they need to be able to read the traffic in order to be able to filter out ddos attacks..
DNS Name=ssl2669.cloudflare.com
DNS Name=*.ukashvip.com
DNS Name=ukashvip.com
DNS Name=bookmakers.com.au
DNS Name=*.calendars.com
DNS Name=calendars.com
DNS Name=subeta.net
DNS Name=*.subeta.net
DNS Name=*.goldenarium.com
DNS Name=*.hellocq.com
DNS Name=*.bookmakers.com.au
DNS Name=*.pcbooster.com
DNS Name=*.hosthack.com
DNS Name=hosthack.com
DNS Name=*.aitec.ee
DNS Name=greenpolkadotbox.com
DNS Name=pcbooster.com
DNS Name=goldenarium.com
DNS Name=testwanda.com
DNS Name=bitinstant.com
DNS Name=*.testwanda.com
DNS Name=bitcoin.de
DNS Name=*.bitcoin.de
DNS Name=president.gov.ph
DNS Name=*.greenpolkadotbox.com
DNS Name=aitec.ee
DNS Name=*.president.gov.ph
DNS Name=*.bitinstant.com
DNS Name=hellocq.com
DNS Name=*.tangostress.info
DNS Name=tangostress.info
legendary
Activity: 1078
Merit: 1003
I still don't understand why all bitcoin-related websites don't make access via a hidden service a standard feature.
Because those of us not doing anything illegal and not being overly paranoid(*) think that using TOR is inconvenient and slow. 

(*) And that may be a significant fraction of all bitcointers. 

You don't need to have a website behind Tor in order to use Tor to access it and protect yourself as far as I understand it..
hero member
Activity: 547
Merit: 500
Decor in numeris
I still don't understand why all bitcoin-related websites don't make access via a hidden service a standard feature.
Because those of us not doing anything illegal and not being overly paranoid(*) think that using TOR is inconvenient and slow. 

(*) And that may be a significant fraction of all bitcointers. 

legendary
Activity: 1400
Merit: 1013
Cloudflare is a US entity, and as such subject to the US PATRIOT act. Making the Web insecure pushes more people towards cloudflare, which in turn provides more opportunities for massive data surveilance by the US government. Imagine the reaction if Chinese government was trying to route as much traffic as possible through Chinese-operated infrastructure...
I still don't understand why all bitcoin-related websites don't make access via a hidden service a standard feature.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
It seems they moved to cloudflare, possibly due to ddos or similar problems. Nothing alarming. What psy pointed out is interesting, though.  Cloudflare is a US entity, and as such subject to the US PATRIOT act. Making the Web insecure pushes more people towards cloudflare, which in turn provides more opportunities for massive data surveilance by the US government. Imagine the reaction if Chinese government was trying to route as much traffic as possible through Chinese-operated infrastructure...
full member
Activity: 157
Merit: 101
There are known trojan's in the wild now infecting chrome on MS.  Cert signature errors are a very common sign.
legendary
Activity: 1834
Merit: 1019
Obviously you are being MITM attacked by the government for participating in a subversive p2p network currency.  

You think you're joking but that's exactly what's happening lol

http://exiledonline.com/isucker-big-brother-internet-culture/
Quote
...CloudFlare’s CEO Matthew Prince made a weird, glib admission that he decided to start the company only after the Department of Homeland Security gave him a call in 2007 and suggested he take the technology behind Project Honey Pot one step further…

damn lol
legendary
Activity: 1358
Merit: 1002
Obviously you are being MITM attacked by the government for participating in a subversive p2p network currency.  

You think you're joking but that's exactly what's happening lol

http://exiledonline.com/isucker-big-brother-internet-culture/
Quote
...CloudFlare’s CEO Matthew Prince made a weird, glib admission that he decided to start the company only after the Department of Homeland Security gave him a call in 2007 and suggested he take the technology behind Project Honey Pot one step further…
newbie
Activity: 28
Merit: 0
Obviously you are being MITM attacked by the government for participating in a subversive p2p network currency.  

You should sound the alarm, because if indeed that were the case, this would not be too late anyway.  /sarcasm

SSL key changes are routine.  If you trust the PKI, then it's fine.  If you don't trust the PKI, it wasn't fine before anyway.
cjp
full member
Activity: 210
Merit: 124
Recently, bitcoin.de changed its SSL certificate (twice), while the old one wasn't expired yet. Also, the certificate authority changed. bitcoin.de now seems to be some kind of alias(?) of ssl2669.cloudflare.com, and Certificate Patrol shows it like:

- GlobalSign Root CA
  - GlobalSign Organization Validation CA - G2
    - ssl2669.cloudflare.com

For bitcoin.de, this might have had something to do with the recent DDOS attack (but then, who would gain anything with a DDOS attack?). But now I also got a new certificate for bitinstant,com, also while the old certificate wasn't expired yet, and also pointing to ssl2669.cloudflare.com.

Can someone please explain what is going on here?
Jump to: