Monthly Archives: June 2014

The security fail blockchain won’t tell you about

The blockchain.info model is usually presented as the best available to store money easily. It’s nicely summed-up in its description:

The amazing part is the encryption is all done within your browser, before it is saved on our servers, so not even we have access to your account!

Which is a bit misleading: if the wallet code is served dynamically, it can also be dynamically and selectively changed in order to leak keys.[1]

It goes further when one realizes that Blockchain.info uses the DDoS-mitigation service of CloudFlare. It is a trade-off, in exchange for protection, you have to give up a great deal of security.[2]

Because it has to terminate the TLS tunnel, CloudFlare gets to see and alter all the traffic flowing both ways.

That can not only be used to alter the data on-the-fly, but more importantly to sniff signed transactions and AES-encrypted wallet blobs.

In other words, CloudFlare can, without ever being detected:

  • know which wallets are fat and ripe, and apply offline brute-force key cracking techniques on their specific AES blobs[3],
  • de-anonymize Bitcoin addresses by mapping them to the IPs from which signed transactions originate.

It’s ok though, the NSA doesn’t care.

 

[1] The way this is usually dismissed is by arguing that clients can run a client-side code verifier, which is theoretically true.

[2] See: The CloudFlare MITM

[3] Think your password is strong? Think again.

X.EUR June 15th 2014 statement

Starting today June 15th, X.EUR monthly data will be published here.

The reported close shall be the price of the last trade that happened prior to the rollover, the implied EUR/BTC shall be calculated as 1/close.

The reported VWAP is, not very surprisingly, calculated as the sum of all trade prices times the traded quantity, divided by the sum of traded quantities.

The open interest is the number of contracts currently held by parties other than the market maker, aka myself.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

X.EUR 15/06/2014 report

Close              : 0.00226585 BTC
Close imp. EUR/BTC : 441.34 EUR/BTC
Volume             : 16,817 contracts
VWAP               : 0.00235050 BTC
VWAP imp. EUR/BTC  : 425.44 EUR/BTC
Open interest      : 1,234 contracts (+293 since 15/05)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)

iQEcBAEBAgAGBQJTneO0AAoJEBMojqsBcTQofTgH/ArygYQzgXcjTKSW5itmfbk8
7ODM3TArOYNUWbgC5azBOV/vAC3Z16qUiG4wg23mPbjegNyiGiBzmQtHzGmmrzOX
0DIHduHLE5cI+aWwglKP+SSgChqnbmLi4H025n0R+YBXvCj6/p7WLlg7r80xxy00
t/qogsK6KntjSYpwwhFGycfDQv+PLv6iP0YKDKKAYW7Vg/Av7+KpzqFBiBcdmN9y
KY8/1AuMJzEdUbAHx+s83oQ8Dvbvej2IxOpOoUJc2WYWwxFnYuw0IsU7yeGKmsfu
mWSvkkSTLAopiOgvuvhEh1n0z2r9+0BWctbZ4AIjfSW1+XD77ATzqB1mVN0xC2Q=
=4h9x
-----END PGP SIGNATURE-----