Replying to Avatar nerd2ninja; ©️📺

#[0] Hey Tony. I couldn't help but notice that the web address to access mutiny wallet is something other than the expected 127.0.0.1 or localhost.

Why is that? This is just Beta demo stuff right? The release will be better than this right?
Avatar
nerd2ninja; ©️📺 2y ago

https://app.mutinywallet.com/

This is the wallet? A software update is reloading the browser? There is no reverting versions because you disagree with the the new update, there is no verification before you load the new version (without special tooling). We just sorta hope the DNS server points to the IP its supposed to and that your webserver fingerprinting everyone's web browser isn't going to selectively rug pull.

I just thought this would be a file you download and then paste the file location into your web browser, I just assumed an expectation that a sandboxes browser like we have on f-droid that goes by that name would be the defacto suggestion for running this thing.

It was one thing to talk about web browser CVEs, but now we gotta talk about the web server getting a backdoor in it and selectively serving a different page based on fingerprinting information. You're killing me here!

Reply to this note

Please Login to reply.

Discussion

Avatar
nerd2ninja; ©️📺 2y ago

Of course you *can* self host it. Of course you *can* wget or right click save as after the page is loaded, but the user flow presented means no one is going to think they need to do that

Avatar
Yaco 2y ago

Seems to be worried about distribution. So DNS and the auto updates PWA's do.

Avatar
nerd2ninja; ©️📺 2y ago

My mind goes through various attack points, but to be a little more simple about the thought process, I see a way to do better, and I don't understand why doing less than the optimal as a matter of expectation would be a desirable project goal.

Avatar
w3ird_ 2y ago

what's the optimal? what expectations did you have that a PWA doesn't hit?

Avatar
nerd2ninja; ©️📺 2y ago

1. Locally hosted.

2. Sanctioned off from other shit.

Its like I said. A file that you download and load the file location of into a browser that isn't the same app you "watch free online" in.

It isn't that its a pwa, its that its a pwa that took no effort to minimize its attack surface. If you're gonna put money in a web browser, the most heavily researched application in I.T. for exploits with a wild environment that just executes whatever the site you visit gives it, I would think its because you have a very good excuse with very good risk minimization.

When I saw that this app was called "mutiny" I thought ah yes, the solution you go to when the app store has taken everything from you and the device you're on doesn't have "jailbreaking" instructions yet. What I was not thinking was that the app would commit a mutiny on your sats.

We live in a world of links that are 1 letter off, of people who think the internet is down when DNS gets shut off by a government or ddosed or just has a bad day, its a post "atomic wallet" world. A world where people have already lost money from malicious updates. A world where we gotta be talking about verifying applications before we run them, not for nerds who are extra, but as an expectation for grandmas. Nobody wants to make the ux to verify better, they just want to make things vulnerable and make "ux" an excuse for it.

Normalize basic security habits and quit normalizing the unsanitary computer practices.

Avatar
nerd2ninja; ©️📺 2y ago

There isn't even a damn version number on the thing Tony! If I'm trying to use this in a version controlled way as I described, how am I supposed to know what version I'm on?

Avatar
nerd2ninja; ©️📺 2y ago

Point me at a nostr client that supports keysend for zaps and I very much will. I'm only using SN to receive zaps for compatibility reasons. I got blixt wallet rearing to go. Got Phoenix too, but they aren't done with bolt 12. I've actually been actively complaining about this.

I also have a hash checker ready to go: https://github.com/hash-checker/hash-checker

So that I can verify what I'm downloading.

So if you had a release in your releases I could verify the hash.

Avatar
nerd2ninja; ©️📺 2y ago

Really Tony? We're really stuck on this f-droid thing right now? The point isn't that it came from f-droid Tony. It could be Opera or Chrome or Firefox or anything! The point is just that its not the same browser as your daily driver.

Avatar
nerd2ninja; ©️📺 2y ago

And what do you mean "minimized web assembly code you can't read"? Why wouldn't I be able to read it? I don't know what the vendetta with f-droid here is, and I don't know what version of f-droid caused you such a vendetta, but I do actually get a link to the source code in my version.

I can take that I'm wrong to suggest a particular browser, it is no longer maintained after all.

Here's the reason it was abandoned:

https://github.com/tobykurien/WebApps/issues/253

"Unfortunately the bad news is that I will probably stop supporting this app this year, despite this app being a labour of love and one I'm proud of. The sandbox leaks mentioned in the README, combined with browser fingerprinting, supercookies, FLoC, and other hostile abuses of Web technology, have made me come to the conclusion that the Web is a lost cause for private browsing. Yes, WebApps offers only limited protection, and that protection will probably decrease every year."