Board Marketplace
Re: Bounty - Github page to monitor online wallets.
by tumak on 11/06/2013, 09:20:17 UTC
Since your site is hosted via GitHub Pages, what's the point?

An attacker who compromises GitHub will just modify the repo - the site will change along with it :)

gh-pages lacks SSL support though, so I guess this is a (rather strange) way to close the door on evil-hotspot MITM injection attacks?

I'd prefer just an old-fashioned Chrome extension (that is actually a strong guarantee) and SSL for mobile devices.

Other than that, the wallet looks nice, will try to use it with some pocket change for a while :)

Thanks for the reply.

This app would be there to reassure users that the code loaded from the domain is the same as that on the repository. It's possible to redirect the domain away from the repository and therefore deliver a different set of JS files to the user. This would assure them that this had not happened.

I chose an HTML page rather than a Chrome extension just because it's easier to use (i.e. not everyone has Chrome). To repackage the page as an extension would be rather trivial I think.

Also the site is a 1 page app with no server. Therefore SSL is not required as the only communication is retrieving TX information and sending TX which are all public knowledge anyway.

I see.

There is a problem with that AJAX part - what you really want is cross-domain XHR, with no proxies (YQL). However, GitHub will not send the necessary header for that to work - GitHub won't send access-control-allow-origin: *.

What you're saying would make sense if you hosted the site on your server and sent the necessary header. I'll do the checker then for you :)

Another option may be some sort of bookmarklet, but that's rather user-unfriendly :/
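
The check discussed in this thread, as an added example that is not part of any post here and is not the wallet project's code: it compares the files served from the wallet's domain with the repository copies by SHA-256, and reports a file as unreadable when the response lacks the Access-Control-Allow-Origin header the checker page would need. File names, contents, origins and headers are constructed sample data, and header names are assumed to be lowercased.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// A page on checkerOrigin can read a cross-origin XHR response only if the
// server allows that origin (or every origin) in Access-Control-Allow-Origin.
function corsReadable(headers, checkerOrigin) {
  const allow = headers["access-control-allow-origin"];
  return allow === "*" || allow === checkerOrigin;
}

// Compare every repository file with what the wallet's domain served.
function checkServedAgainstRepo(served, repo, checkerOrigin) {
  const report = {};
  for (const path of Object.keys(repo)) {
    const resp = served[path];
    if (!resp) {
      report[path] = "missing";
    } else if (!corsReadable(resp.headers, checkerOrigin)) {
      report[path] = "unreadable";   // browser would block the read
    } else if (sha256(resp.body) !== sha256(repo[path])) {
      report[path] = "MISMATCH";     // domain delivers different code
    } else {
      report[path] = "match";
    }
  }
  return report;
}

// Constructed sample data (hypothetical names and contents).
const CHECKER_ORIGIN = "http://checker.example";
const REPO = {
  "index.html": "<script src='js/wallet.js'></script>",
  "js/wallet.js": "function sign(tx, key) { return tx + key; }",
  "js/util.js": "function hex(b) { return b.toString(16); }",
};
const SERVED = {
  "index.html": { headers: { "access-control-allow-origin": "*" },
                  body: REPO["index.html"] },
  "js/wallet.js": { headers: { "access-control-allow-origin": "*" },
                    body: "function sign(tx, key) { leak(key); return tx + key; }" },
  "js/util.js": { headers: {}, body: REPO["js/util.js"] }, // no CORS header
};

console.log(checkServedAgainstRepo(SERVED, REPO, CHECKER_ORIGIN));
```

A result of "unreadable" says nothing about the file's integrity; it only means the checker could not perform the comparison from a browser.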