Bitcoin Forum>Bitcoin>Bitcoin Discussion
Author

Topic: [WARNING] Bitcoinica Claims Process is insecure (Read 2305 times)

acoindr
legendary
Activity: 1050
Merit: 1002
[WARNING] Bitcoinica Claims Process is insecure
May 20, 2012, 05:03:07 PM
#16
Quote from: theymos on May 20, 2012, 12:14:09 AM
Quote from: Maged on May 19, 2012, 11:07:53 PM
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.

Did everyone watch the video @zer0 linked above?

http://youtu.be/Z7Wl2FW2TcA

I think the Convergence system is what everyone should be pushing toward.
theymos
administrator
Activity: 5222
Merit: 13032
Re: [WARNING] Bitcoinica Claims Process is insecure
May 20, 2012, 12:14:09 AM
#15
Quote from: Maged on May 19, 2012, 11:07:53 PM
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [WARNING] Bitcoinica Claims Process is insecure
May 20, 2012, 12:09:29 AM
#14
Quote from: Maged on May 19, 2012, 11:07:53 PM
Quote from: rjk on May 19, 2012, 07:55:26 PM
Quote from: theymos on May 19, 2012, 07:46:18 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.
Ah yes, I remember that incident now, it was during the Comodo debacle -

Quote from: theregister
[...]"StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."[...]

Yeah this is lame. I wonder if there is a list of CA's that can definitely and for sure say that they have never been breached. I bet it is fairly short.
Maged
legendary
Activity: 1204
Merit: 1015
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 11:07:53 PM
#13
Quote from: rjk on May 19, 2012, 07:55:26 PM
Quote from: theymos on May 19, 2012, 07:46:18 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.
It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 08:52:28 PM
#12
Quote from: zer0 on May 19, 2012, 08:18:19 PM
You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets
Um, that is a new certificate (did you look?) generated 5/16/2012 by Patrick's personal account. After the hack. Presumably the previous cert was compromised and then revoked afterwards, but I don't have a copy of the fingerprint so I can't check its revocation status.
zer0
sr. member
Activity: 350
Merit: 250
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 08:18:19 PM
#11
Quote from: rjk on May 19, 2012, 08:11:34 PM
Quote from: zer0 on May 19, 2012, 08:08:10 PM
Quote from: rjk on May 19, 2012, 07:55:26 PM
Quote from: theymos on May 19, 2012, 07:46:18 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA  watch this


Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried.

You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admin /tinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 08:11:34 PM
#10
Quote from: zer0 on May 19, 2012, 08:08:10 PM
Quote from: rjk on May 19, 2012, 07:55:26 PM
Quote from: theymos on May 19, 2012, 07:46:18 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA  watch this


Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried.
zer0
sr. member
Activity: 350
Merit: 250
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 08:08:10 PM
#9
Quote from: rjk on May 19, 2012, 07:55:26 PM
Quote from: theymos on May 19, 2012, 07:46:18 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised. 90s system that was randomly thought up to secure a handful of sites
http://youtu.be/Z7Wl2FW2TcA  watch this


rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:55:26 PM
#8
Quote from: theymos on May 19, 2012, 07:46:18 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.
zer0
sr. member
Activity: 350
Merit: 250
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:49:53 PM
#7
Why doesn't he upload a PGP key to https://privacybox.de/index.en.html and take encrypted claims submissions
theymos
administrator
Activity: 5222
Merit: 13032
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:46:18 PM
#6
Quote from: Maged on May 19, 2012, 07:08:07 PM
1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.
Maged
legendary
Activity: 1204
Merit: 1015
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:36:55 PM
#5
Oh good, some people in the Mega-thread already noticed this:
https://bitcointalksearch.org/topic/m.907344
Maged
legendary
Activity: 1204
Merit: 1015
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:20:02 PM
#4
Turns out that they also still use Rackspace. Why am I the one to bring this stuff up?
Maged
legendary
Activity: 1204
Merit: 1015
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:15:42 PM
#3
Quote from: Blazr on May 19, 2012, 07:11:50 PM
Quote from: Maged on May 19, 2012, 07:08:07 PM
This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.
And I'm sure that if he had built the claims system, it would have been significantly more secure.
Blazr
hero member
Activity: 882
Merit: 1006
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:11:50 PM
#2
Nevermind the fact that the hacker has a copy the database, and has all for info required to make a claim. The only thing protecting you is a verification email and/or a copy of your ID.

Quote from: Maged on May 19, 2012, 07:08:07 PM
This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.
Maged
legendary
Activity: 1204
Merit: 1015
Re: [WARNING] Bitcoinica Claims Process is insecure
May 19, 2012, 07:08:07 PM
#1
Currently, the Bitcoinica claims process is more insecure than anything I've seen here before. Until these issues are resolved, I'd advise that you DO NOT submit any information.

1) The SSL certificate is from a SSL provider that has been compromised.
2) All information submitted is stored in plain text on a server that will almost certainly be re-compromised, especially since it is still on Rackspace. I suspect that the ID submissions are handled in the same manner.
3) Email verifications are sent using a cloud service, again in plain text.

This is not some claims system that was carefully created over several days. At best, I'd say that this took a few hours. Hell, even MtGox handled this better.
Bitcoin Forum>Bitcoin>Bitcoin Discussion
Jump to: