
On 3/13/2018 at 9:27 AM, Vader-DeWelt said:

How do you use this toolkit to avoid issues like this one with Ethereum?

https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/#more-151

I'm going to assume that offline signing, in an app that does not allow itself to be controlled via JSON-RPC, would be fine?

Don't know as much as I should about Ethereum, but does the wallet really run an RPC server? Why would you do that? That seems like a bad idea right out of the gate. Advantages?

That attack vector only applies when you:

1. Have a wallet with an unsecure RPC server running

2. Have a user that is browsing the web normally while that wallet/RPC server is running

Neither of these applies to any XRP wallet that I know of, so that specific attack vector is not one that's going to apply to really any XRP user.

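The first condition in the reply above, a local RPC server that accepts any request, is what DNS rebinding relies on: requests from a rebound page still carry the attacker's hostname in the Host header, so a loopback service can refuse them. The sketch below is an added Python example, not part of the original posts; the port, allowlist and sample hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for this example: names a loopback-only service is
# legitimately reached by, and the port it listens on.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
RPC_PORT = 8545


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS, port=RPC_PORT):
    """Return True only if the Host header names this local service."""
    if not host_header:
        return False
    value = host_header.strip()
    # A Host value never contains a path, userinfo, query or whitespace.
    if not value or any(c in value for c in "/@?# \t"):
        return False
    try:
        # urlsplit handles "name", "name:port" and "[v6]:port" forms.
        parts = urlsplit("//" + value)
        name, seen_port = parts.hostname, parts.port
    except ValueError:  # malformed port or unbalanced IPv6 bracket
        return False
    if name is None:
        return False
    if seen_port is not None and seen_port != port:
        return False
    return name in allowed


# Constructed sample requests: (description, Host header value).
SAMPLES = [
    ("local client by address", "127.0.0.1:8545"),
    ("local client by name", "localhost:8545"),
    ("IPv6 loopback", "[::1]:8545"),
    ("page served from a rebound domain", "rebind.attacker.example:8545"),
    ("missing header", ""),
    ("malformed port", "localhost:85x5"),
]


def screen(samples=SAMPLES):
    """Map each sample to the decision the server should take."""
    return {d: ("serve" if host_is_allowed(h) else "reject") for d, h in samples}


if __name__ == "__main__":
    for desc, verdict in screen().items():
        print(f"{verdict:7} {desc}")
```

A check like this belongs before any JSON-RPC method is dispatched, and it complements rather than replaces authentication on the RPC endpoint.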

I'm a little confused because I would think that the moment someone said "Oh, I'm working on a wallet, and it's going to offer its services via its own RPC" I would expect the entire community to rise up and say in one really loud voice "OH NO DON'T DO THAT. RECIPE FOR DISASTER!!!"

But no. I keep thinking of the very first episode of "Mad Men" where they're saying "people are attracted to things that will hurt them..."
