Experiment with ENS security measures by Jim McDonald #1913

Open
danfinlay opened this issue Aug 14, 2017 · 9 comments

Comments

@danfinlay
Contributor

danfinlay commented Aug 14, 2017

At the ENS Workshop, Jim McDonald gave an excellent discussion on a variety of attacks that can be waged against the ENS, and how we can help address them.

One of those ways is an API he's set up for detecting a variety of homoglyph attacks, which he's sent to me, but rather than posting it here, I'm making it a note, to respect his API privacy for now.

This issue represents the intention to experiment with that API and see if we can do something useful with it, before exploring how to ramp it up to production readiness.

@danfinlay
Contributor Author

This could be a good bounty research topic, although we would need to specify the scope of the research before agreeing to a price.

@danfinlay
Contributor Author

We could just post a bounty for a successful implementation that is resistant to identical characters (coloring them, or throwing errors when trying to render a multi-language string), ideally working without a centralized API, but if the database was huge, it would have to be acceptable.

Bonus points if we came up with a peer to peer network for sharding the homoglyph database and peer gossiping it. (Just dreaming now)

@danfinlay
Contributor Author

danfinlay commented Apr 15, 2018

We should maybe just add to the MyCrypto bounty for this:

MyCryptoHQ/MyCrypto#382

@dternyak

@danfinlay We'd certainly love to partner up on this! @pakaplace should be opening a PR against https://github.com/MyCryptoHQ/ens-validation today, so we can collaborate there if that works :)

@danfinlay
Contributor Author

Let us know how we can help, @dternyak!

@danfinlay
Contributor Author

For the reverse-resolution, MyCrypto's changes have been merged!

A simple ASCII pre-conversion ensures minimal funny business, and warnings can be given otherwise:
ensdomains/ens-validation#2

I wonder if there's an equivalent measure we could take for other languages...
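
Added example, not part of the thread and not the ens-validation module's code: a sketch of the two measures discussed above, treating ASCII-only names as safe, warning on other single-script names, and rejecting labels that mix scripts. The script list, the NFKC normalization step and the ok/warn/reject policy are assumptions made for illustration.

```javascript
// Added example: classify each label of an ENS-style name by Unicode script.
// SCRIPTS, the NFKC step and the verdict policy are illustrative assumptions.
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew', 'Arabic',
  'Han', 'Hiragana', 'Katakana', 'Hangul', 'Thai', 'Devanagari'];
const SCRIPT_RE = SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, 'u')]);

// Return the set of scripts used by the letters of one label.
// Digits, hyphens and other non-letter characters are ignored.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    if (!/\p{L}/u.test(ch)) continue;
    const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : 'Other');
  }
  return found;
}

// verdict: 'ok'     = ASCII only after normalization
//          'warn'   = non-ASCISI-free check failed but every label uses one script
//                     (a whole-script lookalike still lands here, hence the warning)
//          'reject' = at least one label mixes scripts
// Note: legitimate mixes (e.g. Han with Hiragana) would need an allowlist.
function checkName(name) {
  const normalized = name.normalize('NFKC').toLowerCase();
  const labels = normalized.split('.').map((label) => ({
    label,
    scripts: [...scriptsOf(label)].sort(),
  }));
  let verdict = 'ok';
  if (/[^\x00-\x7f]/.test(normalized)) verdict = 'warn';
  if (labels.some((l) => l.scripts.length > 1)) verdict = 'reject';
  return { normalized, verdict, labels };
}

// Constructed sample inputs.
for (const n of ['metamask.eth', 'metam\u0430sk.eth', '\u0440\u0430\u0443.eth']) {
  console.log(JSON.stringify(checkName(n)));
}
```

The third sample is an all-Cyrillic label that renders like "pay"; it passes the mixed-script test, which is why non-ASCII single-script names get a warning rather than a silent pass.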

@dternyak

@danfinlay That's awesome! :) congrats!

@danfinlay
Contributor Author

Oh hey @dternyak I need a chat line with you. You weren't in MyCrypto slack anymore to my surprise!

Anyways, I've published your module, but will pass over the npm ownership if you want. Just wanted it published for easier use.

I actually was just pointing out your module was finished, not that we'd integrated it yet. Great work!

@dternyak

Pinged on Slack!


4 participants