Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: hl5460 on January 13, 2017, 02:55:53 AM



Title: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: hl5460 on January 13, 2017, 02:55:53 AM
In December 2016, China CERT released a 17-page security audit report of blockchain software. As per the report, the audit was conducted in October 2016 and released later as an “open” document. The report examined 25 open-source blockchain projects, categorizing the vulnerabilities found into 9 classes. A total of 746 high-level attack vectors were detected. Ripple is rated the most insecure one with over 223 highly risky bugs.



http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: dranster on January 13, 2017, 03:01:00 AM
Most inaccurate title.....  :-[ :-[ :-[

Did you learn your English from a baby or u must be an illiterate..


BTS is the most secure blockchain


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Hueristic on January 13, 2017, 03:08:14 AM
Most inaccurate title.....  :-[ :-[ :-[

Did you learn your English from a baby or u must be an illiterate..


BTS is the most secure blockchain

Red Herring much?

Thanks for that post OP!


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: JoelKatz on January 13, 2017, 03:19:55 AM
We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/

"Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either."


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Hueristic on January 13, 2017, 03:26:20 AM
We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/

"Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either."

Looks like their response is the illiterate one of the two. Fixed that first one for them. And further, am not touching that last sentence. :P


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: kelsey on January 13, 2017, 04:20:34 AM
expressly state that this report identifies no actionable items

well i can think of at least one painfully obvious reason why  ;)

and our review, in response to it, found none either."

which validates the rating  :o


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Spoetnik on January 13, 2017, 04:41:40 AM
All i would have to think about Ripple is if the system is controlled by a central closed source point..
then if that point is exploited then the whole entire thing falls apart like a house of cards.
Then we could end up with another GOX or Cryptsy going on where they would end up lying for ages and cooking the books behind closed doors.

I would say those are the last coins on earth i would touch.
I have never owned a Ripple coin or Bitshares nor would i.
All records of my activity on any site would prove this easily too.

I don't support ICO scam scheme coins for profit.

Guys, just imagine all those Big Banks the Ripple guys say are using Ripple..
What happens with them when they get hacked ?  :o


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: hl5460 on January 13, 2017, 08:44:47 AM
We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/

"Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either."

That's really quick response.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: jacafbiz on January 13, 2017, 09:03:28 AM
There are some things common to both Ripple and Bitshares

1. Both are Proof of Stake coin

2. Both have more than  billion tokens

3. Both are centralised

I'm not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: dranster on January 13, 2017, 09:06:03 AM
The OP does not know how to read reports


BTS2.0 is the most secure blockchain project as per that report

https://steemit.com/blockchain/@dana-edwards/bitshares-2-0-is-one-of-the-most-secure-blockchain-projects-while-ripple-is-the-least


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Spoetnik on January 13, 2017, 01:16:50 PM
There are some things common to both Ripple and Bitshares

1. Both are Proof of Stake coin

2. Both have more than  billion tokens

3. Both are centralised

I'm not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

How about crooked unfair rigged launches ? Does that interest you ?
Funny how i never hear anyone bring up that shit..

Doesn't seem to matter if Zcash has a genius tax for example.
The only REAL question is.. how much ROI'z can i get at Polo for them ?


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: JoelKatz on January 13, 2017, 06:08:14 PM
expressly state that this report identifies no actionable items

well i can think of at least one painfully obvious reason why  ;)

and our review, in response to it, found none either."

which validates the rating  :o

Did you read my reply? Their methodology appears to be totaling the number of potential issues detected by automated, static analysis. This is almost completely meaningless because the vast majority of issues reported by such tools are false positives with no actual security implications. But it's doubly meaningless when you use it on code that already uses that exact same methodology because every issue that can be identified by this method has already been found and fixed. In fact, due to our use of this very same methodology, we've found and fixed bugs in third-party libraries we use such as RocksDB and Boost.
https://github.com/facebook/rocksdb/pull/333
https://github.com/boostorg/coroutine/pull/20


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: dadingsda on January 13, 2017, 10:26:39 PM
There are some things common to both Ripple and Bitshares

1. Both are Proof of Stake coin

2. Both have more than  billion tokens

3. Both are centralised

I'm not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

Why is BTS centralised?


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Spoetnik on January 14, 2017, 01:16:44 AM
There are some things common to both Ripple and Bitshares

1. Both are Proof of Stake coin

2. Both have more than  billion tokens

3. Both are centralised

I'm not surprised about the report at all. I think we need independent research like this to expose flaws like this to protect investors

Why is BTS centralised?

Because it's another ICO scam.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: buwaytress on January 14, 2017, 12:22:05 PM
Always healthy to have as much scrutiny from as many different sources, independent and otherwise.

Is Ripple the only one who finds the report and its methodology flawed and, therefore, unactionable? I find it unlikely that ALL these would result in false positives and it seems even Ripple concurs.





Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: JoelKatz on January 14, 2017, 06:47:15 PM
Always healthy to have as much scrutiny from as many different sources, independent and otherwise.

Is Ripple the only one who finds the report and its methodology flawed and, therefore, unactionable? I find it unlikely that ALL these would result in false positives and it seems even Ripple concurs.
For projects that don't use this form of analysis already, typically between 1 and 2 in 100 of these reports on security critical code reflect an actual issue. But without surveying a statistical sample of them in that particular code base, you're really just guessing.

When we ran the first such report on rippled, we debated "fixing" every issue to get the number down to zero. The advantage would be that it would make it easier to scan future versions of the code as you wouldn't have a large number of false positives to wade through. We ultimately decided not to because in many cases it would require making the code harder to understand and maintain.

I wonder, if we had done so, would this report have said we were the most secure or would they just have left us out? (And, to be clear, it would have also been absurd to say that a zero count from a tool like this makes us the most secure.)


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Spoetnik on January 15, 2017, 08:25:31 AM
Nice SIG.. an "employee" of an open source fair launch decentralized free market currency ?
Let me guess you have a CEO and a CTFO etc too  :D

Ripple..  :D

"Big Banks"  ::)  :D

No others in Crypto are as scammy with their scheme and as persistent as Ripple douche nozzles.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: poloniexwhale on January 15, 2017, 09:41:57 AM
The OP does not know how to read reports


BTS2.0 is the most secure blockchain project as per that report

https://steemit.com/blockchain/@dana-edwards/bitshares-2-0-is-one-of-the-most-secure-blockchain-projects-while-ripple-is-the-least

How to define the most secure? You heard this from BTS devs? They are braggers, I don't trust them.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: r0ach on January 15, 2017, 09:50:23 AM
We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/

"Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either."

Just politely tell the Chinese that Ripple is not a decentralized currency in the first place (such a thing may not even be possible).  Problem solved.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: hl5460 on January 17, 2017, 02:49:59 AM
We now have an official response to this report at https://ripple.com/dev-blog/response-china-cert-report/

"Again, Ripple recognizes the importance of security researchers, and we take any reports of security vulnerabilities very seriously. At this time, we do not feel confident in the accuracy of the CERT report and further, and based on the way in which the report was published, we question the legitimacy of the reporting body. We are confident in our processes and our codebase, and expressly state that this report identifies no actionable items and our review, in response to it, found none either."

Just politely tell the Chinese that Ripple is not a decentralized currency in the first place (such a thing may not even be possible).  Problem solved.

I think it's difficult to draw a line between centralization and decentralization.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: JoelKatz on January 17, 2017, 11:16:12 AM
I think it's difficult to draw a line between centralization and decentralization.
My test is usually this one -- is there a head that, if you cut it off, the thing will die even if the folks who are left want it to continue?

So, for example, eBay is somewhat decentralized in that the items are sold by individual people. eBay doesn't have a centralized warehouse. But, of course, if the company stopped operations, the platform would die no matter how much everyone else wanted to continue selling. The company has the secret sauce ... the database, the licenses, the server software, and so on.

Even back when everyone ran the Bitcoin software Gavin told them to, Bitcoin was still decentralized. If Gavin went away, someone else could replace him. He had no legal means to force people to do what he wanted. He held no patent, no restrictive license, no secret sauce. People just ran the software Gavin told them to because a benevolent dictator that everyone chooses to follow is a damn good form of governance, particularly when there aren't that many stakeholders who really care about the platform.

Similarly, Ripple holds no secret sauce. Others can run validators, and do. Others can trust whatever validators they wish to, and do. Generally, people tend to do what we tell them to because we make good decisions and we care about the network more than pretty much anyone else does. But we hold no stick, no legal powers, no secret sauce, no real authority. People follow us because it's easier than making their own decisions and we haven't screwed up badly enough yet for people to justify the effort of doing the work that we do for them.

If we're lucky and the platform becomes more valuable and important, it will be harder and harder to remain the benevolent dictator who keeps everyone happy. Ask Gavin.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Sukrim on January 18, 2017, 10:35:03 PM
If Ripple Inc. stopped (for whatever reason) validating RCL for 1 hour and if (that's a BIG if, since it is not a recommended setting for UNLs right now) consensus moved forward regardless, would you re-join the network at the then current stage or when you left it one hour ago? If it forked, would that influence your decision and if you decided to choose a fork, how would you choose?


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: JoelKatz on January 20, 2017, 06:35:00 AM
If Ripple Inc. stopped (for whatever reason) validating RCL for 1 hour and if (that's a BIG if, since it is not a recommended setting for UNLs right now) consensus moved forward regardless, would you re-join the network at the then current stage or when you left it one hour ago? If it forked, would that influence your decision and if you decided to choose a fork, how would you choose?
Currently, we would accept whichever valid ledger (that is, all transactions follow the correct rules) had the highest weight by rippled's current algorithm. That would mean it would have to pass these tests (oversimplified a tiny bit):
1) It would have to have as a prior ledger whatever the last fully validated ledger was.
2) Each step from that last fully validated ledger to the candidate ledger would have to be replayable. That is, the transactions couldn't violate any gross rules.
Of those valid ledgers, we would accept the one with the highest weight. Factors that influence the weight include trusted validations for that ledger and nodes observed to be running that ledger.
So, effectively, we would take the "majority" ledger of those that don't violate sanity rules.

This code is also the code that helps the network recover from a very rare, but always theoretically possible, potential failure mode. There's a trivial proof that consensus will always have some risk of failing. Typically, only a small percentage of nodes fail each round and the split nodes rejoin the pack quickly and cause no harm. It's like a school of fish where 2% of the fish leave every few seconds and the 2% that split off a while ago rejoin. There's always more than 90% of the fish in the school.

But it is theoretically possible for consensus to fragment very badly. You can reduce the probability of this happening, but the cost is reducing the best case speed, so it's better to tolerate it than to avoid it. Imagine this happens and the network splits into ten groups each with 10% of the network and each in their own consensus round. This is effectively the same situation as the one you are hypothesizing, just over a smaller period of time. You need some avalanche of ledgers to get the network back to being able to fully validate a ledger.

Interestingly, this doesn't hurt the transaction rate. Ledgers still close at the same speed. But it does hurt confirmation latency, since you could go several ledgers without any ledger fully validating.
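The two tests and the weight tie-break described in the post above, as an added toy model in Python; it is not rippled's code and not from the original thread, and the Ledger shape, the single overdraw sanity rule standing in for the "gross rules", and the sample fork are constructed assumptions:

```python
# Toy model of the ledger-selection rule described in the post above.
# Constructed example, not rippled's code. Hypothetical simplifications: the
# "gross rules" are one sanity check (a sender must exist and must not overdraw
# its balance) and weight is trusted_validations + nodes_running.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ledger:
    id: str
    parent: Optional[str]
    txs: List[Tuple[str, str, int]]  # (sender, receiver, amount)
    trusted_validations: int = 0     # trusted validations seen for this ledger
    nodes_running: int = 0           # nodes observed running this ledger

    @property
    def weight(self) -> int:
        return self.trusted_validations + self.nodes_running


def replay(balances, txs):
    """Replay txs on a copy of balances; None if any tx breaks the sanity rule."""
    bal = dict(balances)
    for sender, receiver, amount in txs:
        if amount <= 0 or bal.get(sender, 0) < amount:
            return None
        bal[sender] -= amount
        bal[receiver] = bal.get(receiver, 0) + amount
    return bal


def path_from(ledgers, last_validated, candidate):
    """Test 1: walk parents from candidate back to the last fully validated
    ledger; return the forward-ordered ids to replay, or None if the candidate
    does not descend from it (stale branch or unknown parent)."""
    path, cur, seen = [], candidate, set()
    while cur != last_validated:
        if cur is None or cur not in ledgers or cur in seen:
            return None
        seen.add(cur)
        path.append(cur)
        cur = ledgers[cur].parent
    return list(reversed(path))


def is_valid(ledgers, balances, last_validated, candidate):
    """Tests 1 and 2: descends from the last validated ledger and every step replays."""
    path = path_from(ledgers, last_validated, candidate)
    if path is None:
        return False
    for lid in path:
        balances = replay(balances, ledgers[lid].txs)
        if balances is None:
            return False
    return True


def choose_ledger(ledgers, balances, last_validated, candidates):
    """Of the valid candidates, take the one with the highest weight."""
    valid = [c for c in candidates if is_valid(ledgers, balances, last_validated, c)]
    return max(valid, key=lambda c: ledgers[c].weight) if valid else None


# Constructed fork scenario: L100 is the last fully validated ledger.
LAST_VALIDATED = "L100"
VALIDATED_BALANCES = {"alice": 50, "bob": 10}
LEDGERS = {
    "L100": Ledger("L100", "L099", []),
    "L101a": Ledger("L101a", "L100", [("alice", "bob", 20)], 5, 4),    # valid, weight 9
    "L101b": Ledger("L101b", "L100", [("alice", "carol", 80)], 7, 5),  # overdraw, weight 12
    "L101c": Ledger("L101c", "L099", [("bob", "alice", 5)], 9, 6),     # stale parent, weight 15
    "L102d": Ledger("L102d", "L101a", [("bob", "alice", 25)], 3, 3),   # builds on L101a, weight 6
}
CANDIDATES = ["L101a", "L101b", "L101c", "L102d"]
```

Running `choose_ledger(LEDGERS, VALIDATED_BALANCES, LAST_VALIDATED, CANDIDATES)` returns "L101a": the heavier L101b and L101c are discarded before weight is ever compared, because one overdraws and the other does not build on the last fully validated ledger.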


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Spoetnik on January 20, 2017, 07:51:14 AM
It's a pity a clearly smart mind is put to waste on such a horrible coin project idea.
Not sure how you as a dev can justify the glaring issues commonly complained about.
Dev guy.. you wonder why people do not like Ripple ?
Did that occur to you when you guys started making it ?

I do bet you love the climate now though.
You know as well as i do when you launched it, it was laughed off the Forum here.
Why ?

Why did Cryptsy refuse to add it for a year as it sat on the add-a-coin voting list ?
..even though it had more paid votes than every other coin on the massive list combined.

I smell an air of deniability.
And i think that you Ripple guys are going for it NOW because you see how corrupt all of crypto is.
You seen the scene change from anti-IPO shitcoin to now ICO's are somehow legit.
And now you Ripple guys are trying slide right in and pull an Ethereum after waiting a couple years.

I guess in a couple more years the bar will be lowered so much MORE that...
LEO Coin will be considered legit and you all will be buying them up eh ?


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Sukrim on January 20, 2017, 09:45:11 PM
If Ripple Inc. stopped (for whatever reason) validating RCL for 1 hour and if (that's a BIG if, since it is not a recommended setting for UNLs right now) consensus moved forward regardless, would you re-join the network at the then current stage or when you left it one hour ago? If it forked, would that influence your decision and if you decided to choose a fork, how would you choose?
Currently, we would accept whichever valid ledger (that is, all transactions follow the correct rules) had the highest weight by rippled's current algorithm. That would mean it would have to pass these tests (oversimplified a tiny bit):
1) It would have to have as a prior ledger whatever the last fully validated ledger was.
2) Each step from that last fully validated ledger to the candidate ledger would have to be replayable. That is, the transactions couldn't violate any gross rules.
Of those valid ledgers, we would accept the one with the highest weight. Factors that influence the weight include trusted validations for that ledger and nodes observed to be running that ledger.
So, effectively, we would take the "majority" ledger of those that don't violate sanity rules.

Great to hear. This is quite theoretical anyways, since probably a lot of validators would not reach quorum once your nodes are down, so manual intervention would likely be necessary while no ledgers are being validated.

@troll above: You're getting boring.


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: Spoetnik on January 21, 2017, 10:08:20 AM
If Ripple Inc. stopped (for whatever reason) validating RCL for 1 hour and if (that's a BIG if, since it is not a recommended setting for UNLs right now) consensus moved forward regardless, would you re-join the network at the then current stage or when you left it one hour ago? If it forked, would that influence your decision and if you decided to choose a fork, how would you choose?
Currently, we would accept whichever valid ledger (that is, all transactions follow the correct rules) had the highest weight by rippled's current algorithm. That would mean it would have to pass these tests (oversimplified a tiny bit):
1) It would have to have as a prior ledger whatever the last fully validated ledger was.
2) Each step from that last fully validated ledger to the candidate ledger would have to be replayable. That is, the transactions couldn't violate any gross rules.
Of those valid ledgers, we would accept the one with the highest weight. Factors that influence the weight include trusted validations for that ledger and nodes observed to be running that ledger.
So, effectively, we would take the "majority" ledger of those that don't violate sanity rules.

Great to hear. This is quite theoretical anyways, since probably a lot of validators would not reach quorum once your nodes are down, so manual intervention would likely be necessary while no ledgers are being validated.

@troll above: You're getting boring.

I simply echo history.. i don't see anyone disputing what i said.
Want to challenge me ? If i HAVE TO i will go dig up the early topics on Ripple/Bitshares and quote them proving my point. (that both had a majority verbal reaction and market reaction that they were indeed unfair and unwanted)

That is called being honest ..not Trolling.
And since i am one of the few people who did not leave the Altcoin scene in disgust as it sinks in scamminess, then i was here to witness a lot of older ALT drama bs.
And you guys hate that and wish i would just go away so you can lower the bar more for more profits and more ICO's and more ROI'z  ::)

Point here is almost no one ever dares challenge anything i say.
For example i point out how ICO's are scammy and they simply ignore it and make more.
Are they a better way to distrib coins over the BTC model ?
It can't be the same so it's either better or worse.. so which is it.. ?
Show your mouthy faces and back up your mouth and defend your stance !
I contend EARTH and the billions of people ignore ICO coins because.. they are scammy bullshit.
Which is why ADOPTION is doomed with any ICO.

PS:
Who ever did explain the great Ripple giveaway fraud shenanigans ?
Remember that ? i sure as fucking hell do.. i was here LOL


Title: Re: Ripple and bitshares rated the most insecure blockchain software by China CERT
Post by: JoelKatz on January 21, 2017, 10:47:34 AM
Who ever did explain the great Ripple giveaway fraud shenanigans ?
Remember that ? i sure as fucking hell do.. i was here LOL
That's definitely a fair criticism. We tried, but we did make an awful lot of mistakes. It turns out that it's *really* hard. We got better as time went on, but honestly not that much better. I'm convinced now that giveaways of the types that we were initially trying are just a mistake, even if you could do them well.