This repository has been archived by the owner on Nov 6, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use https when connecting to etherscan.io API for price-info
ab7335d
Privacy note: ~~this doesn't do much;~~ the MITM still sees that you're connecting to Etherscan.io (and therefore, that you're interested in Ethereum). Edit: They can still see that you're running an Ethereum client, based on connections to other known Ethereum nodes.
However, now they don't know that you're checking the PRICE of Ethereum.
Edit: They are now also unable to alter the response, which is a significant improvement.
@danuker I still find it a valuable improvement — with `https` enabled we can (to some reasonable extent) rely on authenticity of the prices fetched from Etherscan. And this authenticity closes, for example, the "price-manipulation" attack vectors, where the client is tricked into sending more money than they should, because some third party was able to alter the content of the Etherscan response mid-flight.
I also think that connecting to Etherscan is far from being the only indicator of the user's interest in Ethereum, given they run a Parity node — and I don't think that it's too hard to determine the fact of running Parity if one has the capability to eavesdrop on the client's traffic.
@kirushik Wow! I didn't think of authenticity. You are absolutely right.
You are also right about detection, I suppose it would be easy to tell that a user is running Parity, or any other client, given their traffic. I guess I had a long day and I'm tired for not realizing that.
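The authenticity point raised in the discussion above can be enforced in code rather than left to a URL string: the following is an added example (not Parity's code) that rejects any price-info endpoint that is not https to an allowlisted Etherscan host and builds a TLS context that verifies the certificate chain and hostname. The price-info path itself is not given on this page, so `PRICE_INFO_URL` uses a placeholder.

```python
import ssl
import urllib.request
from urllib.parse import urlparse

# Allowlist of hosts this client will fetch price-info from (constructed here).
ALLOWED_PRICE_HOSTS = {"etherscan.io", "api.etherscan.io"}
# Placeholder path: the real price-info path is not stated on the commit page.
PRICE_INFO_URL = "https://etherscan.io/PRICE_INFO_PATH_PLACEHOLDER"


def check_price_endpoint(url: str) -> str:
    """Return the URL unchanged if it is https to an allowlisted host, else raise.

    Failing hard on plain http means a later config edit cannot quietly
    reintroduce the unauthenticated fetch that the commit removed.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"price endpoint must use https, got {parts.scheme!r}")
    if parts.hostname not in ALLOWED_PRICE_HOSTS:
        raise ValueError(f"unexpected price host {parts.hostname!r}")
    return url


def endpoint_allowed(url: str) -> bool:
    """Boolean form of check_price_endpoint for callers that prefer not to catch."""
    try:
        check_price_endpoint(url)
        return True
    except ValueError:
        return False


def price_request(url: str) -> tuple[urllib.request.Request, ssl.SSLContext]:
    """Build the request plus a TLS context that verifies chain and hostname."""
    checked = check_price_endpoint(url)
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = urllib.request.Request(checked, headers={"User-Agent": "price-info-check"})
    return req, ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an unauthenticated or mismatched server."""
    return bool(ctx.check_hostname) and ctx.verify_mode.name == "CERT_REQUIRED"


def fetch_price_info(url: str = PRICE_INFO_URL, timeout: float = 10.0) -> bytes:
    """Fetch the price response over verified TLS (network call, not run offline)."""
    req, ctx = price_request(url)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()
```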