Detect insecure addresses without having access to private key | Public API #53
Comments
I see the status of my proposal has changed, thanks Dexaran for taking the time to check my proposal. I am happy to respond to any concerns, also open to suggestions too.
@amj24 I think that it may be a useful proposal, however I'd like to clarify some of its aspects. This is a good idea to create a source of insecure addresses with bad private keys (I don't think that this is the greatest concern for the industry, however it can save some "not so smart" users) and provide an API. On the other hand, maintaining an API is not that important if we can just hardcode a list of insecure addresses in CEW and periodically update it (say once a month). CEW (MEW) must check whether the unlocked address is insecure according to the address list and pop up a big red banner saying "Warning! Your funds are insecure, please create one more address and transfer your funds there". This is not a problem of Callisto, but this is a global problem of all Ethereum-compatible networks. That's why I think that this must be chain-independent. If the address had some transactions on the Callisto network then the same address is insecure in Ethereum, ETC, UBQ, Musicoin and other Ethereum-compatible networks.
I'm ready to negotiate the funding goal of this proposal.
@amj24 are you still interested in this proposal development?
@Dexaran I am interested. In fact, I am working on a prototype. At first glance it might seem that only "not so smart users" are the ones who can benefit most here, but I believe the use cases are actually limitless; it can be used by anyone: nodes, wallets, exchanges and end users. I believe that exchanges will be very interested in operating in a safe environment and dealing with secure addresses since it reduces the issues among their end customers. It took me plenty of time to do the research and evaluate the risks. I was doing it for fun initially. Once I found some positive balances, I didn't want to bother a lot and started looking for possible solutions to prevent that, and that brought me here to bring light to this matter. Anyway, here is my take on the points that you have proposed.
My goal is to list addresses only, no private keys attached or stored in any form or anywhere in the API server(s). The project will evolve with time and I thought about the API as a starting point that I can deliver. I am still going to finish up with the project. I want to support as many blockchain projects as possible. I strongly invite Callisto to make a contribution to this project and in return Callisto will be mentioned as an honorary founder/sponsor of this project and have access to the API for life. I can make a prototype live by the end of this month so I can showcase a working product.
Security through obscurity is not that good an approach. I'm still in favor of a transparent description.
Yet I don't see any real benefit in maintaining API servers after the creation of the database of insecure addresses. In my opinion it would be better to publish the database and store it, for example, in IPFS. I'm accepting this proposal for now and you will receive payments as soon as you publish the working product, but this may be reconsidered later.
Proposal
Offer a public API for Ethereum based addresses to detect insecure addresses without having access to private key.
Description
Background:
I made random checks on several blockchain projects to evaluate the safety of the addresses used. I collect all addresses in the blockchain and check them against my database of addresses generated with dummy private keys.
You might wonder why? Basically I do it for fun and out of curiosity too; no harm was intended.
While evaluating addresses on the CLO blockchain, I have found several addresses that have a positive balance. Some addresses seem old and actually active. They have one of the weakest private keys ever.
Insecure addresses could probably be generated due to bad code (dev stage of an app/software) or by end users (newcomers); there is a risk of fund loss.
The idea & solution:
As soon as I noticed the issue I started wondering what is the best option to notify / alert the owners of such addresses. Definitely showing that publicly on a block explorer is not a good idea as it might encourage a targeted attack. So as long as the user has access to the wallet (see possible use cases below), it should be the safest option.
Solution: Create a database of addresses based on dummy private keys that are weak / leaked (see the milestones section below).
Project Goals:
Reduce the risk of using vulnerable private keys.
Warn end-user if:
=> Offer higher reliability for the community especially the ones who lack proper knowledge. Less frustration = More trust.
Possible Use cases: (Callisto web wallet)
Any Ethereum based wallet with access to this API can discreetly show a warning message to the end user (see the screenshot; the message is highlighted in red and located on the right; click on the image to view full size).
A user who attempts to send coins to an address with a weak PK can get a helpful message, especially in the event of migrating coins to another wallet. See the message under the "To address" box.
Other use cases:
Any 3rd party app that wants to work in a secure environment, CLO nodes can show an informative message when dealing with similar addresses in the mainnet.
Milestones:
Example:
0000000000000000000000000000000000000000000000000000000000000001
1111111111111111111111111111111111111111111111111111111111111111
2222222222222222222222222222222222222222222222222222222222222222
With permutations and slight changes, it's possible to cover millions of private keys. I can showcase private key generation in a short video.
Private keys generated with the help of security dictionaries such as https://github.com/topics/dictionary-attack
Private keys that are leaked publicly (requires an active crawler).
Only addresses will be produced, without any private key attached. These addresses might be saved in an integer friendly format so they can be indexed and retrieved easily.
Disclaimer:
As a believer in CLO, I would like to offer it exclusively for Callisto network. I can provide the data and/or the API access itself and maintain it.
The main goal of this project is to protect the community. I do not plan to commit any unlawful activity.
Funding goal
50K CLO / month to provide and maintain the API.
My address: 0xf07Bc0D791103480F8F0Ee95F1b2758627D9a080
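A wallet-side version of the check discussed in this thread (a published insecure-address list stored in the "integer friendly" form from the Milestones section, consulted at unlock and when filling the "To address" box), as an added example that is neither the proposal's code nor CEW/MEW's; the snapshot addresses are constructed placeholders, not real addresses derived from weak keys:

```javascript
// Added example, not code from the proposal or from the CEW/MEW wallet.
// Models the wallet-side check: a published list of addresses derived from
// weak private keys, stored as integers, consulted on unlock and on send.

// Normalise any 0x-prefixed or bare, upper- or lower-case hex address into the
// "integer friendly" form the proposal suggests, so mixed-case (EIP-55) and
// lower-case spellings of the same address map to one lookup key.
function addressToInt(addr) {
  const m = /^(0x)?([0-9a-fA-F]{40})$/.exec(String(addr).trim());
  if (!m) throw new Error("not a 20-byte hex address: " + addr);
  return BigInt("0x" + m[2]);
}

// A snapshot of the insecure-address list as a wallet would bundle it; the
// version field lets the wallet tell a stale copy from the periodically updated one.
class InsecureAddressList {
  constructor(snapshot) {
    this.version = snapshot.version;
    // BigInt is a primitive, so Set membership compares by numeric value.
    this.keys = new Set(snapshot.addresses.map((a) => addressToInt(a)));
  }
  contains(addr) { return this.keys.has(addressToInt(addr)); }
}

// Two wallet hooks matching the proposal's use cases: one at unlock, one while
// composing a transaction. Each returns a verdict the UI can render as a banner.
function checkUnlockedAddress(list, addr) {
  if (!list.contains(addr)) return { insecure: false, message: "" };
  return { insecure: true,
           message: "Warning! Your funds are insecure: this address was derived from a " +
                    "weak private key. Create a new address and transfer your funds there." };
}
function checkRecipient(list, to) {
  if (!list.contains(to)) return { insecure: false, message: "" };
  return { insecure: true,
           message: "The destination address is known to be insecure; coins sent there may be lost." };
}

// CONSTRUCTED sample snapshot: placeholder values only, not real addresses
// derived from the weak keys listed in the proposal.
const SAMPLE_SNAPSHOT = {
  version: "2018-09-01",
  addresses: [
    "0xAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAa",
    "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
  ],
};
const sampleList = new InsecureAddressList(SAMPLE_SNAPSHOT);
```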