A letter to the community: we are opening a wormhole of new attacks and exploits if we don't treat HTTP sites exactly like compromised ones. Companies in the space: I know you like to move domains. Do not let SSL certificates expire.

I recently was using Math Wallet looking for a DEX through its DAPP store thing (pretty cool btw) and I came across one that described itself as "The biggest EOS DEX", so when I went to install it, I was met with an SSL error. https://ift.tt/3dG6gIc This DAPP I now plan to interact with could have me at its mercy should someone MITM attack me. Imagine people going to a conference, hearing about this via word of mouth, going back to the hotel to install it but falling victim to an attack on the hotel wifi, which is SIMPLE to do. MITM attacks have not had the biggest effect in terms of the world of scamming bitcoins. Google TOTP greatly increases the skill barrier for anyone wanting to withdraw funds using the sole token they received from the initial phished login (and it has to be within 30 seconds too). I have seen TOO many sites that switch domains or let subdomains go unaccounted for, and it will create a systematic risk for anyone who is on the more business/social side of bitcoin. I find this most often with download links, backend APIs (which luckily get blocked most of the time by Chrome), and old pre-migration domains.

If hackers know that they can manage to MITM at least one person for their account's value (in this case your entire EOS account) at a conference where people are very likely to own large amounts, they will go. If this remains exploitable, IT WILL BE EXPLOITED. It's very likely this has led to loss before, but the cause isn't tracked down.

You can say "Verify hashes" or "Pay attention" all day long, but the downside to leaving pages like this up is a whole lot more than simply updating your certificates.

We do not want a world where people will be following you around, staying in your hotels as you travel for business, because they know you are likely to fall into the trap of one of these links through your daily activities.

Basically I'm saying that if we allow a little bit of leeway, we will finally cross a barrier where it makes sense for criminals to follow around rich crypto people waiting till they visit their MITM link. At that point we have a force on our hands we are not equipped to deal with, as the criminal may possibly get frustrated and decide on more direct means, considering the fact that he is now physically close to you.

Call it a non-issue or whatever, but it takes so little effort to fix; can we please make sure to check legacy links. Thanks. I hope this gets received in good faith, and I don't mean to call out Findex, because they're far from alone.
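The "check your legacy links" ask above is easy to automate. The following is an added example (my code, not from the original post, Math Wallet or Findex): a small Python checker that performs a fully verified TLS handshake against each hostname given on the command line and reports certificates that are expired, about to expire, or that fail verification outright (expired, wrong hostname, untrusted chain). A verification failure is reported as `VERIFY_FAILED`, which is the "treat it like a compromised site" outcome the letter argues for. The two-week warning window and the sample dates in the docstring are assumptions I chose for illustration; it uses only the standard library.

```python
"""Check TLS certificate health for a list of hostnames (added example, standard library only)."""
import ssl
import socket
import sys
import time
from typing import Optional

WARN_DAYS = 14  # assumption: flag anything that expires within two weeks


def days_until_expiry(not_after: str, now: Optional[str] = None) -> int:
    """Whole days until the certificate's notAfter value; negative once it has expired.

    `not_after` uses the format returned by getpeercert(), e.g. 'Mar 30 11:46:00 2021 GMT'.
    `now` may be given in the same format to make the calculation deterministic (used in tests);
    otherwise the current time is used.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = ssl.cert_time_to_seconds(now) if now else time.time()
    return int((expires - now_ts) // 86400)


def classify(days_left: int, warn_days: int = WARN_DAYS) -> str:
    """Map remaining days onto a status label operators can alert on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING"
    return "OK"


def check_host(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Do a verified TLS handshake against hostname:port and summarise the certificate.

    ssl.create_default_context() verifies the chain, the validity window and the hostname,
    so an expired or mismatched certificate fails the handshake itself. That case is reported
    as VERIFY_FAILED: the endpoint should be treated exactly like a compromised one until fixed.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "status": "VERIFY_FAILED", "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"host": hostname, "status": "UNREACHABLE", "reason": str(exc)}

    days = days_until_expiry(cert["notAfter"])
    # issuer is a tuple of single-pair tuples, e.g. ((('organizationName', "Let's Encrypt"),), ...)
    issuer = dict(pair[0] for pair in cert["issuer"]).get("organizationName", "?")
    return {"host": hostname, "status": classify(days), "days_left": days, "issuer": issuer}


def check_hosts(hostnames) -> list:
    """Check every hostname and return the list of result dicts (worst statuses first)."""
    order = {"VERIFY_FAILED": 0, "EXPIRED": 1, "EXPIRING": 2, "UNREACHABLE": 3, "OK": 4}
    results = [check_host(h) for h in hostnames]
    return sorted(results, key=lambda r: order[r["status"]])


if __name__ == "__main__":
    # Usage: python check_certs.py app.example.com download.example.com api.example.com
    # (hostnames above are placeholders; pass your own current and legacy domains)
    for result in check_hosts(sys.argv[1:]):
        print(result)
```

Run it against every domain the company has ever published, including old download hosts and pre-migration domains, and wire the `VERIFY_FAILED`, `EXPIRED` and `EXPIRING` statuses into whatever alerting already exists; a host that has been decommissioned should return `UNREACHABLE`, not serve an expired certificate.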

Submitted March 30, 2020 at 11:46AM
