Topic: WARNING: Do not download BTSX client from non-https website.  (Read 514 times)


Offline toast

WARNING: Do not download BTSX client from non-https website.
« on: October 26, 2014, 08:22:22 PM »

edit:   False alarm. But warnings in this post are still true of course.

I've been warning DSL about this and it looks like it might have happened...

We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Legit versions with hashes (still not signed by DSL but w/e at least github should be secure):  https://github.com/dacsunlimited/bitsharesx/releases

Until DSL fixes it to automatically use https, always type it explicitly:
https://bitshares-x.info

Will update when I have more info.
« Last Edit: October 26, 2014, 08:48:32 PM by toast »
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.
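A worked example of the check the post recommends: fetch the hash list only over https and verify the downloaded client against it before running anything. This is added illustration code, not the BitShares project's own tooling and not from the original post; the manifest format (sha256sum-style `<hex>  <filename>` lines), the file name `bitsharesx-client.tar.gz` and the file contents in `demo()` are constructed assumptions.

```python
"""Check a downloaded client binary against a hash manifest obtained
separately over HTTPS (e.g. the hashes on the GitHub releases page).

Added example code, not the BitShares project's own tooling. The manifest
format, file name and file contents used in demo() are constructed."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

HEX = set("0123456789abcdef")


def require_https(url):
    """Return the URL unchanged if it is https://, else raise.
    A plain-http fetch lets anyone on the path swap the binary."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing non-https URL: %s" % url)
    return url


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into a
    {filename: hexdigest} dict. Blank lines and '#' comments are skipped;
    anything else that does not fit the format raises."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("malformed manifest line %d: %r" % (lineno, raw))
        digest, name = fields[0].lower(), fields[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError("bad digest on manifest line %d: %r" % (lineno, raw))
        manifest[name] = digest
    return manifest


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest, name):
    """True only if `name` is listed in the manifest and the file on disk
    hashes to exactly that value. A file absent from the manifest fails:
    an attacker who can serve a fake binary can serve it under a new name."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed end-to-end run: a 'downloaded' file that matches its
    manifest entry, then the same file after one byte of tampering.
    Returns (verified_before, verified_after)."""
    data = b"constructed stand-in for the real client archive\n"
    name = "bitsharesx-client.tar.gz"
    manifest = parse_sha256sums(
        "# hashes copied from the https:// releases page\n"
        "%s  %s\n" % (hashlib.sha256(data).hexdigest(), name)
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        before = verify_download(path, manifest, name)
        with open(path, "ab") as f:
            f.write(b"\x90")  # injected change to the "binary"
        after = verify_download(path, manifest, name)
    return before, after


if __name__ == "__main__":
    require_https("https://github.com/dacsunlimited/bitsharesx/releases")
    print("verified before/after tampering:", demo())
```

The hash list has to come from a channel you trust independently of the download itself (here, the GitHub releases page over TLS). A hash served next to the binary over the same plain-http connection can be rewritten by the same man-in-the-middle, and a check that runs inside the downloaded program proves nothing, since a replaced binary can simply skip it. Note the post's own caveat that the releases are not signed by DSL, so this check trusts GitHub's TLS and account security rather than a developer key.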

Offline xeroc

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #1 on: October 26, 2014, 08:32:23 PM »
At least we have a confirmation that BitShares is worth hacking malware into the code .. nice and sad at the same time
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline arhag

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #2 on: October 26, 2014, 08:37:21 PM »
Quote
We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Wow! That would require someone to actually be attempting man-in-the-middle attacks on the users who are downloading from bitshares-x.info. That is pretty amazing if true, since it would be quite a bit of effort for someone to go through to attack BitShares users (BitShares is getting people's attention :) ).


I don't know how much you guys are prioritizing security features internally, but I think they are really important. We still don't have:
  • Ability to sign and verify messages using TITAN accounts from the GUI client.
  • Cold storage with offline transaction signing. I should be able to create a transaction and generate the bundle of all data necessary from my hot client, store it on a flash drive, move it over to another offline computer running a live Linux environment, get the cold client to sign the transaction and store it back on the flash drive, take it back to the hot client and have it broadcast the transaction to the network.
  • Usable multisig. Not just escrows, but also something like this and this.

These three features are more important to me than voting, on-ramps, or even lightweight clients.
« Last Edit: October 26, 2014, 08:41:53 PM by arhag »

Offline toast

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #3 on: October 26, 2014, 08:48:10 PM »
False alarm. But warnings in OP are still true of course.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline mf-tzo

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #4 on: October 26, 2014, 08:57:37 PM »
Quote
don't know how much you guys are prioritizing security features internally, but I think they are really important. We still don't have:
Ability to sign and verify messages using TITAN accounts from the GUI client.
Cold storage with offline transaction signing. I should be able to create a transaction and generate the bundle of all data necessary from my hot client, store it on a flash drive, move it over to another offline computer running a live Linux environment, get the cold client to sign the transaction and store it back on the flash drive, take it back to the hot client and have it broadcast the transaction to the network.
Usable multisig. Not just escrows, but also something like this and this.

These three features are more important to me than voting, on-ramps, or even lightweight clients.

Security, for me, is the most important thing as well, more than anything else...

Offline sudo

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #5 on: October 27, 2014, 03:09:34 AM »
Is it possible to embed the BTS client hash code into the BTS blockchain & self-test when it runs?

Offline bytemaster

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #6 on: October 27, 2014, 03:40:12 AM »
Quote
Is it possible to embed the BTS client hash code into the BTS blockchain & self-test when it runs?

The attacker's binary would skip the self-test and report success.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline DACSunlimited

Re: WARNING: Do not download BTSX client from non-https website.
« Reply #7 on: October 27, 2014, 07:29:26 AM »
Quote
edit:   False alarm. But warnings in this post are still true of course.

I've been warning DSL about this and it looks like it might have happened...

We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Legit versions with hashes (still not signed by DSL but w/e at least github should be secure):  https://github.com/dacsunlimited/bitsharesx/releases

Until DSL fixes it to automatically use https, always type it explicitly:
https://bitshares-x.info

Will update when I have more info.

Fixed: it now automatically rewrites to https.
Dropping us a mail will be the fastest way in an emergency, thanks.
