User:Gmaxwell/insecure sites

From Bitcoin Wiki
Revision as of 20:52, 28 June 2011 by Gmaxwell (talk | contribs) (re)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Because of the cash like liquidity of bitcoin combined with its digital nature financial institutions handling it can be a more attractive target for attack than ones dealing in other valuable commodities. Yet because bitcoin is a young and uncertain system many important services are being operated on shoestring budgets an often by inexperienced parties.

When a site accepting bitcoin has poor security their compromises may shake confidence in bitcoin a little, but they suffer the most for their mistakes. When a site like a pool, web-wallet, or an exchange suffers a compromise than many other people are hurt.

Because bitcoin financial institutions currently lacks the regulatory requirements which traditional institutions are subject the community must police itself by refusing to do business with insecure operators. Unfortunately, security is a lemon market: we can't really tell if a site is secure or not until its too late. But we can at least demand some standards related to the things we can see.

This page documents high profile sites who handle other people's bitcoin who objectively fail to meet basic security requirements.

This is just personal notes for now, but I hope more people contribute to it.

Basic Web security hygiene for high value sites

Site HTTPS HSTS Sandboxed third party scripting Answerable
MTGOX Pass Fail N/A Pass
BTCGuild Pass Fail Fail  ?
exchange.bitparking Pass Fail  ? Pass
mining.bitcoin.cz (Slush's pool) Fail Fail  ?  ?
mybitcoin.com Pass Fail  ?  ?

Rationale

  • HTTPS: Without HTTPS anyone between you and the far-side (including attackers at the site's ISP or yours) can sniff or modify any of your traffic without detection. A few lines of code in a proxy could replace every bitcoin address displayed with ones an attacker controls. Sites with self-signed certs are treated as failures because most users will just click through them blindly if they are normal and expected.
  • HSTS: Unfortunately, HTTPS isn't enough, the same attacker as above can simply block https and proxy you via HTTP. Considering many bitcoin sites have not offered HTTP at all, this won't stop victims from disclosing secret information at all. HSTS stops this attack dead for people with modern browsers.
  • Sandboxed third party scripting: All the XSS resistance in the world doesn't do you a darn bit of good if you're explicitly accepting scripting (e.g. ads), embedded videos, etc, from third party sites without proper sandboxing.
  • Answerable: Anonymous persons, minors, and people who have played various jurisdictional games may be invulnerable to remedy (be it a civil suit, or a good ole' fashion libertarian lynching) for fraudulent or negligent dealing. Reputations are cheap, especially in such a new economy so losing yours isn't much of a deterrent to taking the money and running. Any money put in the hands of such a party is subject to atypically great risk. The operators of sites that handle money for other people should be adults with known identity.