Topic: Cloudbleed PSA: BitSharestalk.org affected. CHANGE YOUR PASSWORDS


Offline paliboy

> Not that I'm paranoid or anything, you know I'm the tinfoil guy, but is there another 2FA app out there besides the google authenticator? An open source app that does not rely on SMS messages? Maybe even one that does not require internet access?

If you want to solve mobile client side, the alternative could be https://freeotp.github.io/. There are also open source alternatives for server-side.

Offline xeroc
> Anyone know https://bitshares.org/wallet affected or not?

> I'd imagine yes. I remember avoiding bitshares.org because it used cloudflare in the past (annoying captchas that require javascript to be turned on, and even if they didn't, more to do than endlessly train google AI)

No sensitive data is ever transmitted when using a bitshares-ui wallet .. not the password, nor any keys can be compromised this way ... worst could have been a code injection .. but I highly doubt that has happened

Offline karnal
> Anyone know https://bitshares.org/wallet affected or not?

I'd imagine yes. I remember avoiding bitshares.org because it used cloudflare in the past (annoying captchas that require javascript to be turned on, and even if they didn't, more to do than endlessly train google AI)

Offline karnal
SSL broken by design?

Well, definitely if you add a MiTM purposefully to the equation ..

https://bitsharestalk.org/index.php/topic,21695.0.html

Offline abit
BitShares committee member: abit
BitShares witness: in.abit

Offline kenCode
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline fav
> Not that I'm paranoid or anything, you know I'm the tinfoil guy, but is there another 2FA app out there besides the google authenticator? An open source app that does not rely on SMS messages? Maybe even one that does not require internet access?

yup, https://doc.satoshilabs.com/trezor-user/u2f.html

iHashFury
I will be buying a Trezor when the ChainSquad release the code for graphene  ;)

Offline kenCode
Not that I'm paranoid or anything, you know I'm the tinfoil guy, but is there another 2FA app out there besides the google authenticator? An open source app that does not rely on SMS messages? Maybe even one that does not require internet access?

Offline fav
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

as a consequence, any traffic that went through cloudflare (even https) could potentially be leaked. that includes your passwords in plain text.

ssl is broken by design, and it was just a matter of time until that bubble burst big time.

affected sites (among many more)

bitsharestalk
poloniex
localbitcoins
kraken
reddit

please change your passwords immediately and re-enable 2fa.

fav
24/02/2017
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.64
Comment: https://keybase.io/crypto
-----END PGP SIGNATURE-----