Use https if possible when communicating with etherscan #23
Comments
Yes, exact same issue here. Initially we used https for every request but decided to switch to http as soon as users started experiencing connection problems on some devices. Not the best solution, but I wasn't able to reproduce this issue on my devices, nor do I know whether pinning the certificate in the app would resolve this issue on those devices either.
Thanks for the answer! It is not only a privacy problem - this way it is also open for man in the middle. Ideally I would also like to pin the certificates - but if there is a fall-back to http anyway it is kind of pointless... Currently I have only seen this on 5.x devices - but on none of mine, unfortunately...
Sure, it leaves a door open to MIT attacks, but there's not much a MIT attacker can do here. He can spoof and sniff your responses like balances and transactions, but I don't see how that could lead to users' funds being at risk. An attacker might prevent transactions from being broadcast to the network, but that's about the worst-case scenario of a MIT attack I can think of. Not saying that this isn't an issue, but that's what I meant when I said I think of it more as a privacy concern than a real-world security threat where users' funds are at risk.
Imagine a localethereum or merchant-like situation - via man in the middle an attacker could pretend he has paid you the money when in fact he has not. We really need working light clients - but until then, at least https ;-)
Fair point. Well, I'll try to contact etherscan about this issue too; maybe it helps if they hear it from two wallet devs.
Currently plain http is used:
Lunary-Ethereum-Wallet/app/src/main/java/rehanced/com/simpleetherwallet/network/EtherscanAPI.java, line 169 in da97ec6
I think I know why you do it: walleth/walleth#134
But on some devices https works, so perhaps http should be a fallback and not the default.
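One way to act on the thread's conclusion (https as the only transport, with certificate pinning and no silent fallback), as an added example that is not the project's code: it assumes OkHttp 3.x is available, and the pin value is a placeholder that must be replaced with the real SPKI hash taken from api.etherscan.io's certificate chain.

```java
// Added example, not Lunary's own code: an HTTPS-only Etherscan client with certificate pinning.
// Assumes OkHttp 3.x on the classpath. The pin value is a PLACEHOLDER and must be replaced with
// the real SPKI hash of api.etherscan.io's certificate chain before use.
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.HttpUrl;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedEtherscanClient {
    private static final String ETHERSCAN_HOST = "api.etherscan.io";
    // PLACEHOLDER: "sha256/" + base64(SHA-256 of the SubjectPublicKeyInfo); take it from the live chain.
    private static final String ETHERSCAN_PIN = "sha256/REPLACE_WITH_REAL_SPKI_HASH=";

    private final OkHttpClient client;
    public PinnedEtherscanClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(ETHERSCAN_HOST, ETHERSCAN_PIN)
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                // Rewrite any http:// Etherscan URL to https:// rather than ever sending it in clear.
                .addInterceptor(new Interceptor() {
                    @Override
                    public Response intercept(Chain chain) throws IOException {
                        Request req = chain.request();
                        HttpUrl url = req.url();
                        if (ETHERSCAN_HOST.equals(url.host()) && !url.isHttps()) {
                            HttpUrl upgraded = url.newBuilder().scheme("https").build();
                            req = req.newBuilder().url(upgraded).build();
                        }
                        return chain.proceed(req);
                    }
                })
                .build();
    }

    // A pin mismatch throws javax.net.ssl.SSLPeerUnverifiedException; the caller should show an
    // error to the user instead of retrying over plain http, which is what the thread warns against.
    public String getBalance(String address) throws IOException {
        String url = "https://" + ETHERSCAN_HOST + "/api?module=account&action=balance&address=" + address;
        Request request = new Request.Builder().url(url).build();
        try (Response resp = client.newCall(request).execute()) {
            return resp.body().string();
        }
    }
}
```

A TLS failure on a device then becomes a visible error for the user rather than an unnoticed downgrade, which is the behaviour the comments above argue for.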