You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 6, 2020. It is now read-only.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason will be displayed to describe this comment to others. Learn more.
Privacy note: ~~~~this doesn't do much;~~~~ the MITM still sees that you're connecting to Etherscan.io (and therefore, that you're interested in Ethereum). Edit: They can still see that you're running an Ethereum client, based on connections to other known Ethereum nodes.
However, now they don't know that you're checking the PRICE of Ethereum.
Edit: They are now also unable to alter the response, which is a significant improvement.
The reason will be displayed to describe this comment to others. Learn more.
@danuker I still find it a valuable improvement — with https enabled we can (to some reasonable extent) rely on authenticity of the prices fetched from Etherscan.
And this authenticity closes, for example, the "price-manipulation" attack vectors, where the client is tricked into sending more money than they should, because some third party was able to alter the content of the Etherscan response mid-flight.
I also think that connecting to Etherscan is far from being the only indicator of the user's interest in Ethereum, given they run a Parity node — and I don't think that it's too hard to determine the fact of running Parity if one have a capability to eavesdrop on the client's traffic.
The reason will be displayed to describe this comment to others. Learn more.
@kirushik Wow! I didn't think of authenticity. You are absolutely right.
You are also right about detection, I suppose it would be easy to tell that a user is running Parity, or any other client, given their traffic. I guess I had a long day and I'm tired for not realizing that.
ab7335dThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Privacy note: ~~~~this doesn't do much;~~~~ the MITM still sees that you're connecting to Etherscan.io (and therefore, that you're interested in Ethereum). Edit: They can still see that you're running an Ethereum client, based on connections to other known Ethereum nodes.
However, now they don't know that you're checking the PRICE of Ethereum.
Edit: They are now also unable to alter the response, which is a significant improvement.
ab7335dThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@danuker I still find it a valuable improvement — with
httpsenabled we can (to some reasonable extent) rely on authenticity of the prices fetched from Etherscan.And this authenticity closes, for example, the "price-manipulation" attack vectors, where the client is tricked into sending more money than they should, because some third party was able to alter the content of the Etherscan response mid-flight.
I also think that connecting to Etherscan is far from being the only indicator of the user's interest in Ethereum, given they run a Parity node — and I don't think that it's too hard to determine the fact of running Parity if one have a capability to eavesdrop on the client's traffic.
ab7335dThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kirushik Wow! I didn't think of authenticity. You are absolutely right.
You are also right about detection, I suppose it would be easy to tell that a user is running Parity, or any other client, given their traffic. I guess I had a long day and I'm tired for not realizing that.