BitShares Forum

Main => General Discussion => Topic started by: toast on October 26, 2014, 08:22:22 pm

Title: WARNING: Do not download BTSX client from non-https website.
Post by: toast on October 26, 2014, 08:22:22 pm
edit: False alarm. But warnings in this post are still true of course.

I've been warning DSL about this and it looks like it might have happened...

We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Legit versions with hashes (still not signed by DSL but w/e at least github should be secure): https://github.com/dacsunlimited/bitsharesx/releases

Until DSL fixes it to automatically use https, always type it explicitly:
https://bitshares-x.info

Will update when I have more info.
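The check the OP is pointing people at, written out as an added example that is not part of the thread or the project: compare a downloaded client archive against a sha256sum-style list fetched separately over HTTPS from the GitHub release page. The file names and the checksum list are constructed for illustration; the list has to come from the authenticated source, not from the same plain-HTTP page as the download, otherwise a man-in-the-middle can rewrite both.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a downloaded archive against a
# checksum list in sha256sum format ("<hex>  <filename>" or "<hex> *<filename>").
# The checksum list is assumed to have been fetched over HTTPS (e.g. from the
# GitHub release page); a hash served from the untrusted HTTP page proves nothing.

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_release <archive> <checksum-list>
# Returns 0 when the archive's SHA-256 matches its entry in the list,
# 1 on mismatch, 2 when the list has no entry for the file at all
# (an unknown file is not treated as "ok").
verify_release() {
    archive="$1"
    sums="$2"
    name=$(basename "$archive")
    # Strip the "*" that sha256sum prefixes for binary-mode entries before matching.
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Usage (constructed file names):
#   verify_release ./BitSharesX.tar.gz ./SHA256SUMS || echo "do not run this binary"
```

A matching hash only shows the file is the one the release page lists; as the OP notes, the releases are not signed, so a signature from the publisher over the checksum list would be the stronger check.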
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: xeroc on October 26, 2014, 08:32:23 pm
At least we have a confirmation that BitShares is worth hacking malware into the code .. nice and sad at the same time
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: arhag on October 26, 2014, 08:37:21 pm
We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Wow! That would require someone to actually be attempting man-in-the-middle attacks on the users who are downloading from bitshares-x.info. That is pretty amazing if true, since it would be quite a bit of effort for someone to go through to attack BitShares users (BitShares is getting people's attention :) ).


I don't know how much you guys are prioritizing security features internally, but I think they are really important. We still don't have:

Ability to sign and verify messages using TITAN accounts from the GUI client.
Cold storage with offline transaction signing. I should be able to create a transaction and generate the bundle of all data necessary from my hot client, store it on a flash drive, move it over to another offline computer running a live Linux environment, get the cold client to sign the transaction and store it back on the flash drive, take it back to the hot client and have it broadcast the transaction to the network.
Usable multisig. Not just escrows, but also something like this and this.

These three features are more important to me than voting, on-ramps, or even lightweight clients.
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: toast on October 26, 2014, 08:48:10 pm
False alarm. But warnings in OP are still true of course.
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: mf-tzo on October 26, 2014, 08:57:37 pm
Quote
I don't know how much you guys are prioritizing security features internally, but I think they are really important. We still don't have:
Ability to sign and verify messages using TITAN accounts from the GUI client.
Cold storage with offline transaction signing. I should be able to create a transaction and generate the bundle of all data necessary from my hot client, store it on a flash drive, move it over to another offline computer running a live Linux environment, get the cold client to sign the transaction and store it back on the flash drive, take it back to the hot client and have it broadcast the transaction to the network.
Usable multisig. Not just escrows, but also something like this and this.

These three features are more important to me than voting, on-ramps, or even lightweight clients.

Security for me is also the most important thing, more than anything else...
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: sudo on October 27, 2014, 03:09:34 am
Is it possible to embed the BTS client hash code in the BTS blockchain and self-test when it runs?
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: bytemaster on October 27, 2014, 03:40:12 am
Is it possible to embed the BTS client hash code in the BTS blockchain and self-test when it runs?

The attacker's binary would skip the self-test and report success.
Title: Re: WARNING: Do not download BTSX client from non-https website.
Post by: DACSunlimited on October 27, 2014, 07:29:26 am
edit: False alarm. But warnings in this post are still true of course.

I've been warning DSL about this and it looks like it might have happened...

We have reason to suspect that there is a malicious BTSX client being injected when people try to download from the non-https version of bitshares-x.info.

Legit versions with hashes (still not signed by DSL but w/e at least github should be secure): https://github.com/dacsunlimited/bitsharesx/releases

Until DSL fixes it to automatically use https, always type it explicitly:
https://bitshares-x.info

Will update when I have more info.

Fixed: it now automatically rewrites to https.
Dropping us a mail will be the fastest way in an emergency, thanks.