Closed halibobo1205 closed 1 year ago
No problem bro
wow, this is as early as necessary
I couldn't agree more
Agree, but one question: if this proposal gets approved by the majority, how is this going to be enabled? By a new chain parameter, or by a mandatory node upgrade?
I think a mandatory upgrade is just fine, because it is security issues only.
@Jamestepfoward might be a small patch I guess
Although most people will not use these APIs, for some blockchain beginners these APIs will be more convenient. So as long as the interface exists, someone will use it, and exposing the private key is not conducive to account security, so it's better to remove them. Creating addresses locally and signing transactions locally should be promoted, but not by others.
Might be a silly question. Like m-o-m12 said, we use gettransactionsign locally all the time. By remove, do you mean remove this API completely or just for the public API? If the removal is permanent, what's the replacement if we want to use HTTP requests rather than modules and SDKs, say wallet-cli, the tronweb module, etc.?
@souppopnix I think using HTTP requests to sign with PK is always a bad idea. PK stealing and revealing are furious recently, and third-party services stopped the API a long time ago. It seems for now we have to go with the SDK and modules.
I couldn't agree more
Close this issue as it is implemented by GreatVoyage-v4.7.1.1(Pittacus)
Simple Summary
Propose to remove potentially vulnerable APIs.
Abstract
Previously some APIs could lead to the leakage of sensitive information, such as private keys. Although developers have been advised not to make remote calls to these APIs, I think it is better to remove the relevant APIs for security concerns and mitigate risks for developers.
Motivation
For network stability and user data security, I suggest deleting the relevant APIs.
Specification
The following APIs should be removed.
1. HTTP
2. gRPC
Rationale
TODO
Implementation
TODO