Comment on Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency by Mickey

Share on facebook
Share on twitter
Share on linkedin
Share on reddit

This is interesting. The fact that they were able to use BGP to access a domain-validated certificate is pretty disconcerting.

I think it’s a fair point that the vendor should have had better controls. The javascript library is obviously front-end, and the near-universal rule is never trust anything from the client, right?

The protections from TLS via PKI are, imho, “good enough.” In that for most use cases the protect the privacy of the client traffic. But for doing more sensitive operations, you always increase the surface area. There should be at least a 3-pronged validation approach to prevent this sort of compromise (similar to how Stripe requires verification from your server and directly from the client to process a request).

Read more

Explore the site

More from the blog

Latest News