From 962dd93ebadcd7fa9080714313983e60f67ed69f Mon Sep 17 00:00:00 2001 From: anonimal Date: Wed, 26 Jun 2019 22:32:25 +0000 Subject: [PATCH 1/2] README: add beginnings of "Known Issues" Referencing https://hackerone.com/reports/592094 --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 3c4f5ac86..6c0b7c3e5 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,7 @@ Portions Copyright (c) 2012-2013 The Cryptonote developers. - [Release staging schedule and protocol](#release-staging-schedule-and-protocol) - [Compiling Monero from source](#compiling-monero-from-source) - [Dependencies](#dependencies) + - [Known issues](#known-issues) ## Development resources @@ -845,3 +846,10 @@ The output of `mdb_stat -ea ` will indicate inconsistenc The output of `mdb_dump -s blocks ` and `mdb_dump -s block_info ` is useful for indicating whether blocks and block_info contain the same keys. These records are dumped as hex data, where the first line is the key and the second line is the data. + +# Known Issues + +Because of the nature of the socket-based protocols that drive monero, certain protocol weaknesses are somewhat unavoidable at this time. While these weaknesses can theoretically be fully mitigated, the effort required (the means) may not justify the ends. As such, please consider taking the following precautions if you are a monero node operator: + +- Run `monerod` on a "secured" machine. If operational security is not your forte, at a very minimum, have a dedicated a computer running `monerod` and **do not** browse the web, use email clients, or use any other potentially harmful apps on your `monerod` machine. **Do not click links or load URL/MUA content on the same machine**. Doing so may potentially exploit weaknesses in commands which accept "localhost" and "127.0.0.1". +- If you plan on hosting a public "remote" node, start `monerod` with `--restricted-rpc`. This is a must. From b2813ab5e8f784ec77e2b12cb44b3c326c3f92fb Mon Sep 17 00:00:00 2001 From: anonimal Date: Thu, 4 Jul 2019 00:33:20 +0000 Subject: [PATCH 2/2] README: add blockchain-based issue to "Known Issues" Referencing https://hackerone.com/reports/417515 --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 6c0b7c3e5..049562e56 100644 --- a/README.md +++ b/README.md @@ -849,7 +849,17 @@ These records are dumped as hex data, where the first line is the key and the se # Known Issues +## Protocols + +### Socket-based + Because of the nature of the socket-based protocols that drive monero, certain protocol weaknesses are somewhat unavoidable at this time. While these weaknesses can theoretically be fully mitigated, the effort required (the means) may not justify the ends. As such, please consider taking the following precautions if you are a monero node operator: - Run `monerod` on a "secured" machine. If operational security is not your forte, at a very minimum, have a dedicated a computer running `monerod` and **do not** browse the web, use email clients, or use any other potentially harmful apps on your `monerod` machine. **Do not click links or load URL/MUA content on the same machine**. Doing so may potentially exploit weaknesses in commands which accept "localhost" and "127.0.0.1". - If you plan on hosting a public "remote" node, start `monerod` with `--restricted-rpc`. This is a must. + +### Blockchain-based + +Certain blockchain "features" can be considered "bugs" if misused correctly. Consequently, please consider the following: + +- When receiving monero, be aware that it may be locked for an arbitrary time if the sender elected to, preventing you from spending that monero until the lock time expires. You may want to hold off acting upon such a transaction until the unlock time lapses. To get a sense of that time, you can consider the remaining blocktime until unlock as seen in the `show_transfers` command.