This repository has been archived by the owner on Jan 7, 2022. It is now read-only.
A malicious lightwalletd could spoof user accounts by "censoring" a username registration message #517
According to the Zcash wallet app threat model, a malicious lightwallet server can hide certain transactions from the user.
Our user registration system, however, assumes that all username registrations will be available to everyone. This is true in a fully synced full node, but not true in the lightwallet context.
Proposal:
We should provide an API for username registration.
Advantages:
We can also add some protections against our service misbehaving: