Author Topic: WARNING: Do not download BTSX client from non-https website.


Offline DACSunlimited

Edit: False alarm. But the warnings in this post are still true, of course.

I've been warning DSL about this and it looks like it might have happened...

We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Legit versions with hashes (still not signed by DSL but w/e at least github should be secure):  https://github.com/dacsunlimited/bitsharesx/releases

Until DSL fixes it to automatically use https, always type it explicitly:
https://bitshares-x.info

Will update when I have more info.

Fixed: the site now automatically rewrites to https.
Dropping us a mail will be the fastest way to reach us in an emergency, thanks.

Offline bytemaster

Quote from: sudo
Is it possible to embed the BTS client hash code in the BTS blockchain and self-test when it runs?

The attacker's binary would skip the self-test and report success.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
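The OP points people at the release hashes on GitHub, and bytemaster's reply explains why a self-test inside the downloaded binary is worthless: the attacker ships a binary without the check. The check therefore has to run in a tool that is independent of the thing being checked. The following is an added example, not code from DSL, the BitShares project, or any poster: a small Go verifier that reads a SHA256SUMS-style text file (one `<hex>  <filename>` line per artifact, the format coreutils `sha256sum` writes; the assumption here is that the release page publishes something of that shape) and compares the digest of a downloaded file against it. The file name and contents are constructed for the demo.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// lookupExpected parses SHA256SUMS-style text ("<hex>  <filename>" per line)
// and returns the digest listed for name, or an error if it is not listed.
func lookupExpected(sums, name string) ([]byte, error) {
	sc := bufio.NewScanner(strings.NewReader(sums))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		i := strings.IndexAny(line, " \t")
		if i < 0 {
			continue
		}
		// coreutils prefixes "*" to names hashed in binary mode; strip it.
		listed := strings.TrimPrefix(strings.TrimSpace(line[i:]), "*")
		if listed == name {
			return hex.DecodeString(line[:i])
		}
	}
	return nil, errors.New("no digest listed for " + name)
}

// VerifyRelease returns true only when the SHA-256 of data matches the digest
// listed for name. A file with no listed digest, or a malformed digest, is
// rejected rather than silently accepted.
func VerifyRelease(data []byte, sums, name string) (bool, error) {
	want, err := lookupExpected(sums, name)
	if err != nil {
		return false, err
	}
	if len(want) != sha256.Size {
		return false, errors.New("malformed digest for " + name)
	}
	got := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(got[:], want) == 1, nil
}

// Constructed stand-in for a downloaded release archive; not a real artifact.
var goodClient = []byte("pretend this is a BitSharesX release archive\n")

// sampleSums builds a constructed SHA256SUMS file listing goodClient.
func sampleSums() string {
	h := sha256.Sum256(goodClient)
	return "# constructed SHA256SUMS\n" + hex.EncodeToString(h[:]) + "  BitSharesX.tar.gz\n"
}

func main() {
	sums := sampleSums()
	ok, _ := VerifyRelease(goodClient, sums, "BitSharesX.tar.gz")
	fmt.Println("genuine download verifies:", ok)

	// A MITM that prepends or swaps bytes changes the digest and fails the check.
	tampered := append([]byte("injected stub\n"), goodClient...)
	ok, _ = VerifyRelease(tampered, sums, "BitSharesX.tar.gz")
	fmt.Println("tampered download verifies:", ok)
}
```

The hash list only helps if it is fetched over a channel the attacker cannot rewrite (the https GitHub page the OP links, not the plain-http site being MITMed), which is also why the OP's remark that the releases are "still not signed" matters: a signature over the hash list would let the verifier check it even when the list itself arrived over an untrusted channel.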

Offline sudo

Is it possible to embed the BTS client hash code in the BTS blockchain and self-test when it runs?

Offline mf-tzo

Quote from: arhag
I don't know how much you guys are prioritizing security features internally, but I think they are really important. We still don't have:
  • Ability to sign and verify messages using TITAN accounts from the GUI client.
  • Cold storage with offline transaction signing. I should be able to create a transaction and generate the bundle of all data necessary from my hot client, store it on a flash drive, move it over to another offline computer running a live Linux environment, get the cold client to sign the transaction and store it back on the flash drive, take it back to the hot client and have it broadcast the transaction to the network.
  • Usable multisig. Not just escrows, but also something like this and this.

These three features are more important to me than voting, on-ramps, or even lightweight clients.

Security for me is also the most important thing, more than anything else...

Offline toast

False alarm. But warnings in OP are still true of course.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline arhag

We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the the non-https version of bitshares-x.info.

Wow! That would require someone to actually be attempting man-in-the-middle attacks on the users who are downloading from bitshares-x.info. That is pretty amazing if true, since it would be quite a bit of effort for someone to go through to attack BitShares users (BitShares is getting people's attention :) ).


I don't know how much you guys are prioritizing security features internally, but I think they are really important. We still don't have:
  • Ability to sign and verify messages using TITAN accounts from the GUI client.
  • Cold storage with offline transaction signing. I should be able to create a transaction and generate the bundle of all data necessary from my hot client, store it on a flash drive, move it over to another offline computer running a live Linux environment, get the cold client to sign the transaction and store it back on the flash drive, take it back to the hot client and have it broadcast the transaction to the network.
  • Usable multisig. Not just escrows, but also something like this and this.

These three features are more important to me than voting, on-ramps, or even lightweight clients.
« Last Edit: October 26, 2014, 08:41:53 pm by arhag »
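arhag's second item describes a concrete workflow: the hot client builds a bundle, the bundle crosses an air gap on a flash drive, the cold machine signs it, and the hot client broadcasts the result. The following is an added example (not BitShares code, and not anything arhag posted) of that round trip in Go using Ed25519 from the standard library; the transaction fields, the JSON bundle layout, and the function names are assumptions made for the demo, and BitShares' real transaction format and signature scheme are not what is shown here. The point it adds to the description is the last step: the hot client verifies the returned bundle against the public key it already knows before broadcasting, so a bundle altered on the way back, or signed by the wrong key, never reaches the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// UnsignedTx is the hypothetical bundle the hot client writes to the flash
// drive: everything the cold side needs to sign, and no secret material.
type UnsignedTx struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount uint64 `json:"amount"`
	Nonce  uint64 `json:"nonce"`
}

// SignedBundle is what travels back to the hot client for broadcast.
type SignedBundle struct {
	Tx        UnsignedTx        `json:"tx"`
	PubKey    ed25519.PublicKey `json:"pubkey"`
	Signature []byte            `json:"signature"`
}

// canonical is the exact byte string that gets signed. encoding/json writes
// struct fields in declaration order with no whitespace, so the hot and cold
// machines derive identical bytes from identical fields.
func canonical(tx UnsignedTx) ([]byte, error) { return json.Marshal(tx) }

// HotPrepare runs online and never sees a private key.
func HotPrepare(tx UnsignedTx) ([]byte, error) { return canonical(tx) }

// ColdSign runs on the offline machine. It re-serialises the parsed fields
// rather than signing the raw bundle bytes, so what is signed is exactly what
// an operator could be shown on the cold screen before approving.
func ColdSign(bundle []byte, priv ed25519.PrivateKey) ([]byte, error) {
	var tx UnsignedTx
	if err := json.Unmarshal(bundle, &tx); err != nil {
		return nil, err
	}
	msg, err := canonical(tx)
	if err != nil {
		return nil, err
	}
	return json.Marshal(SignedBundle{
		Tx:        tx,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, msg),
	})
}

// HotVerify runs online before broadcast. The hot client checks the bundle
// against the public key it already knows for the account, so a flash drive
// that came back altered, or signed by some other key, is rejected.
func HotVerify(signed []byte, expectedPub ed25519.PublicKey) (UnsignedTx, error) {
	var b SignedBundle
	if err := json.Unmarshal(signed, &b); err != nil {
		return UnsignedTx{}, err
	}
	if !b.PubKey.Equal(expectedPub) {
		return UnsignedTx{}, errors.New("bundle signed by an unexpected key")
	}
	msg, err := canonical(b.Tx)
	if err != nil {
		return UnsignedTx{}, err
	}
	if !ed25519.Verify(expectedPub, msg, b.Signature) {
		return UnsignedTx{}, errors.New("signature does not cover these transaction fields")
	}
	return b.Tx, nil
}

func main() {
	// Key pair generated here for the demo; in practice it exists only on the cold machine.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	tx := UnsignedTx{From: "alice", To: "bob", Amount: 1000, Nonce: 7}
	bundle, _ := HotPrepare(tx)         // hot client -> flash drive
	signed, _ := ColdSign(bundle, priv) // cold client signs -> flash drive
	if got, err := HotVerify(signed, pub); err == nil { // hot client checks, then broadcasts
		fmt.Println("ready to broadcast:", got)
	}

	// Tampering after signing (e.g. on the way back) is caught before broadcast.
	var b SignedBundle
	json.Unmarshal(signed, &b)
	b.Tx.Amount = 1000000
	forged, _ := json.Marshal(b)
	_, err := HotVerify(forged, pub)
	fmt.Println("altered bundle rejected:", err != nil)
}
```

The cold side signs the re-serialised fields, not the raw bytes it was handed, so a bundle padded with extra JSON keys or whitespace cannot smuggle anything past the operator that the signature then covers; the hot side recomputes the same canonical bytes, which is what ties the signature to the displayed transaction.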

Offline xeroc

At least we have confirmation that BitShares is worth hacking malware into the code... nice and sad at the same time.

Offline toast

Quote from: DACSunlimited
We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.
« Last Edit: October 26, 2014, 08:48:32 pm by toast »