Bitcointalk Mobile Browser presented by IRLBTC™

>> (p.1)

Author

Topic: [WARNING] Bitcoinica Claims Process is insecure (Read 2319 times)

Maged (OP)

Legendary

Offline

Activity: 1204
Merit: 1015

[WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 12:08:07 AM
Last edit: May 20, 2012, 12:35:02 AM by Maged

Currently, the Bitcoinica claims process is more insecure than anything I've seen here before. Until these issues are resolved, I'd advise that you DO NOT submit any information.

1) The SSL certificate is from a SSL provider that has been compromised.
2) All information submitted is stored in plain text on a server that will almost certainly be re-compromised, especially since it is still on Rackspace. I suspect that the ID submissions are handled in the same manner.
3) Email verifications are sent using a cloud service, again in plain text.

This is not some claims system that was carefully created over several days. At best, I'd say that this took a few hours. Hell, even MtGox handled this better.

Like my posts? Donate!
1MagedVeZqDtU4Jh5BdgvHpcWk9dXFzZY8

Blazr

Hero Member

Offline

Activity: 882
Merit: 1008

Re: Bitcoinica Claims Process is insecure

May 20, 2012, 12:11:50 AM

Nevermind the fact that the hacker has a copy the database, and has all for info required to make a claim. The only thing protecting you is a verification email and/or a copy of your ID.

Quote from: Maged on May 20, 2012, 12:08:07 AM

This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.

My PGP key: 0x5C34AC7629163393 || Keybase

Maged (OP)

Legendary

Offline

Activity: 1204
Merit: 1015

Re: Bitcoinica Claims Process is insecure

May 20, 2012, 12:15:42 AM

Quote from: Blazr on May 20, 2012, 12:11:50 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

This is not some claims system that was carefully created over several days.

In Zhou's own words, he built Bitcoinica in 4 days.

And I'm sure that if he had built the claims system, it would have been significantly more secure.

Like my posts? Donate!
1MagedVeZqDtU4Jh5BdgvHpcWk9dXFzZY8

Maged (OP)

Legendary

Offline

Activity: 1204
Merit: 1015

Re: Bitcoinica Claims Process is insecure

May 20, 2012, 12:20:02 AM

Turns out that they also still use Rackspace. Why am I the one to bring this stuff up?

Like my posts? Donate!
1MagedVeZqDtU4Jh5BdgvHpcWk9dXFzZY8

Maged (OP)

Legendary

Offline

Activity: 1204
Merit: 1015

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 12:36:55 AM

Oh good, some people in the Mega-thread already noticed this:
https://bt.irlbtc.com/view/81045.msg907344#msg907344

Like my posts? Donate!
1MagedVeZqDtU4Jh5BdgvHpcWk9dXFzZY8

theymos

Administrator
Legendary

Offline

Activity: 5642
Merit: 14461

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

zer0

Sr. Member

Offline

Activity: 350
Merit: 250

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 12:49:53 AM

Why doesn't he upload a PGP key to https://privacybox.de/index.en.html and take encrypted claims submissions

rjk

Sr. Member

Offline

Activity: 462
Merit: 250

1ngldh

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 12:55:26 AM

Quote from: theymos on May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!

zer0

Sr. Member

Offline

Activity: 350
Merit: 250

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 01:08:10 AM
Last edit: May 20, 2012, 01:20:27 AM by zer0

Quote from: rjk on May 20, 2012, 12:55:26 AM

Quote from: theymos on May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised. 90s system that was randomly thought up to secure a handful of sites
http://youtu.be/Z7Wl2FW2TcA watch this

rjk

Sr. Member

Offline

Activity: 462
Merit: 250

1ngldh

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 01:11:34 AM

#10

Quote from: zer0 on May 20, 2012, 01:08:10 AM

Quote from: rjk on May 20, 2012, 12:55:26 AM

Quote from: theymos on May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA watch this

Yeah OK, well I thought you meant they might have had the private key to their root certificate compromised, or their systems broken into and bad certs issued, or whatever. My projects aren't anything the gubmint is interested it so I'm not really worried.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!

zer0

Sr. Member

Offline

Activity: 350
Merit: 250

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 01:18:19 AM
Last edit: May 20, 2012, 01:28:55 AM by zer0

#11

Quote from: rjk on May 20, 2012, 01:11:34 AM

Quote from: zer0 on May 20, 2012, 01:08:10 AM

Quote from: rjk on May 20, 2012, 12:55:26 AM

Quote from: theymos on May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Basically all SSL is compromised.
http://youtu.be/Z7Wl2FW2TcA watch this

You don't have to worry about the gubmint, you have to worry about the hacker (or rackpace admintinfoil) getting your claims info so they can steal your coins again for the second time. And I guess, having your phone number and other information spread all over the internets

rjk

Sr. Member

Offline

Activity: 462
Merit: 250

1ngldh

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 01:52:28 AM

#12

Quote from: zer0 on May 20, 2012, 01:18:19 AM

Um, that is a new certificate (did you look?) generated 5/16/2012 by Patrick's personal account. After the hack. Presumably the previous cert was compromised and then revoked afterwards, but I don't have a copy of the fingerprint so I can't check its revocation status.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!

Maged (OP)

Legendary

Offline

Activity: 1204
Merit: 1015

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 04:07:53 AM

#13

Quote from: rjk on May 20, 2012, 12:55:26 AM

Quote from: theymos on May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

It has been compromised in the past, so it likely will again in the future. You should simply just not use StartCom, especially after you've been hacked yourself. StartCom should have been completely blacklisted in browsers.

Like my posts? Donate!
1MagedVeZqDtU4Jh5BdgvHpcWk9dXFzZY8

rjk

Sr. Member

Offline

Activity: 462
Merit: 250

1ngldh

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 05:09:29 AM

#14

Quote from: Maged on May 20, 2012, 04:07:53 AM

Quote from: rjk on May 20, 2012, 12:55:26 AM

Quote from: theymos on May 20, 2012, 12:46:18 AM

Quote from: Maged on May 20, 2012, 12:08:07 AM

1) The SSL certificate is from a SSL provider that has been compromised.

It doesn't matter if a site uses a "weak" certificate authority, since any CA can override any other CA's certificates. (The CA system is terrible.) It's smartest to use the cheapest CA you can.

StartCom/StartSSL has been compromised? Do please enlighten me - I make extensive use of their services.

Ah yes, I remember that incident now, it was during the Comodo debacle -

Quote from: theregister

[...]"StartCom was lucky enough, I already connected to their HSM, got access to their HSM, sent my request, but lucky Eddy [StartCom CEO Eddy Nigg] was sitting behind HSM and was doing manual verification."[...]

Yeah this is lame. I wonder if there is a list of CA's that can definitely and for sure say that they have never been breached. I bet it is fairly short.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!

theymos

Administrator
Legendary

Offline

Activity: 5642
Merit: 14461

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 05:14:09 AM

#15

Quote from: Maged on May 20, 2012, 04:07:53 AM

Comodo, USER-TRUST, and even Verisign have also been compromised in the past, and there's no chance that they'll be removed from browsers because they're so popular. Lots of governments also have their own probably-insecure CAs which are accepted by all browsers. The CA system is a lost cause.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

acoindr

Legendary

Offline

Activity: 1050
Merit: 1002

Re: [WARNING] Bitcoinica Claims Process is insecure

May 20, 2012, 10:03:07 PM

#16

Quote from: theymos on May 20, 2012, 05:14:09 AM

Quote from: Maged on May 20, 2012, 04:07:53 AM

Did everyone watch the video @zer0 linked above?

http://youtu.be/Z7Wl2FW2TcA

I think the Convergence system is what everyone should be pushing toward.

Pages: [1]

Page 1

Viewing Page: 1