Is there a way to sign myetherwallet.com code?
#21
Comments
|
Github is serving directly to http://kvhnuke.github.io/etherwallet/ and https://www.myetherwallet.com (our domain with SSL). You can verify its hosted at github by using http://viewdns.info/dnsrecord/?domain=myetherwallet.com - last two A record IPs are owned by github for their custom domain hosting. You can also download the zip from Github and run it locally. Download the zip from https://github.com/kvhnuke/etherwallet, unzip the file, double-click on "index.html". |
|
How about ipns / ipfs? |
|
Instead of serving it from myetherwallet.com, how about serving it directly from https://kvhnuke.github.io/etherwallet/ to eliminate another point of trust – DNS. You can have myetherwallet.com redirect to https://kvhnuke.github.io/etherwallet/ for backward compatibility. |
|
@uzyn They serving directly from github. You can use whichever URL you like, or download the repo to your computer and run it locally. MyEtherWallet.com is just a CNAME record pointing to Github's servers. |
|
@tayvano Yes I understand that. I'm usually using github.io domain. Just by default, I think it would be better if this is served via github.io to increase the trust and simply have myetherwallet.com redirect to github.io for BC. This eliminates the extra point of trust that myetherwallet.com is not hijacked. Regarding github.io, we have to trust GitHub anyway, so it does not really matter. |
|
So the hypothetical situation we are preventing is MyEtherWallet.com getting hacked and pointing to a different place and serving malicious code, instead of the code from github. If we had a redirect set up and someone were to access the domain they could just as easily turn off that redirect and I'm not entirely sure how many people would notice / care. I think a hash of the github and a hash of the site is a more foolproof way of preventing this, but even then a majority of our users are not going to notice / care / check. We can add it to our never-ending to-do list either way and include in our version 2.0 (which is coming soon™). |
|
I agree that hash would be the best and I also agree that majority of users would not bother to check. A redirect is more easily verifiable to users as one would just have to look at the address bar and notice that it's kvhnuke.github.io and that the cert is green. But one can also argue that if the domain is hacked, the hacker can easily set up a malicious clone hosted on a similar looking username on github, say kvhnvke.github.io, and get myetherwallet.com redirected there. 1 thing that does help is that by using a redirect instead of a CNAME, if you bookmark it, you would be saving the resulting URL (kvhnuke.github.io) instead of the myetherwallet.com. Anyway, thanks for all of the work! Let's not have this stopping 2.0. |
|
I think there are a couple of things that could be improved:
|
|
Closing this for inactivity |
It'd be nice to verify that myetherwallet.com is running the code that's publicly available on github.
Not implying there's anything untrustworthy about the author, just proposing this given the spirit of the trustlessness of cryptocurrencies and Ether.
The text was updated successfully, but these errors were encountered: