Due to a Chromium vulnerability affecting all released versions of the Mist Browser Beta v0.9.3 and below, we are issuing this alert warning users not to browse untrusted websites with Mist Browser Beta. Users of the "Ethereum Wallet" desktop application are not affected.
Affected configurations: Mist Browser Beta v0.9.3 and below
Likelihood: Medium
Severity: High
Malicious websites can potentially steal your private keys.
Because the Ethereum Wallet desktop application does not qualify as a browser (it only accepts the local wallet DApp), it is not subject to the same category of issues present in Mist. For now, it is recommended to use Ethereum Wallet instead to manage funds and interact with smart contracts.
Mist Browser's vision is to be a complete user-facing bridge to the Ethereum blockchain and the set of technologies that make up Web3. The browser opens an important path to the next web that our ecosystem is proudly building.
Regarding security, building a browser (an application that loads untrusted code) that handles private keys is a difficult task. Over the last year, we had Cure53 perform an extensive security audit of Mist and considerably improved the security of the Mist browser and the underlying platform, Electron. We promptly resolved the security issues found.
But that is not enough. Security in the browser space is a never-ending battle. The Mist browser is based on Electron, which is based on Chromium. Each new Chromium release fixes many security issues.
The layer between Mist and Chromium, Electron, is a project led by GitHub that aims to ease the creation of cross-platform applications using JavaScript. Recently, Electron has not kept up to date with Chromium, leading to a growing potential attack surface over time.
A core problem with the current architecture is that any Chromium 0-day vulnerability is several patch steps away from Mist: first Chromium must be fixed, then Electron must update its Chromium version, and finally Mist must update to the new Electron version.
We are examining how to cope with Electron's infrequent release schedule, in order to reduce the gap between the Chromium versions we use. From preliminary studies, Brave's Muon (an Electron fork) follows Chromium closely and is a potential option. The Brave browser, which also includes a cryptocurrency wallet integration, has a threat model and security requirements similar to Mist's.
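The update chain described above means the Chromium bundled in an Electron application can trail upstream fixes. The following is an added example, not code from Mist or Electron: it compares the bundled Chromium that Electron reports in `process.versions.chrome` against an operator-supplied minimum. The function names and the sample version numbers are assumptions constructed for illustration.

```javascript
// Parse a dotted Chromium version ("MAJOR.MINOR.BUILD.PATCH") into 4 integers.
function parseVersion(v) {
  if (typeof v !== 'string' || !/^\d+(\.\d+){0,3}$/.test(v)) {
    throw new TypeError(`not a dotted numeric version: ${String(v)}`);
  }
  const parts = v.split('.').map(Number);
  while (parts.length < 4) parts.push(0); // pad short versions with zeros
  return parts;
}

// Compare numerically, component by component: returns -1, 0 or 1.
// A plain string comparison would wrongly rank "100.x" below "99.x".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// versions: an object shaped like Electron's process.versions.
// minChromium: lowest Chromium version carrying the fixes you require
// (chosen by the operator; this example does not know the real value).
function auditRuntime(versions, minChromium) {
  if (!versions || !versions.chrome) {
    // Plain Node.js has no bundled Chromium, so there is nothing to audit.
    return { status: 'not-electron', detail: 'no bundled Chromium reported' };
  }
  const outdated = compareVersions(versions.chrome, minChromium) < 0;
  const majorsBehind = Math.max(
    0, parseVersion(minChromium)[0] - parseVersion(versions.chrome)[0]);
  return {
    status: outdated ? 'outdated' : 'ok',
    electron: versions.electron || 'unknown',
    chromium: versions.chrome,
    required: minChromium,
    majorsBehind, // how many Chromium major releases the bundle lags
  };
}

// Constructed sample minimum, not tied to any real Mist or Chromium release.
const SAMPLE_MIN_CHROMIUM = '60.0.1000.10';
console.log(auditRuntime(process.versions, SAMPLE_MIN_CHROMIUM));
```

Run inside an Electron main or renderer process, the last line reports the application's own bundled versions; under plain Node.js it reports `not-electron`.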
An important reminder: Mist is still beta software, and you should treat it as such. The Mist Browser beta is provided on an "as is" and "as available" basis and there are no warranties of any kind, express or implied, including, but not limited to, warranties of merchantability or fitness for purpose.
Quick security checklist:
- Avoid keeping large amounts of ether or tokens in private keys on an online computer. Instead, use a hardware wallet, an offline device, or a contract-based solution (preferably a mix of these).
- Back up your private keys; cloud services are not the best option for storing them.
- Do not visit untrusted websites with Mist.
- Do not use Mist on untrusted networks.
- Keep your daily browser up to date.
- Keep track of your operating system and antivirus updates.
- Learn how to verify file checksums (link).
Finally, we would like to thank the security researchers who worked hard on reproducing the issue and made invaluable submissions through the Ethereum Bounty Program.
If you need additional information, contact: mist (at) ethereum dot org.
(We will update this message as the situation evolves).
@Evertonfraga Mist Team