Describe the issue
Using gateway.ipfs.io when resolving ENS sites is dangerous. It allows all dapps to have access to each other's cookies as well as to local storage. Research should be done into how this could be mitigated in order to protect users.
Depending on how the new metamask opt-in feature works, this may also be dangerous. If it is domain wide, all dapps called through their ENS name are automatically permitted to use metamask.
Could this be done by potentially adding a custom host to a user's hosts file that resolves all *.ens domains to a custom local server which then simply replaces content?
Potentially helpful examples
This might be helpful: https://github.com/ricmoo/meeseeks-app
@ligi the most ideal way would be if we find a method to have the browser respect it as *.eth.
Could have a subdomain, first 16 hex of the hash: 0x12345612.gateway.ipfs. So the non-subdomained page redirects, and the second one checks the URL against the subdomain? Then all different pages would be domain siblings, and not have access to each other's cookies... ?
@holiman depending on how the cookies are registered the flaw may still exist. If a domain uses *.gateway.ipfs. cookies rather than ones with the subdomain included, you run into the same issue.
No, they can opt in to have the parent access them, they still can't access siblings
I thought *.bar.com will be both accessible for foo.bar.com and baz.bar.com. That's at least how I remember cookie policies.
Some helpful pointers:
IPFS content identifiers encoded as CIDv1 in Base32 are case-insensitive and can be used as authority component in FQDN. This creates Origin-based security perimeter per CID, isolating sensitive websites.
Example:
https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.<foo>.<tld>
Some notes and sample gateways that support that approach can be found in https://github.com/ipfs/in-web-browsers/issues/89
See https://github.com/ipfs/ipfs/issues/337#issuecomment-435356238 for commandline conversion steps from case-sensitive Base58 to cidv1b32.
This is an important report before sites rely on ENS/IPFS for hosting dapps. Sounds like a simple first step would be for Infura's gateway to use subdomains for the ipfs hash. I will notify them now.
@decanus No, foo.bar.com and baz.bar.com aren't shared, unless they both 'relax' into .bar.com via setting document.domain . I'm fairly certain, but I wouldn't take poison on it before I have tested a bit
Actually, document.domain doesn't have anything directly to do with cookies, but the cookie jar policy is close to, though not identical to, the same-origin policy.
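The cookie-scoping question in the exchange above (@holiman and @decanus on whether sibling subdomains can share cookies, and the document.domain remark) is decided by the domain-matching rules of RFC 6265, which are indeed separate from the same-origin policy that governs localStorage. As an added example, not code from this thread, MetaMask or any browser, here is a toy cookie jar that applies those rules: host-only cookies (no Domain attribute), cookies that opt into a parent domain via Domain=, and the Public Suffix List check that browsers use to refuse such opt-ins for registrable suffixes. The host names and the PSL entry are constructed.

```javascript
// Added example (not code from this thread, MetaMask or any browser): a toy cookie
// jar applying the RFC 6265 rules that decide which hosts receive a cookie set from
// one gateway subdomain. Host names are constructed. Node.js, no dependencies.

// RFC 6265 section 5.1.3: a host domain-matches a domain string if it is equal to
// it or is a subdomain of it (IP literals are ignored here).
function domainMatch(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  // publicSuffixes stands in for the browser's Public Suffix List: a Domain attribute
  // naming one of these is rejected (section 5.3 step 5), so siblings cannot share.
  constructor(publicSuffixes = new Set()) {
    this.cookies = [];
    this.publicSuffixes = publicSuffixes;
  }

  // Store a Set-Cookie header received from requestHost. Returns false if rejected.
  set(requestHost, setCookie) {
    const [nameValue, ...attrs] = setCookie.split(";").map(s => s.trim());
    const [name, value = ""] = nameValue.split("=");
    requestHost = requestHost.toLowerCase();
    let domain = null;
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=");
      if (k.toLowerCase() === "domain") domain = v.replace(/^\./, "").toLowerCase();
    }
    if (domain === null) {                       // no Domain attribute: host-only cookie
      this.cookies.push({ name, value, domain: requestHost, hostOnly: true });
      return true;
    }
    if (this.publicSuffixes.has(domain)) {       // section 5.3 step 5
      if (requestHost !== domain) return false;  // ignore the cookie entirely
      this.cookies.push({ name, value, domain: requestHost, hostOnly: true });
      return true;
    }
    if (!domainMatch(requestHost, domain)) return false; // section 5.3 step 6
    this.cookies.push({ name, value, domain, hostOnly: false });
    return true;
  }

  // Cookies that would be attached to a request to host (section 5.4 step 1).
  get(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Two dapps served as sibling subdomains of a hypothetical subdomain gateway.
const DAPP_A = "bafyaaaa.ipfs.gateway.example";
const DAPP_B = "bafybbbb.ipfs.gateway.example";

function simulate(publicSuffixes) {
  const jar = new CookieJar(publicSuffixes);
  jar.set(DAPP_A, "session=secretA");                          // host-only, stays with A
  jar.set(DAPP_A, "shared=leak; Domain=ipfs.gateway.example"); // A opts into the parent
  return {
    toA: jar.get(DAPP_A),
    toB: jar.get(DAPP_B),
    toParent: jar.get("ipfs.gateway.example"),
  };
}

console.log("no PSL entry:", simulate(new Set()));
// no PSL entry: { toA: ['session=secretA','shared=leak'], toB: ['shared=leak'], toParent: ['shared=leak'] }
console.log("PSL entry:   ", simulate(new Set(["ipfs.gateway.example"])));
// PSL entry:    { toA: ['session=secretA'], toB: [], toParent: [] }
```

The host-only cookie never leaves the subdomain that set it, while a cookie that names the parent in its Domain attribute is sent to the parent and to every sibling, which is the case raised above. The operator-side fix is to get the gateway's parent label onto the Public Suffix List, after which browsers drop such Domain= cookies; localStorage and IndexedDB need no such step because they are keyed strictly by origin.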
@danfinlay I think the most elegant solution would be if the solution implemented in ens-chrome-extension was used. Then there is also no need to even redirect a user.
@danfinlay https://chrome.google.com/webstore/detail/ens-gateway-eth-domain-br/jkaiofboahfpipgijdgdmbdldlgcipgo Just found this extension written by @briansoule, maybe he can offer some insights.
@decanus Oh really, it preserves the URL and doesn't do a redirect? I'm amazed we hadn't seen that yet. Thanks for bringing it up! @PhyrexTsai!
@danfinlay @decanus Happy to go through the tech with you and possibly merge it into MetaMask
@briansoule is the extension open source?
Not currently, we were planning on open sourcing it. Wanna jump on a call tomorrow?
Sure, send me a mail dean@ens.domains, let's get @danfinlay to join us.
@decanus @danfinlay
Cool, this is a very nice feature.
As for my design using a redirect to the IPFS hash, it is due to current user behavior and experience: it is intuitive to be redirected to the content right after typing the domain.
I also built surrounding tools to look up the information of the corresponding domains, link: https://explorer.portal.network
__This issue now has a funding of 300.0 DAI (300.0 USD @ $1.0/DAI) attached to it as part of the Ethereum Foundation fund.__
__Work has been started__.
These users each claimed they can complete the work by 8 months, 4 weeks ago.
Please review their action plans below:
1) chandrumoses has applied to start work.
I did not understand the requirement but will sort it out during development
2) briansoule has been approved to start work.
Integrate functionality from the ENSGateway browser extension, to resolve sites with a non-redirected url.
Learn more on the Gitcoin Issue Details page.
Hey @briansoule you're good to go on this!
@briansoule Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!
@briansoule are you working on this? If not, let's re-open to see if anyone else has the bandwidth!
@bdresser I don't think he's working on it and I haven't been able to get a hold of him.
@ceresstation or @vs77bb could you remove @briansoule from the bounty so someone else can pick it up?
Sorry guys, haven't had time. I endorse this
@bdresser what is the status of this issue?
@decanus it's not currently being worked on. Bounty has expired if you're willing to extend it @ceresstation.
It looks like we're picking this up internally.
@briansoule would you still be willing to share anything about your implementation for the ENS Gateway extension? Feel free to drop me an email: erik.[email protected]
Will shoot you an email Erik
__The funding of 300.0 DAI (300.0 USD @ $1.0/DAI) attached to this issue has been cancelled by the bounty submitter__
__This issue now has a funding of 300.0 DAI (300.0 USD @ $1.0/DAI) attached to it.__
⚡️ A tip worth 300.00000 SAI (300.0 USD @ $1.0/SAI) has been granted to @pldespaigne for this issue from @rekmarks. ⚡️
Nice work @pldespaigne! To redeem your tip, login to Gitcoin at https://gitcoin.co/explorer and select 'Claim Tip' from dropdown menu in the top right, or check your email for a link to the tip redemption page.
__This Bounty has been completed.__