Security concern - IPFS ENS Resolving #5724

Closed
decanus opened this issue Nov 11, 2018 · 34 comments · Fixed by #7362

Comments

@decanus

decanus commented Nov 11, 2018

Describe the issue

Using gateway.ipfs.io when resolving ENS sites is dangerous. It allows all dapps to have access over each other's cookies as well as over the local storage. Research should be done into how this could be mitigated in order to protect users.

Depending on how the new metamask opt-in feature works, this may also be dangerous. If it is domain wide, all dapps called through their ENS name are automatically permitted to use metamask.

Could this be done by potentially adding a custom host to a user's hosts file that resolves all *.ens domains to a custom local server which then simply replaces content?

Potentially helpful examples

@ligi

ligi commented Nov 11, 2018

this might be helpful: https://github.com/ricmoo/meeseeks-app

@decanus
Author

decanus commented Nov 11, 2018

@ligi the most ideal way would be if we find a method to have the browser respect it as *.eth.

@decanus decanus closed this as completed Nov 11, 2018
@decanus decanus reopened this Nov 11, 2018
@holiman

holiman commented Nov 11, 2018

Could have a subdomain, first 16 hex of the hash: 0x12345612.gateway.ipfs. So the non-subdomained page redirects, and the second one checks the url against subdomain? Then all different pages would be domain siblings, and not have access to each other's cookies... ?

@decanus
Author

decanus commented Nov 11, 2018

@holiman depending on how the cookies are registered the flaw may still exist. If a domain uses *.gateway.ipfs. cookies rather than with the subdomain included you run into the same issue.

@holiman

holiman commented Nov 11, 2018

No, they can opt in to have the parent access them, they still can't access siblings

@decanus
Author

decanus commented Nov 11, 2018

I thought *.bar.com will be both accessible for foo.bar.com and baz.bar.com. That's at least how I remember cookie policies.

@lidel

lidel commented Nov 11, 2018

Some helpful pointers:

IPFS content identifiers encoded as CIDv1 in Base32 are case-insensitive and can be used as authority component in FQDN. This creates Origin-based security perimeter per CID, isolating sensitive websites.

Example:
https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.<foo>.<tld>

Some notes and sample gateways that support that approach can be found in ipfs/in-web-browsers#89

See https://github.com/ipfs/ipfs/issues/337#issuecomment-435356238 for commandline conversion steps from case-sensitive Base58 to cidv1b32.
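
Added example, not part of this comment or of any IPFS or MetaMask code: a dependency-free sketch of the Base58 CIDv0 to Base32 CIDv1 conversion mentioned above, and of the per-CID subdomain URL it enables. The function names, the `gatewayHost` parameter and the all-zero-digest sample CID are assumptions made for illustration.

```javascript
// Added example: CIDv0 (Base58) -> CIDv1 Base32 -> per-CID gateway URL.
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const B32 = 'abcdefghijklmnopqrstuvwxyz234567';

// Base58 (Bitcoin alphabet) via BigInt. Leading zero bytes are not restored,
// which is fine here: a CIDv0 multihash always starts with 0x12.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = B58.indexOf(ch);
    if (v < 0) throw new Error(`invalid base58 character: ${ch}`);
    n = n * 58n + BigInt(v);
  }
  const bytes = [];
  for (; n > 0n; n >>= 8n) bytes.unshift(Number(n & 0xffn));
  return bytes;
}

// Only used to construct the sample input below.
function base58Encode(bytes) {
  let n = 0n, out = '';
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  return out;
}

// RFC 4648 base32, lower case, no padding.
function base32Encode(bytes) {
  let bits = 0, acc = 0, out = '';
  for (const b of bytes) {
    acc = ((acc << 8) | b) & 0xfff; bits += 8;
    while (bits >= 5) { bits -= 5; out += B32[(acc >>> bits) & 31]; }
  }
  return bits ? out + B32[(acc << (5 - bits)) & 31] : out;
}

function cidV0ToV1Base32(cidV0) {
  const mh = base58Decode(cidV0);
  // CIDv0 is a bare multihash: 0x12 (sha2-256), 0x20 (32 bytes), digest.
  if (mh.length !== 34 || mh[0] !== 0x12 || mh[1] !== 0x20) throw new Error('not a CIDv0');
  // CIDv1 = version 0x01, codec 0x70 (dag-pb), multihash; 'b' = multibase base32.
  return 'b' + base32Encode([0x01, 0x70, ...mh]);
}

function subdomainGatewayUrl(cidV0, gatewayHost) {
  const label = cidV0ToV1Base32(cidV0);
  if (label.length > 63) throw new Error('CID does not fit in one DNS label');
  return `https://${label}.ipfs.${gatewayHost}/`; // host is safe to lowercase
}

// Constructed sample: CIDv0 for an all-zero digest (not a real published object).
const SAMPLE_CIDV0 = base58Encode([0x12, 0x20, ...new Array(32).fill(0)]);
```

The resulting label is lower-case only, so it survives the hostname normalisation that would corrupt a case-sensitive Base58 CID.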

@danfinlay
Contributor

This is an important report before sites rely on ENS/IPFS for hosting dapps. Sounds like a simple first step would be for Infura's gateway to use subdomains for the ipfs hash. I will notify them now.

@holiman

holiman commented Nov 12, 2018

@decanus No, foo.bar.com and baz.bar.com aren't shared, unless they both 'relax' into .bar.com via setting document.domain. I'm fairly certain, but I wouldn't take poison on it before I have tested a bit.

@holiman

holiman commented Nov 12, 2018

Actually, document.domain hasn't anything directly to do with cookies, but cookiejar policy is close but not identical to same-origin policy
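
Added example, not part of any comment in this thread: a simplified model of RFC 6265 cookie domain matching next to the same-origin check, applied to two sibling gateway subdomains and to a path-style gateway. The `cid-a`/`cid-b` host names and the `gateway.example` domain are constructed placeholders, and the Public Suffix List is represented by a caller-supplied set, which is an assumption of this sketch.

```javascript
// Added example: cookie scoping versus same-origin for sibling subdomains.

// RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// How a cookie set by `setterHost` is stored. `domainAttr` is the Domain
// attribute (undefined means a host-only cookie). Returns null if rejected.
function storeCookie(setterHost, domainAttr, publicSuffixes = new Set()) {
  const host = setterHost.toLowerCase();
  if (domainAttr === undefined) return { domain: host, hostOnly: true };
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  if (publicSuffixes.has(domain)) {
    // Cookies scoped to a public suffix are refused (or kept host-only).
    return host === domain ? { domain: host, hostOnly: true } : null;
  }
  if (!domainMatch(host, domain)) return null; // cannot set for unrelated hosts
  return { domain, hostOnly: false };
}

function cookieSentTo(cookie, requestHost) {
  if (!cookie) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// localStorage and the DOM are partitioned by origin, not by cookie domain.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function siblingExposure(publicSuffixes = new Set()) {
  const a = 'cid-a.ipfs.gateway.example'; // constructed host names
  const b = 'cid-b.ipfs.gateway.example';
  const parent = 'ipfs.gateway.example';
  return {
    pathGatewaySameOrigin: sameOrigin('https://gateway.ipfs.io/ipfs/cid-a/',
                                      'https://gateway.ipfs.io/ipfs/cid-b/'),
    subdomainSameOrigin: sameOrigin(`https://${a}/`, `https://${b}/`),
    hostOnlyCookieShared: cookieSentTo(storeCookie(a, undefined, publicSuffixes), b),
    parentCookieShared: cookieSentTo(storeCookie(a, parent, publicSuffixes), b),
  };
}
```

In this model, per-CID subdomains separate origins and host-only cookies, while a cookie explicitly scoped to the shared parent domain still reaches every sibling unless that parent is treated as a public suffix.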

@decanus
Author

decanus commented Nov 12, 2018

@danfinlay I think the most elegant solution would be if the solution implemented in ens-chrome-extension was used. Then there is also no need to even redirect a user.

@decanus
Author

decanus commented Nov 12, 2018

@danfinlay https://chrome.google.com/webstore/detail/ens-gateway-eth-domain-br/jkaiofboahfpipgijdgdmbdldlgcipgo Just found this extension written by @briansoule, maybe he can offer some insights.

@danfinlay
Contributor

@decanus Oh really, it preserves the URL and doesn't do a redirect? I'm amazed we hadn't seen that yet. Thanks for bringing it up! @PhyrexTsai!

@briansoule
Contributor

@danfinlay @decanus Happy to go through the tech with you and possibly merge it into Metamask.

@decanus
Author

decanus commented Nov 12, 2018

@briansoule is the extension open source?

@briansoule
Contributor

Not currently, we were planning on open sourcing it. Wanna jump on a call tomorrow?

@decanus
Author

decanus commented Nov 12, 2018

Sure, send me a mail dean@ens.domains, let's get @danfinlay to join us.

@PhyrexTsai
Contributor

@decanus @danfinlay
Cool, this is a very nice feature.
As my design using redirect to IPFS hash is due to the current user behavior and experience, it'll be intuitive to redirect to the content right after typing their domain.

I also built surrounding tools to look up the information of the corresponding domains, link: https://explorer.portal.network

@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 300.0 DAI (300.0 USD @ $1.0/DAI) attached to it as part of the Ethereum Foundation fund.

@gitcoinbot

gitcoinbot commented Nov 30, 2018

Issue Status: 1. Open 2. Cancelled


Work has been started.

These users each claimed they can complete the work by 8 months, 4 weeks ago.
Please review their action plans below:

1) chandrumoses has applied to start work.

I did not understand the requirement but will sort it out during development
2) briansoule has been approved to start work.

Integrate functionality from the ENSGateway browser extension, to resolve sites with a non-redirected url.

Learn more on the Gitcoin Issue Details page.

@spm32

spm32 commented Dec 13, 2018

Hey @briansoule you're good to go on this!

@gitcoinbot

@briansoule Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

  • reminder (3 days)
  • escalation to mods (6 days)


@bdresser
Contributor

bdresser commented Jun 5, 2019

@briansoule are you working on this? If not, let's re-open to see if anyone else has the bandwidth!

@decanus
Author

decanus commented Jun 5, 2019

@bdresser I don't think he's working on it and I haven't been able to get a hold of him.

@bdresser
Contributor

bdresser commented Jun 5, 2019

@ceresstation or @vs77bb could you remove @briansoule from the bounty so someone else can pick it up?

@briansoule
Contributor

briansoule commented Jun 5, 2019 via email

@decanus
Author

decanus commented Jul 9, 2019

@bdresser what is the status of this issue?

@bdresser
Contributor

bdresser commented Jul 9, 2019

@decanus it's not currently being worked out. Bounty has expired if you're willing to extend it @ceresstation.

@rekmarks
Member

It looks like we're picking this up internally.

@briansoule would you still be willing to share anything about your implementation for the ENS Gateway extension? Feel free to drop me an email: erik.marks@consensys.net

@briansoule
Contributor

briansoule commented Aug 28, 2019 via email

@rekmarks rekmarks self-assigned this Aug 29, 2019
@gitcoinbot

Issue Status: 1. Open 2. Cancelled


The funding of 300.0 DAI (300.0 USD @ $1.0/DAI) attached to this issue has been cancelled by the bounty submitter

@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 300.0 DAI (300.0 USD @ $1.0/DAI) attached to it.

@pldespaigne pldespaigne mentioned this issue Nov 7, 2019
3 tasks
@gitcoinbot

⚡️ A tip worth 300.00000 SAI (300.0 USD @ $1.0/SAI) has been granted to @pldespaigne for this issue from @rekmarks. ⚡️

Nice work @pldespaigne! To redeem your tip, login to Gitcoin at https://gitcoin.co/explorer and select 'Claim Tip' from dropdown menu in the top right, or check your email for a link to the tip redemption page.

@gitcoinbot

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This Bounty has been completed.

Additional Tips for this Bounty:

  • rekmarks tipped 300.0000 SAI worth 300.0 USD to pldespaigne.
