Dash Treasury

A Few Words About Security

Computer security has been a rapidly escalating arms race for a long time now, but nothing has raised the stakes like crypto-currency. With real money on the line, no longer is security a responsibility limited to researchers and system admins. Bitcoin and other currencies have left behind a massive wasteland of businesses and individuals that have succumbed to heists, hacks, and thefts of all kinds. Some have covered their losses and carried on, others have not.

A wise man learns from his mistakes, but an even wiser man learns from the mistakes of others. The main lesson we should learn from the losses of others is that perfect, 100% solid security is very, very difficult to do right. Even in cases where software security hasn't been at fault, there are situations where the physical security of the hardware itself was the entry point. The infamous Linode heist of 2012 is a perfect example. If we accept the fact that, despite our very best efforts and the work of our very best people, the worst could still go wrong, then we need to look at ways to lower the stakes if and when security is compromised.

The approach we've taken on this site is to hold very little of any value. We have no hot wallet that holds funds. We collect only minimal user information. We delete server log files daily, and many other steps are taken to ensure best practice security measures are exercised throughout.

However, security is often a trade-off with convenience. One of the features we would have liked to add to this site, which we debated very thoroughly, was an option for masternode owners to vote on proposals directly through the web site. Due to the way blockchain voting works, this would have required masternode owners to enter their private voting keys into this site. There would be absolutely no way around that. Clearly, storing a large list of voting keys on the server would be something of extreme value to an attacker. By stealing the keys, an attacker could control the votes and misappropriate treasury funds. Storing these keys would make this site a huge target, and it would put the entire Dash economy at risk.

One suggested solution to the problem of storing the keys on the server would be to use JavaScript to encrypt the keys on the client side before they are sent to the server. To vote, a JavaScript function would prompt the masternode owner for his decryption code, a voting message would be signed on the client side, and no potentially compromising information would ever be sent to the server. On paper, that sounds like a great idea. In reality, it does nothing to solve the underlying problem of exposing private keys in the event of a server breach.

Here's why. The JavaScript code that performs the encryption is sent to the browser by the server. Although anyone can view the source of this code, how many people actually would? More importantly, how many people would review this code every single time they use the site? Of those who do, how many would even understand what they're reading? Perhaps now you see the weakness. If the JavaScript code is compromised, then so too are the private keys. An attacker wouldn't be able to pull the encrypted keys from the database, but it would be every bit as easy for the attacker to change a few simple lines of code in the JavaScript function, a change that could go unnoticed for who knows how long. Or, more simply still, the site's webmaster could be pressured through good old "rubber hose cryptography" (i.e. threats of violence) to make this simple change against his will.

This attack vector is not theoretical. It has happened to other sites and services before. Let's be the wiser one who learns from the mistakes of others rather than having to pay the high price of learning them first hand.

Do not give your private keys to anyone! If you run a web site, be responsible and do not request private keys from anyone!
