
Private key and seed can be sent to the node

Open ghost opened this issue 6 years ago • 1 comments

There is no security issue when the node is local:

    const nano = new Nano({url: 'http://localhost:7076'})

But when the node is not local, such as when the Nanode API is used:

    const nano = new Nano({ apiKey: 'xyzzy' })

the private key and seed can be sent to the remote node and so are no longer secret.

These appear to be the API calls in question:

  • open, account.open and blocks.createOpen
  • send, account.send and blocks.createSend
  • receive, account.receive and blocks.createReceive
  • change, account.change and blocks.createChange
  • key.create
  • key.expand
  • deterministicKey

These calls can be made to sign blocks and generate keys locally using the nacl and blake2b packages that are already part of this repository.

I have submitted pull request #23 which resolves this issue.

ghost avatar Mar 24 '18 10:03 ghost
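As an added example (not code from the nanode repository or from pull request #23), here is a guard that refuses to forward secret-bearing request fields to a node that is not local, which is the check the issue above calls for. The field names `key`, `seed` and `private_key`, the local-host list and the remote URL used in the demo are assumptions, not values taken from the library.

```javascript
// Added example: a defensive guard for an RPC client. Secrets may only travel
// to a local node; a hosted/remote node never receives them.
// Assumed field names: "key", "seed", "private_key" (not from the original page).
const SECRET_FIELDS = new Set(['key', 'seed', 'private_key']);
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);

// True when the node URL points at this machine. Node's WHATWG URL keeps the
// brackets on IPv6 hostnames, hence both '::1' and '[::1]' in the set.
function isLocalNode(nodeUrl) {
  return LOCAL_HOSTS.has(new URL(nodeUrl).hostname);
}

// Walk the request payload and return the dotted paths of every field whose
// name marks it as secret material (nested objects included).
function findSecretFields(payload, prefix = '') {
  const found = [];
  for (const [name, value] of Object.entries(payload)) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (SECRET_FIELDS.has(name)) found.push(path);
    if (value && typeof value === 'object') found.push(...findSecretFields(value, path));
  }
  return found;
}

// Decide whether a request may leave the process. Returns {allowed, secrets}
// and, when blocked, a human-readable reason naming the offending fields.
function checkRpcRequest(nodeUrl, payload) {
  const secrets = findSecretFields(payload);
  if (secrets.length === 0 || isLocalNode(nodeUrl)) {
    return { allowed: true, secrets };
  }
  return {
    allowed: false,
    secrets,
    reason: `request to ${new URL(nodeUrl).host} would transmit: ${secrets.join(', ')}`,
  };
}

// Demo with constructed values (the remote URL is a placeholder, not a real API).
const demoPayload = { action: 'deterministic_key', seed: 'CONSTRUCTED_SEED', index: 0 };
console.log(checkRpcRequest('http://localhost:7076', demoPayload));
console.log(checkRpcRequest('https://remote.example.com/', demoPayload));
```

A client wrapper would call `checkRpcRequest` before every outbound request and throw when `allowed` is false, leaving the local-signing path (nacl and blake2b) as the only way to use a seed or private key with a remote node.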

+1

roccomuso avatar Mar 01 '19 13:03 roccomuso