Security Comparison of Bitcoin-Denominated Instruments Exchanges

Monday, 27 August, Year 4 d.Tr. | Author: Mircea Popescu
I. Interference with the client-server relationship.
I.1. Dictionary attack.
MPEx A dictionary attack has not yet been deployed successfully against GPG.
GLBSE Recent user account compromise through dictionary attack (could also have been user error). Mitigation includes reCaptcha, a system which was defeated in the field (notably by 4chan in the moot on Time 100 incident) and optionally Security token (Yubikey).
Cryptostocks No mitigation.
icbit No mitigation.
I.2. Session stealing.
MPEx No sessions to steal.
GLBSE Theoretically possible.
Cryptostocks Theoretically possible.
icbit Theoretically possible.
I.3. Man in the middle attack.
MPEx As strong as GPG (successful attack never demonstrated so far).
GLBSE As strong as https (at least one particular form of successful attack demonstrated at Blackhat Conference 2009).
Cryptostocks As strong as https (-"-).
icbit As strong as https (-"-).
I.4. Data leakage.
MPEx No foreign properties embedded on page.
GLBSE Leaks user details through Google Analytics javascript and Twitter image embed.
Cryptostocks Leaks user details through Google Analytics javascript.
icbit Leaks user details through Google Analytics javascript.
II. Interference with the server.
II.1. Server rooted.
MPEx List of user keyids and assets exposed. No emails (other than embedded in signature). No passwords. Server does not run bitcoin client.
GLBSE Emails (salted & hashed ?), user passwords (presumably bcrypted ?) and assets exposed. Hot wallet (unknown limits).
Cryptostocks Emails (hashed ?) and user passwords (presumably bcrypted ?) and assets exposed. Hot wallet ?
icbit -"-
II.2. DNS poisoning / stealing.
MPEx Maintains its own DNS servers.
GLBSE Uses CloudFlare (4chan was recently defaced by UGNazi through partial attack on CloudFlare using flaws in Google Auth).
Cryptostocks Godaddy DNS servers.
icbit DNS by
II.3. Server uptime.
MPEx 100% past 30 days.
GLBSE ~98% past 30 days.
Cryptostocks 100% past 30 days.
icbit 100% past 30 days.
III. Non-technical threats.
III.1. Legal.
MPEx Unregistered. Public face seems to be a Romanian national located in Romania (EU).
GLBSE Unregistered. Public face seems to be an English national located in China. Either the exchange itself, the public face or both may be identified at a later date as Does in the Cartmell - Bitcoinica lawsuit. Holds personally indentifying information of users without a license (an offense in the EU).
Cryptostocks Unregistered. Seems to be subsidiary of Vircurex (BTC exchange, ~150 BTC monthly volume).
icbit Unregistered. Owner unknown.
III.2. Inheritance of assets.
MPEx Can suspend activity cleanly by providing asset owners with list of holders' signatures and shareholders signed/encrypted lists of their own assets.
GLBSE Suspension of activity would likely include an account claiming procedure, similar to Bitcoinica's.
Cryptostocks -"-
icbit -"-
III.3. Fraudulent assets.
MPEx Theoretically possible. No self-serve procedure for asset creation by users. No self-serve procedure for share creation by asset owners. Detailed, GPG signed contracts.
GLBSE Over half of assets listed historically turned fraudulent. Changes in asset creating process might have reduced but are unlikely to have completely eliminated the listing of such. Few assets have actual contracts associated. The rights of shareholders are not protected against arbitrary contract modifications. Asset creators have the ability to create more shares and thus to dillute any asset.
Cryptostocks No actual assets.
icbit No actual assets.
Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

6 Responses

  1. Mircea Popescu`s avatar
    Mircea Popescu 
    Monday, 3 September 2012

    Quote from: nedbert9 on Today at 02:32:40 PM
    DiabloD3's comment about enabling 2FA for each and every GLBSE activity is very good advice. By 2FA design, even if your session is hijacked the attacker will not have the 2FA auth code to take any action within your account. Here's the scary part. GLBSE's 2FA measures might be buggy. Take a look at this quote.

    Quote from: SmiGueL on August 30, 2012, 05:18:18 PM
    Even if you,after you totaly CLOSE Internet Explorer or Firefox, (I don't use Chrome, so can't test it) go to GLBSE your session is still active/logged in.

    Actually, after you restart your computer, it is still logged in..

    I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

    I emphasize *might* be buggy. It is not for me to say.

    Problem is three fold. First, 2FA enabled does not require 2FA for every action, you have to click ALL the boxes to do this. Second, there is no 2FA option for buying/selling, only transferring assets between GLBSE accounts and withdrawing BTC and password changing and logging in, thus flash crashes using your assets is still possible. Third, GLBSE can (but doesn't) set cookies for session only, which means closing the browser clears the session cookies, but you should manually log out anyhow so this is the least problematic of the three.

    I have brought this up with nefario before, he has not fixed it yet.


  2. Mircea Popescu`s avatar
    Mircea Popescu 
    Saturday, 6 October 2012

    Aaaand... it's gone.

  1. [...] mici de tranzactionare (0.2% doar pentru vinzari, 0% pentru cumparari), volumul semnificativ, insemnatele avantaje de securitate, viteza si disponibilitate, diverse alte avantaje (transferuri de valori gratis, margin etc) vor [...]

  2. [...] (aka GLBSE) was for a time trying to sell itself as "the Bitcoin Stock Exchange", in spite of glaring flaws and general incompetence. The situation came to a head recently, and the fallout is quite amusing [...]

  3. [...] that happens to be the criteria I use. Nevertheless, they do figure nominally, for instance in my Security Comparison of Bitcoin-Denominated Instruments Exchanges piece from two months ago (and what busy months they [...]

  4. [...] September 3, 2012 It was said before, it will need (apparently) to be said again: GLBSE is a bad choice for security and other [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.