Aleksei Richards



Bounty - Github page to monitor online wallets. June 11, 2013, 08:45:05 AM #1



I would like a github page created that does the following.

1. Downloads the carbon wallet home page via the url http://carbonwallet.com/ using Ajax. (You will probably need to use YQL to achieve this)

2. Gets all the script tags from the page.

3. Checks that javascript in the script tags matches the JavaScript from github. https://github.com/carbonwallet/carbonwallet.github.io

So basically anyone that visits the page can check the integrity of carbon wallet similar to the blockchain.info wallet checker. https://github.com/blockchain/My-Wallet-Integrity-Checker

This would be a valuable service to the community. I'm looking to pay around $100 or equivalent in BTC.
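The three steps requested above, sketched as an added example that is not part of the original post or of the CarbonWallet project. The file names (`js/wallet.js`, `js/extra.js`) and both inputs are constructed, fetching is left out, and the check goes slightly beyond step 3 by also flagging scripts the repository does not contain, since an injected tag would otherwise pass unnoticed.

```javascript
// Added example: constructed inputs and hypothetical file names throughout.

// Collect every <script> in an HTML string. A regex keeps this runnable
// outside a browser; inside a page, DOMParser is the more robust choice.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    // \s before "src" so attributes such as data-src are not mistaken for it.
    const src = /\ssrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push(src ? { src: src[1] } : { inline: m[2] });
  }
  return scripts;
}

// Ignore line-ending and edge-whitespace differences only.
const normalize = (s) => s.replace(/\r\n/g, "\n").trim();

// served / reference: { html: string, files: { [path]: source } }
function checkIntegrity(served, reference) {
  const refInline = new Set(extractScripts(reference.html)
    .filter((s) => s.inline !== undefined)
    .map((s) => normalize(s.inline)));
  return extractScripts(served.html).map((s) => {
    if (s.src === undefined) {
      const ok = refInline.has(normalize(s.inline));
      return { script: "(inline)", status: ok ? "match" : "unknown-inline" };
    }
    // Own-property check: a src such as "constructor" must not look known.
    if (!Object.prototype.hasOwnProperty.call(reference.files, s.src)) {
      return { script: s.src, status: "not-in-repo" };
    }
    const same = normalize(served.files[s.src] || "") === normalize(reference.files[s.src]);
    return { script: s.src, status: same ? "match" : "mismatch" };
  });
}

const reference = { // constructed stand-in for the repository copy
  html: '<script src="js/wallet.js"></script><script>init();</script>',
  files: { "js/wallet.js": "function sign(tx) { return tx; }\n" },
};
const served = { // constructed stand-in for a modified live page
  html: '<script src="js/wallet.js"></script><script>init();</script>' +
        '<script src="js/extra.js"></script><script>track();</script>',
  files: { "js/wallet.js": "function sign(tx) { leak(tx); return tx; }\n" },
};
console.log(checkIntegrity(served, reference));
```

Any status other than `match` means the served page differs from the reference copy.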


tumak



Re: Bounty - Github page to monitor online wallets. June 11, 2013, 09:06:00 AM #2



Since your site is hosted via github pages, what's the point?

An attacker who will compromise github will just modify the repo - the site will change along with it

gh-pages lacks ssl support though, so I guess this is (rather strange) way to close the door for evil-hotspot-mitm injection attacks?

I'd prefer just old fashioned chrome extension (that is actually strong guarantee) and ssl for mobile devices.

That being said, the wallet looks nice and the code is nicely clean, very impressive!

Will try to use it with some pocket change for a while

Aleksei Richards



Re: Bounty - Github page to monitor online wallets. June 11, 2013, 09:15:51 AM #3

Quote from: tumak on June 11, 2013, 09:06:00 AM

> Since your site is hosted via github pages, what's the point?
>
> An attacker who will compromise github will just modify the repo - the site will change along with it
>
> gh-pages lacks ssl support though, so I guess this is (rather strange) way to close the door for evil-hotspot-mitm injection attacks?
>
> I'd prefer just old fashioned chrome extension (that is actually strong guarantee) and ssl for mobile devices.
>
> Other than that, the wallet looks nice, will try to use it with some pocket change for a while

Thanks for the reply.

This app would be there to reassure users that the code loaded from the domain is the same as that on the repository. It's possible to redirect the domain away from the repository and therefore deliver a different set of JS files to the user. This would assure them that this had not happened.

I chose an HTML page rather than a chrome extension just because it's easier to use (i.e. not everyone has chrome). To repackage the page as an extension would be rather trivial I think.

Also the CarbonWallet is a 1 page app with no server. Therefore SSL is not required as the only communication is retrieving TX information and sending TX which are all public knowledge anyway.

tumak



Re: Bounty - Github page to monitor online wallets. June 11, 2013, 09:20:17 AM #4

Quote from: Aleksei Richards on June 11, 2013, 09:15:51 AM

> Quote from: tumak on June 11, 2013, 09:06:00 AM
>
> > Since your site is hosted via github pages, what's the point?
> >
> > An attacker who will compromise github will just modify the repo - the site will change along with it
> >
> > gh-pages lacks ssl support though, so I guess this is (rather strange) way to close the door for evil-hotspot-mitm injection attacks?
> >
> > I'd prefer just old fashioned chrome extension (that is actually strong guarantee) and ssl for mobile devices.
> >
> > Other than that, the wallet looks nice, will try to use it with some pocket change for a while
>
> Thanks for the reply.
>
> This app would be there to reassure users that the code loaded from the domain is the same as that on the repository. It's possible to redirect the domain away from the repository and therefore deliver a different set of JS files to the user. This would assure them that this had not happened.
>
> I chose an HTML page rather than a chrome extension just because it's easier to use (i.e. not everyone has chrome). To repackage the page as an extension would be rather trivial I think.
>
> Also the site is a 1 page app with no server. Therefore SSL is not required as the only communication is retrieving TX information and sending TX which are all public knowledge anyway.

I see.

There is a problem with that ajax part - what you really want is cross-domain XHR, with no proxies (YQL). However github will not send the necessary header for that to work - github won't send access-control-allow-origin: *.

What you're saying would make sense if you hosted the site at your server, and you'd send the necessary header. I'll do the checker then for you

Another option may be some sort of bookmarklet, but that's rather user-unfriendly :/