aaroncox/vessel

vessel consistently tries to do reads from nodes i don't trust and don't want to use

Opened this issue · 4 comments

sneak commented

Vessel connects to RPC nodes run by random third parties from some internal list outside of the broadcast node I have specified on the main home screen.

This is unacceptable from a security application; I have no idea if Vessel is transmitting data that I don't want transmitted to those nodes. Additionally, RPC nodes are trusted, and I have no way of knowing if those nodes are being honest. Vessel should only connect to the RPC node I specify on the home screen, in my opinion.

Vessel only attempts to connect to a preset list of servers if you click "change servers" (after being disconnected from your primary node). I'm not sure what you mean by "consistently tries to do reads from nodes" unless you're using that feature.

And for the record, it's not transmitting any data about you - it's calling to load the global props to see if those servers are available.

client.database.getDynamicGlobalProperties().then((props) => {
let servers = Object.assign({}, this.state.servers);
servers[server.replace('wss', 'https')] = props.time;
this.setState({servers});
});

sneak commented

Vessel should only connect to the RPC node I specify on the home screen, in my opinion.

You're right in that It's unnecessary for the automatic "is this server available" call and I can remove that. While it doesn't leak any portions of your actual wallet information with the call, it does say "hey look at me, I'm a computer with a steem wallet" which could be a risk and shouldn't be forced on users.

Also sorry - after rereading my response to you I also realize I wasn't all that direct in addressing the concern, and just ended up stating how it functions in a defensive tone. What I was trying to ask (terribly, mind you) was if you were seeing these connections occur anywhere besides that server selection screen. It isn't intended if so and is an oversight.

While I don't have any releases planned in the immediate future, I'll flag this as something for the next version.

sneak commented

With no ability to see what it is sending, without auditing the code in my copy, I don’t know what it is or isn’t sending.

If it connects only to a node I know and trust, it could in theory send almost anything it wants (save for a comment with my private key’s WIF in the text) and it would probably be okay.

I know that I won’t personally feel safe using it for high value things until/unless I audit the code thoroughly or it makes precisely one TCP connection to a node that I trust/control.