Bounty - Github page to monitor online wallets.

[Aleksei Richards]

I would like a github page created that does the following.

1. Downloads the carbon wallet home page via the url http://carbonwallet.com/ using Ajax. (You will probably need to use YQL to achieve this)
2. Gets all the script tags from the page.
3. Checks that javascript in the script tags matches the JavaScript from github. https://github.com/carbonwallet/carbonwallet.github.io

So basically anyone that visits the page can check the integrity of carbon wallet similar to the blockchain.info wallet checker. https://github.com/blockchain/My-Wallet-Integrity-Checker

This would be a valuable service to the community. I'm looking to pay around $100 or equivalent in BTC.

[tumak]

Since your site is hosted via github pages, what's the point?

An attacker who will compromise github will just modify the repo - the site will change along with it

gh-pages lacks ssl support though, so i guess this is (rather strange) way to close the door for evil-hostpot-mitm injection attacks?

I'd prefer just old fashioned chrome extension (that is actually strong guarantee) and ssl for mobile devices.

That being said, the wallet looks nice and the code is nicely clean, very impressive!

Will try to use it with some pocket change for a while

[Aleksei Richards]

Since your site is hosted via github pages, what's the point?

An attacker who will compromise github will just modify the repo - the site will change along with it

gh-pages lacks ssl support though, so i guess this is (rather strange) way to close the door for evil-hostpot-mitm injection attacks?

I'd prefer just old fashioned chrome extension (that is actually strong guarantee) and ssl for mobile devices.

Other than that, the wallet looks nice, will try to use it with some pocket change for a while

Thanks for the reply.

This app would be there to re-assure users that the code loaded from the domain is the same as that on the repository. It's possible to redirect the domain away from the repository and therefore deliver a different set of JS files to the user. This would assure them that this had not happened.

I chose a HTML page rather than a chrome extension just because it's easier to use (i.e. not everyone has chrome). To repackage the page as an extension would be rather trivial I think.

Also the CarbonWallet is a 1 page app with no server. Therefore SSL is not required as the only communication is retrieving TX information and sending TX which are all public knowledge anyway.

[tumak]

Since your site is hosted via github pages, what's the point?

An attacker who will compromise github will just modify the repo - the site will change along with it

gh-pages lacks ssl support though, so i guess this is (rather strange) way to close the door for evil-hostpot-mitm injection attacks?

I'd prefer just old fashioned chrome extension (that is actually strong guarantee) and ssl for mobile devices.

Other than that, the wallet looks nice, will try to use it with some pocket change for a while

Thanks for the reply.

This app would be there to re-assure users that the code loaded from the domain is the same as that on the repository. It's possible to redirect the domain away from the repository and therefore deliver a different set of JS files to the user. This would assure them that this had not happened.

I chose a HTML page rather than a chrome extension just because it's easier to use (i.e. not everyone has chrome). To repackage the page as an extension would be rather trivial I think.

Also the site is a 1 page app with no server. Therefore SSL is not required as the only communication is retrieving TX information and sending TX which are all public knowledge anyway.

I see.

There is problem with that ajax part - what you really want is cross-domain XHR, with no proxies (YQL). However github will not send the necessary header for that to work - github won't send access-control-allow-origin: *.

What you're saying would make sense if you hosted the site at your server, and you'd send the necessary header. I'll do the checker then for you

Another option may be some sort of bookmarklet, but thats rather user-unfriendly :/

[Aleksei Richards]

There is problem with that ajax part - what you really want is cross-domain XHR, with no proxies (YQL). However github will not send the necessary header for that to work - github won't send access-control-allow-origin: *.

YQL handles cross domain see http://ajaxian.com/archives/using-yql-as-a-proxy-for-cross-domain-ajax

I agree it would be better without the proxy. Perhaps when it is packaged as a chrome extension the proxy could be bypassed.

[tumak]

There is problem with that ajax part - what you really want is cross-domain XHR, with no proxies (YQL). However github will not send the necessary header for that to work - github won't send access-control-allow-origin: *.

YQL handles cross domain see http://ajaxian.com/archives/using-yql-as-a-proxy-for-cross-domain-ajax

I agree it would be better without the proxy. Perhaps when it is packaged as a chrome extension the proxy could be bypassed.

I assume you started carbonwallet because you dont want to repeat piuk's mistakes, or am I wrong?

Yeah proxies sucks because you can special-case the yahoo ip range. The checker must be indistiguishable from regular browser. Basically, you need to do this:

Code:

#!/bin/bash
curl -s https://raw.github.com/carbonwallet/carbonwallet.github.io/master/index.html | grep 'src=' | cut -d '"' -f 2 | while read n; do echo "Checking $n"; diff -B <( curl -s http://carbonwallet.com/$n ) <( curl -s https://raw.github.com/carbonwallet/carbonwallet.github.io/master/$n ); done
diff -B <( curl -s http://carbonwallet.com/ ) <( curl -s https://raw.github.com/carbonwallet/carbonwallet.github.io/master/index.html )

But from browser and without referrer (https vs http xhr).

Using chrome extension is silly, because then you can just have whole wallet in it and not bother with checking. The checker is valuable on mobile devices where extensions (and local static html files) dont work or poorly. Perhaps android app using webview?

[Aleksei Richards]

Actually perhaps instead of a github page. This could be developed as a jsfiddle.

[Aleksei Richards]

Using chrome extension is silly, because then you can just have whole wallet in it and not bother with checking. The checker is valuable on mobile devices where extensions (and local static html files) dont work or poorly. Perhaps android app using webview?

You can already download carbonwallet as a chrome extension. So this monitor app would be for people who use the wallet online.

[tumak]

Using chrome extension is silly, because then you can just have whole wallet in it and not bother with checking. The checker is valuable on mobile devices where extensions (and local static html files) dont work or poorly. Perhaps android app using webview?

You can already download carbonwallet as a chrome extension. So this monitor app would be for people who use the wallet online.

I've sent you pull request which merges everything into single html file, so it's not as much broken as MyWallet (which checks script tags - that is actually pretty useless because it's easy to inject code living in an anonymous js closure of setTimeout and delete the tag).

Verification is trivial, just xhr the index.html and compute hash for it.

[Aleksei Richards]

because it's easy to inject code living in an anonymous js closure of setTimeout and delete the tag

How would that work. To me the blockchain checker looks like it would do the job.

[tumak]

because it's easy to inject code living in an anonymous js closure of setTimeout and delete the tag

How would that work. To me the blockchain checker looks like it would do the job.

Start a bounty for MyWallet injection exploit (5BTC to be worth the while).

Exploit description:

The content script used by My Wallet checker runs in document_idle state, when script tags of document are already executing.

if it used run_at: document_end, it would have chance to catch remote script tag, but not inline javascript.

if it used run_at: document_start, there is not even DOM constructed, so you have nothing to inspect, though you might have chance to hook early and check DOM as it loads. Unsure if possible to attain reliability here, but certainly not done by the checker now.

In short, checking the DOM after it is loaded is harder than naive implementation, because once it loads, code contained there can modify itself (simply setTimeout and remove the script tag).

Note that this is only one of MyWallet's unbacked claims of security, there are much more :)