When accessing the lnbits.com wallet over the Tor network yesterday (2021-09-30) I noticed that CloudFlare was used (got the captcha treatment).
This is bad security practice for a number of reasons. First off, you expose every wallet accessed to a "Man In The Middle" (MITM), since you are sharing the HTTPS keys with CloudFlare. Also consider that information about lnbits.com users will be given by CloudFlare on government requests (this is an established fact: https://www.cloudflare.com/transparency). The security is already low considering all you need to access the wallet is a valid URL; exposing that URL to a third party makes it even worse.
CloudFlare has leaked information in the past due to a bug. This is possible because their cache and DDoS prevention technology lacks memory isolation between customers for performance reasons. The leak was confirmed in CloudBleed: https://en.wikipedia.org/wiki/Cloudbleed
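The reporter inferred Cloudflare fronting from the captcha page. The following is an added example, not code from the issue or from the lnbits project, showing how a wallet operator or auditor can confirm the same thing from response headers alone: the `Server`, `CF-RAY` and `cf_bm`/`cf_clearance` indicators are Cloudflare's own, while the sample responses are constructed and were not captured from lnbits.com.

```python
from typing import Dict, List

# Constructed sample: modelled on the headers Cloudflare attaches to a
# challenge (captcha) page. Not a capture from lnbits.com.
CHALLENGE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Thu, 30 Sep 2021 12:00:00 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"CF-RAY: 0123456789abcdef-AMS\r\n"
    b"Server: cloudflare\r\n"
    b"Set-Cookie: __cf_bm=deadbeef; path=/; HttpOnly; Secure\r\n"
    b"\r\n"
    b"<html><body>Checking your browser...</body></html>"
)

# Constructed sample: a self-hosted origin answering directly, no CDN in front.
DIRECT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body>wallet</body></html>"
)

CLOUDFLARE_COOKIES = ("__cfduid", "__cf_bm", "cf_clearance")


def parse_response_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response into a lower-cased header multimap."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cloudflare_indicators(headers: Dict[str, List[str]]) -> List[str]:
    """Return the evidence that a third party (Cloudflare) terminated TLS."""
    found: List[str] = []
    if any(v.lower() == "cloudflare" for v in headers.get("server", [])):
        found.append("server: cloudflare")
    if "cf-ray" in headers:
        found.append("cf-ray header present")
    if "cf-cache-status" in headers:
        found.append("cf-cache-status header present")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in CLOUDFLARE_COOKIES:
            found.append(f"cloudflare cookie {name}")
    return found


def is_fronted(raw: bytes) -> bool:
    """True when the response shows a CDN/WAF sitting between client and origin."""
    return bool(cloudflare_indicators(parse_response_headers(raw)))
```

Any positive result means the full request URL, including whatever secret a wallet URL carries, was readable at the intermediary, which is the exposure the report describes.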
Sure. lnbits.com is a playground for experimenting with the service, not a stable service, so it shouldn't be used for anything important. lnbits.com is also a private service, and like many private services it chooses to use Cloudflare to prevent attacks.
A way you could contribute from your experience is to set up a guide for running lnbits with DDoS protection and a CDN without using something like Cloudflare.