Another way to put it: what is the root of trust for a full client on a network that has a potentially untrusted (or "owned") router+DNS?
As I was going through the Ethereum wiki semi-randomly, I came across this; it says:
"[...] it allows a node given only the last block, together with some assurance that the last block actually is the most recent block, to [...]".
Similarly, this says:
"[...] if a node receives a state root from a trusted source [...]".
I am trying to understand where that assurance comes from or why I should trust that source. I'm trying to figure out how much a knowledgeable attacker can do to me if he "owns" the DNS and/or router I am using.
The traditional protection against this is PKI. Yes, PKI is imperfect, there are too many CAs in the browser, lack of trust agility (I've read/watched many of Moxie Marlinspike's posts/talks), and several other issues, but for what it is worth, it is there, and under specific conditions, with the proper TLC, can do the job.
I just don't know what's the equivalent here, or even if there is one at all.
Edited to add:
I don't have enough rep to comment, but to Ethan: authenticated encryption prevents MITM only if you already know whom you are talking to; in this case we don't know that for sure. (Which is why I mentioned PKI as the thing to compare against, despite its flaws.)
To A. Frederick Dudley: thank you! "confirm the state root out of band" is what I was thinking; appreciate the confirmation.