Advanced safety considerations for secure Cardano and Web usage

There have been great tutorials for your Cardano-Node security settings by VRITS, but many users access and manage their ADA on home devices. This tutorial aims at explaining security risks together with solutions for a safer web experience.

StablePool 18-09-2020, 13:38 · 6 mins read

Security and the Internet are like a chicken-and-egg problem. If you are connected to the web, you are at risk; if you are not connected to the web, you don't have the proper updates on your device and are also at risk. So how does one close potential back-doors?

The answer is pretty simple: it's not possible to be completely safe on the web. Especially with things like the Meltdown attack, users have to accept that there might be ways to compromise their devices on a sub-OS level.

Still, the world banking economy and a lot of blockchains run smoothly and demonstrate that it is possible to run a safe machine online, keeping in mind the security settings advised by VRITS in their great article:
https://cardanojournal.com/is-your-server-secure-or-did-you-leave-your-front-door-open-85
which is the basis of any safe operation of your Cardano-Nodes.

On the other hand, the above examples illustrate that the only way to complete safety is to run a machine in a so-called "safe-by-design" setup. This means, for example, having your computer disconnected completely from the web, which - by design - eliminates the possibility of someone compromising your device via the internet. This is the advised setting for the node which is used to sign transactions - the node which contains your cold keys. Following this simple precaution automatically eliminates the risk of your cold keys being stolen via the web. On the other hand - if the device is not encrypted - it is possible to physically steal the computer from your home - thereby stealing your cold keys and the access to all your ADA on your pool. For this reason the encryption of the cold keys is highly advised - software like VeraCrypt can encrypt your files in a safe container, thereby protecting your keys from being physically stolen. Be sure to have your cold keys in multiple encrypted locations.


But what about all the users and stakepool operators out there, accessing the internet via their home-routers?

Here the same principles apply as for usual goods. Where is the most dangerous location for your information? It's on the road, like with real goods! So how can one protect internet packets? By sealing all the intrusion points.

1. A first thing to advise is protecting the road of your packets. The internet is of course built from machines interacting through the IP protocol, so if you access a website you really access the IP of the server hosting this website. And the one telling you the IP of the hosted website is your Domain Name System (DNS) server. So - if you access for example cardanojournal.com - you really don't know what you are accessing, and your DNS tells you which IP the cardanojournal.com website really has. If your DNS is compromised, however, you can be fooled and sent to imitation sites! Check your DNS on Linux by first installing resolvconf if you don't have it:

sudo apt install resolvconf

You can print your DNS servers by:

cat /etc/resolv.conf

Which gives some lines plus:

nameserver xxx.xxx.xxx.xxx

Which is the IP of your DNS. Check whether this DNS is the DNS of your internet service provider (ISP); if not, your device might be compromised.

Furthermore, the DNS provider knows all your visited websites and saves them, in most countries, for some months. Your DNS provider might even censor the Web - by sending you to different sites if you access a censored site. This is why it is highly advisable to choose a proper DNS which is in accordance with your wants. A fast, free, reliable and uncensored DNS is run by https://blog.uncensoreddns.org/. Be sure not to edit the resolv.conf file directly, as the changes will be overwritten. Instead, edit your Wi-Fi/LAN internet connection settings and enter the DNS in the DNS section. Reconnect and run cat /etc/resolv.conf again to check that your nameservers match the wanted DNS. For uncensoreddns the output looks like:

nameserver 91.239.100.100

nameserver 89.233.43.71
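
The manual check above can be scripted. The following is an added example, not part of the original article: it reads a resolv.conf-style file and labels each nameserver against the list you expect. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the nameservers in a resolv.conf file with an allow-list.

# Print every address that follows a "nameserver" keyword in the given file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# classify_nameserver IP [EXPECTED...]
#   expected   - the address is on your allow-list
#   local-stub - a loopback resolver (e.g. systemd-resolved on 127.0.0.53);
#                the real upstream servers are listed by `resolvectl status`
#   private    - a LAN address, usually the router forwarding your queries;
#                check the DNS setting on the router itself
#   unexpected - a public address you did not configure: investigate
classify_nameserver() {
    cn_ip=$1; shift
    for cn_want in "$@"; do
        if [ "$cn_ip" = "$cn_want" ]; then echo expected; return 0; fi
    done
    case $cn_ip in
        127.*|::1) echo local-stub ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo unexpected ;;
    esac
}

# check_dns FILE EXPECTED...
# Prints "<ip> <verdict>" per nameserver; returns 1 unless all are expected.
check_dns() {
    cd_file=$1; shift
    cd_rc=0
    for cd_ip in $(list_nameservers "$cd_file"); do
        cd_verdict=$(classify_nameserver "$cd_ip" "$@")
        echo "$cd_ip $cd_verdict"
        [ "$cd_verdict" = expected ] || cd_rc=1
    done
    return "$cd_rc"
}

# Constructed sample file (203.0.113.7 is a documentation-range address).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'nameserver 91.239.100.100' \
    'nameserver 127.0.0.53' 'nameserver 203.0.113.7' > "$sample"
check_dns "$sample" 91.239.100.100 89.233.43.71 ||
    echo "Review every entry not marked expected."
rm -f "$sample"
```

On a real machine, call check_dns /etc/resolv.conf followed by the addresses you configured.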

2. Router safety is an issue!

As all your internet traffic goes through your router, also make sure to configure your router properly! This tutorial will only give some key points, and it is always advisable to check the web for potential threats concerning your router model. Keeping in mind the settings below will, however, bring you closer to a secure web experience.

Check your router password! Most users never change their router passwords and - even if the default user/password are not things like user: admin password: admin - there have been breaches of company data containing the default router passwords. As the router is the gate to the web, it is of utmost importance that it is not compromised! Log into your router and change the default user and password!

Only use WPA2 for Wi-Fi - things like WEP can be hacked in less than 5 minutes.

Disable remote administration - some routers feature it but it's a potential security risk.

Keep your router firmware up to date! Check if there are updates for your router model - if you are running on a very old router where no updates exist - consider contacting your ISP for a new model.

For an extended discussion of router security visit: https://routersecurity.org/

3. Don't browse the web randomly on a machine you use for crypto - it exposes your machine to things like Flash, which have been known to feature intrusion points for malware. Consider installing NoScript, as it blocks most of the unwanted scripts running on web pages.

4. Never - Never - Never expose your crypto holdings! It should be self-explanatory - but there still are people out there blurting out on Twitter how many ADA they bought yesterday. Don't do this, it exposes you as a potential candidate for attack!

5. Stay safe - stay alert: Always follow the latest news on your project, only use proper links for the software, check PGP keys and stay up to date! Most hacks are exposed very fast, and security updates are released sealing the back-doors.

6. Always be alert when handling your crypto - if something seems strange - take a break and check again.

This is only a short list of things to pay attention to in order to stay safe - without the guarantee of complete safety - as it doesn't exist.

Image by Gerd Altmann from Pixabay 

Author StablePool
Supplying stable staking to the Cardano blockchain. Hosted with a major German server hoster, 24/7/365 uptime, 8 cores and 8 GB RAM in relay and producer, SSDs.