theymos

Re: Cloudflare December 02, 2013, 12:55:40 AM #22

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256



Here's what we think happened:



8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate.



Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password.



For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:

29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B



Simultaneously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once.

-----BEGIN PGP SIGNATURE-----



iF4EAREIAAYFAlKb2nkACgkQxlVWk9q1kefhTwD+Ni5k7CUrHjvzG29wO3Gx4Am+

MV5tdw8zE1AAWvbstt8BAIrndOXCYmawoXN+VeSZkLXHnCyQbR8IOftQnpl2aXYs

=465T

-----END PGP SIGNATURE-----

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
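
Added example, not part of theymos's post or the forum's own tooling: one way to perform the check described above in Python, connecting to the IP from the hosts-file entry without a DNS lookup and comparing the served certificate's SHA-1 fingerprint with the one published in the post. The function names are hypothetical, and the IP and fingerprint are the 2013 values quoted above.

```python
import hashlib
import hmac
import socket
import ssl

# Values quoted in the post above (historical, from December 2013).
PINNED_IP = "109.201.133.195"
PINNED_HOST = "bitcointalk.org"
PINNED_SHA1 = "29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B"


def normalize(fp: str) -> str:
    """Reduce a fingerprint to lowercase hex; reject anything that is not 20 bytes."""
    hexed = fp.replace(":", "").replace(" ", "").lower()
    if len(hexed) != 40 or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return hexed


def sha1_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-1 over the DER certificate, the form browsers display."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der_cert: bytes, pinned: str = PINNED_SHA1) -> bool:
    """True only if the certificate bytes hash to the pinned fingerprint."""
    return hmac.compare_digest(normalize(sha1_fingerprint(der_cert)), normalize(pinned))


def fetch_leaf_der(ip: str, hostname: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Connect to a fixed IP (no DNS lookup), send `hostname` as SNI, return the leaf cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation is off on purpose: the pin is the trust decision here, and
    # whoever controls the DNS records may hold a CA-valid certificate anyway.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def check_server(ip: str = PINNED_IP, hostname: str = PINNED_HOST) -> bool:
    """Live check; only meaningful while the pinned certificate is still deployed."""
    return matches_pin(fetch_leaf_der(ip, hostname))
```

`check_server()` makes the live connection. A pin created today would use a SHA-256 fingerprint; SHA-1 is kept here only because it is what the post published.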

gmaxwell

Re: Cloudflare December 02, 2013, 03:29:38 AM #29

Quote from: eldentyrell on December 02, 2013, 01:19:24 AM
Gee I wonder why.

Because there isn't any functional alternative at the moment. But the only thing it's used for is so you can have a "payment requests signed by XYZ.com", that's it. In no case is it weaker than not having it, excluding arguments perhaps about false senses of security. The payment protocol stuff is fully extensible so if someone shows up with a more useful PKI it can easily be added.

Seriously, I'm one of the last guys to think the situation with x509 isn't a complete farce but I don't see any problem with the payment protocol supporting x509 signing of invoices. You're not adding to the quality of discourse with that "wonder why" bullshit. Especially because there are a lot of ignorant people out there who have absolutely no idea how it works and think that supporting CA authentication of a signing key will somehow make all their transactions visible to the CA or other such threats that don't exist.

gmaxwell

Re: Cloudflare December 02, 2013, 04:21:43 AM #30
Last edit: December 02, 2013, 05:36:38 AM by gmaxwell

Looks like there is no way to escape a "cloudflare mediated attack" short of:

(1) Get a shiny new SSL cert with a CA that has a strong security policy (e.g. won't give certs to cloudflare); the current one may be adequate.

(2) Get browser vendors to pin that CA for this domain.

(3) HSTS the site.

(2) would be a somewhat amusing discussion, as Bitcointalk is much lower traffic than most of the other sites that have been CA pinned in Chrome. OTOH, we can point out that a redirect to cloudflare attack was actually performed on us, ... while most of the other pinned sites are not known to have been attacked.

gmaxwell

Re: Cloudflare December 02, 2013, 05:39:26 AM #31

Theymos, any chance you could contact Globalsign, cloudflare's CA partner, and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did and, if they did, to please list that certificate in their CRLs?



theymos

Re: Cloudflare December 02, 2013, 06:40:35 AM #32

Quote from: gmaxwell on December 02, 2013, 05:39:26 AM
Theymos, any chance you could contact Globalsign, cloudflare's CA partner, and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did and, if they did, to please list that certificate in their CRLs?

Did anyone actually save a MITM cert? I only have a few reports of unusual behavior -- nothing too solid. Personally, I observed 108.162.197.161 proxying the traffic verbatim, without touching the cert.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

rme



Re: Cloudflare December 02, 2013, 06:45:49 AM #33

Quote from: theymos on December 02, 2013, 06:40:35 AM
Quote from: gmaxwell on December 02, 2013, 05:39:26 AM
Theymos, any chance you could contact Globalsign, cloudflare's CA partner, and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did and, if they did, to please list that certificate in their CRLs?

Did anyone actually save a MITM cert? I only have a few reports of unusual behavior -- nothing too solid. Personally, I observed 108.162.197.161 proxying the traffic verbatim, without touching the cert.

I didn't save it, but I can assure that when bitcointalk.org was under cloudflare a valid SSL certificate was being served.

gmaxwell

Re: Cloudflare December 02, 2013, 07:26:31 AM #34

I looked at the darn cert, but didn't save it. Geotrust vs Globalsign ... I'm sure I wouldn't remember the difference. I was looking for something like "cloudflare".

It remains true that anyone who could respond to a http request as the server (e.g. someone at the hosting provider or an upstream ISP) to a CA could get a cert issued in the site's name, since several CAs do nothing more than request a page with a specific name. So even without the cloudflare turbo compromise ... the CA universe stinks.

gmaxwell

Re: Cloudflare December 02, 2013, 09:21:39 AM #36

Quote from: davout on December 02, 2013, 07:51:47 AM
All these threats exist

No. Mythical nonsense threats, things like the claims that supporting x509 signed payment requests will allow CAs to monitor transactions, which are structurally impossible, do not exist.

Just because something has some facility for checking some signing key was signed by another key and pretty printing a name doesn't magically give the root signer the ability to print money, monitor transactions, track users, or whatever other insipid nonsense people have convinced themselves of in their paranoia orgy. All it means is that they could impersonate that party in the pretty printing, but absent the existence of the facility _anyone_ could impersonate.

The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

The fantastical, confused, and in some cases personally violent arguments made about the x509 signing in the payment protocol are beyond the pale, even in this sometimes cesspool of a forum. Having a real commitment to security means also being aggressive in refusing nonsense insecurity claims. Sorting out the signal from the non-man-made noise is already very hard. There is no excuse for additional noise. Trolling secure systems with paranoia and FUD would be a fantastic counter-security move for a well funded attacker, and we must be robust against it.

If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.

Quote
Quote from: gmaxwell on December 02, 2013, 05:39:26 AM
Theymos, any chance you could contact Globalsign, cloudflare's CA partner, and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did and, if they did, to please list that certificate in their CRLs?

If it happened the way theymos described it's a waste of time, except maybe for getting the cert revoked.
If the DNS was changed it won't be a fraudulent request from their PoV.

It would be good to have some evidence about the system being abused in order to get improvements to the way things are done. More selfishly, it would be easier to argue for adding BCT to the browser cert pins with that kind of information. Perhaps not worth the time, but I thought I'd ask.

flynn



Re: Cloudflare December 02, 2013, 12:28:21 PM #38

http://dnssec-debugger.verisignlabs.com/bitcointalk.org

If I may, using DNSSEC would probably be the solution. And it's quite easy to implement.

Wy9o2Y3s



Re: Cloudflare December 02, 2013, 04:56:31 PM #39

We have to remember that the people behind cloudflare previously ran a project called projecthoneypot.org, a pretty useless project that thought it could stop spam.

They had financial issues when someone suddenly came around and said "Oh we could do a lot of interesting things with your data". They then magically appeared with 20 million dollars...

Cloudflare claims a lot of things which are misleading people; for example, they say that they operate 23 datacenters around the world. This is definitely a lie, as it is known that cloudflare usually only runs a router and a few servers in already existing datacenters.

They over exaggerate their capacity; they also tried to pretend to have developed their own httpd, but it is only a lightly modified version of nginx.

It was also previously written in their TOS that they allow themselves to look at the data to build some statistics and other things out of your traffic.

I would be very careful with this company.