vessel consistently tries to do reads from nodes i don't trust and don't want to use #91

Open
sneak opened this issue Apr 23, 2018 · 4 comments
@sneak

sneak commented Apr 23, 2018

Vessel connects to RPC nodes run by random third parties from some internal list outside of the broadcast node I have specified on the main home screen.

This is unacceptable from a security application; I have no idea if Vessel is transmitting data that I don't want transmitted to those nodes. Additionally, RPC nodes are trusted, and I have no way of knowing if those nodes are being honest. Vessel should only connect to the RPC node I specify on the home screen, in my opinion.

@aaroncox
Owner

Vessel only attempts to connect to a preset list of servers if you click "change servers" (after being disconnected from your primary node). I'm not sure what you mean by "consistently tries to do reads from nodes" unless you're using that feature.

And for the record, it's not transmitting any data about you - it's calling to load the global props to see if those servers are available.

```js
client.database.getDynamicGlobalProperties().then((props) => {
  let servers = Object.assign({}, this.state.servers);
  servers[server.replace('wss', 'https')] = props.time;
  this.setState({servers});
});
```

@sneak
Author

sneak commented Apr 28, 2018

Vessel should only connect to the RPC node I specify on the home screen, in my opinion.

@aaroncox aaroncox added the bug label Apr 28, 2018
@aaroncox
Owner

You're right in that it's unnecessary for the automatic "is this server available" call and I can remove that. While it doesn't leak any portions of your actual wallet information with the call, it does say "hey look at me, I'm a computer with a steem wallet" which could be a risk and shouldn't be forced on users.

Also sorry - after rereading my response to you I also realize I wasn't all that direct in addressing the concern, and just ended up stating how it functions in a defensive tone. What I was trying to ask (terribly, mind you) was if you were seeing these connections occur anywhere besides that server selection screen. It isn't intended if so and is an oversight.

While I don't have any releases planned in the immediate future, I'll flag this as something for the next version.

@sneak
Author

sneak commented Apr 28, 2018

With no ability to see what it is sending, without auditing the code in my copy, I don’t know what it is or isn’t sending.

If it connects only to a node I know and trust, it could in theory send almost anything it wants (save for a comment with my private key’s WIF in the text) and it would probably be okay.

I know that I won’t personally feel safe using it for high value things until/unless I audit the code thoroughly or it makes precisely one TCP connection to a node that I trust/control.
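The policy requested in this thread, outbound connections only to the node the user configured, sketched as an added example. It is not Vessel's code: `nodeOrigin`, `createPinnedConnector`, `probeServers` and the `connect` callback are hypothetical names, and the hostnames in any usage are constructed.

```javascript
// Added example: pin every outbound RPC connection to the one configured node.
// All names here are hypothetical; this is not Vessel's API.

// Normalize a node URL to scheme + host + port so wss://host and
// wss://host:443/ compare equal. Only TLS schemes are accepted.
function nodeOrigin(url) {
  const u = new URL(url); // throws TypeError on malformed input
  if (u.protocol !== 'wss:' && u.protocol !== 'https:') {
    throw new Error(`refusing non-TLS scheme: ${u.protocol}`);
  }
  // user@host forms can make a URL look like it targets another host.
  if (u.username || u.password) throw new Error('credentials in URL not allowed');
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port || '443'}`;
}

// Wrap the real connect function so nothing else in the app can open a
// socket to a node other than the trusted one. Refusals are recorded.
function createPinnedConnector(trustedUrl, connect) {
  const trusted = nodeOrigin(trustedUrl);
  const blocked = []; // audit trail of refused destinations
  return {
    blocked,
    open(url) {
      let origin;
      try {
        origin = nodeOrigin(url);
      } catch (err) {
        blocked.push({ url, reason: err.message });
        throw err;
      }
      if (origin !== trusted) {
        blocked.push({ url, reason: 'not the configured node' });
        throw new Error(`blocked connection to ${origin}`);
      }
      return connect(url);
    },
  };
}

// The availability probe discussed above, routed through the guard:
// only servers the policy allows are ever contacted.
function probeServers(candidates, connector) {
  const reachable = [];
  for (const server of candidates) {
    try {
      connector.open(server);
      reachable.push(server);
    } catch (err) { /* refused; see connector.blocked */ }
  }
  return reachable;
}
```

The `blocked` list gives a user or tester a way to see which destinations the application attempted without auditing every call site.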
