The Results of Ignoring That Browser SSL Certificate Warning
This is in response to the following article: https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum
“But anyone who clicked through this certificate warning was redirected to a server in Russia, which proceeded to empty the user’s wallet. Judging by wallet activity, the attackers appear to have taken at least $13,000 in Ethereum during two hours before the attack was shut down. The attackers’ wallet already contains more than $17 million in Ethereum.”
Accepting invalid certificates is dangerous, and users that ignore the warnings end up with results like those mentioned above. This kind of attack can happen even if you don’t see a certificate warning if the attacker holds a valid certificate, or can convince you to accept a compromised certificate authority.
This is another one of those hacks that is exactly what DTRelay fixes!
DTRelay is a middleware that provides authentication without exposing client-side tokens where hacking occurs. DTRelay enhances the security of web and mobile apps while simultaneously making them easier to build. DTRelay Technology protects communication from a device (including mobile) to your company’s API, which is where hackers steal personal information.
What About Compromised Credentials
Only The Associated Relay Can Verify The Signature
With DTRelay, we are talking about true end-to-end communication and easily authorizing each machine in the communication chain. This allows your security team to know exactly which machines are talking to each other and seamlessly reject unauthorized requests.
To identify registered applications, API providers often require a consumer key/secret value to authorize requests. These values are used for every request on behalf of the application and compromise can let an attacker masquerade as the application.
With DTRelay, these credentials can be stored securely on the server, out of the reach of users. Moreover, OAuth tokens are stored in DTRelay and never sent to the client application, so DTRelay can be used as a security layer on top of OAuth2 to prevent the exposure of the access token during requests.
As an added benefit of using DTRelay to relay messages to APIs, the relay can also be used as a proxy server, allowing protected resources to remain behind internal firewalls with DTRelay as a single, exposed destination.
DTRelay Even Protects Images
● During initialization, the relay provides the client application with a secret
● We can use this secret value to encrypt image during transfer
● The relay decrypts the image and processes it as a standard upload
● This same technique is used to encrypt any “protected parameters” so that they are tamper-proof and undecipherable in-transit (even without SSL)