Comments (9)
I think there are a couple of things that could be improved:
- let the browser verify included javascript by including Subresource Integrity hashes
- add a Content Security Policy and Strict-Transport-Security header to enforce tls
- combine this with Public Key Pinning
from etherwallet.
Github is serving directly to http://kvhnuke.github.io/etherwallet/ and https://www.myetherwallet.com (our domain with SSL). You can verify its hosted at github by using http://viewdns.info/dnsrecord/?domain=myetherwallet.com - last two A record IPs are owned by github for their custom domain hosting.
You can also download the zip from Github and run it locally. Download the zip from https://github.com/kvhnuke/etherwallet, unzip the file, double-click on "index.html".
from etherwallet.
How about ipns / ipfs?
from etherwallet.
Instead of serving it from myetherwallet.com, how about serving it directly from https://kvhnuke.github.io/etherwallet/ to eliminate another point of trust β DNS.
You can have myetherwallet.com redirect to https://kvhnuke.github.io/etherwallet/ for backward compatibility.
from etherwallet.
@uzyn They serving directly from github. You can use whichever URL you like, or download the repo to your computer and run it locally. MyEtherWallet.com is just a CNAME record pointing to Github's servers.
from etherwallet.
@tayvano Yes I understand that. I'm usually using github.io domain.
Just by default, I think it would be better if this is served via github.io to increase the trust and simply have myetherwallet.com redirect to github.io for BC.
This eliminates the extra point of trust that myetherwallet.com is not hijacked. Regarding github.io, we have to trust GitHub anyway, so it does not really matter.
from etherwallet.
So the hypothetical situation we are preventing is MyEtherWallet.com getting hacked and pointing to a different place and serving malicious code, instead of the code from github. If we had a redirect set up and someone were to access the domain they could just as easily turn off that redirect and I'm not entirely sure how many people would notice / care.
I think a hash of the github and a hash of the site is a more foolproof way of preventing this, but even then a majority of our users are not going to notice / care / check. We can add it to our never-ending to-do list either way and include in our version 2.0 (which is coming soonβ’).
from etherwallet.
I agree that hash would be the best and I also agree that majority of users would not bother to check.
A redirect is more easily verifiable to users as one would just have to look at the address bar and notice that it's kvhnuke.github.io and that the cert is green. But one can also argue that if the domain is hacked, the hacker can easily set up a malicious clone hosted on a similar looking username on github, say kvhnvke.github.io, and get myetherwallet.com redirected there.
1 thing that does help is that by using a redirect instead of a CNAME, if you bookmark it, you would be saving the resulting URL (kvhnuke.github.io) instead of the myetherwallet.com.
Anyway, thanks for all of the work! Let's not have this stopping 2.0.
from etherwallet.
Closing this for inactivity
from etherwallet.
Related Issues (20)
- Offline signing transaction hash link always goes to main net Ether Scan
- Does not work with Ledger Nano S ETC application
- ETC Transcation won't go through, Trezor model T 2.0.10: "user cancelled tx" HOT 2
- Mix-Blockchain is missing in NETWORK selection in new redesigned release
- REOSC ecosystem is missing in NETWORK selection in new redesigned release HOT 1
- Vintage repo links to the new version HOT 1
- Storj Transaction not found in MyEtherWallet HOT 1
- myetherwallet JESON file issue HOT 1
- MyEtherWallet new template ? HOT 2
- New MEW does not handle array of address properly
- Etherwallet connecting to private eth chain
- Hacked Account
- Can not find the address of my MEW wallet HOT 6
- Hiveterminal Token (HVN) name changed
- Configuration HOT 2
- Public key for the .sig file HOT 1
- Mew v5.0.13 HOT 1
- MEW Adderss is not the same, help? HOT 1
- hello I want to make DAO / ETH change
- Please don't remove this repository
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from etherwallet.