Workers Auto Approve
Host Validation (#GitCoin Funded)
We want to maintain a list of high priority sites (primarily crypto exchanges, wallets, and other important services) where we have a low tolerance for security changes.
One such change will be their host.
For a list of top sites, we should identify acceptable IP addresses (ideally the main static ones), and any other information about the hosting environment that can be validated programmatically. This discovery can happen server side and be published to a file in the repo for the client to read from.
In the event of a variation from that file, we should warn the user that there has been a change and we are still trying to validate the change.
**To claim this GitCoin bounty a contributor must:**
1. Create a proposed system with a framework for recording host information about a list of top crypto sites.
2. Build a well documented version of that system that can be merged into the main extension code without failing.
3. Successfully pass a review by two main contributors to the project.
4. Successfully pass automated tests of scraped domains.
5. Implement any refinements needed from the automated tests.
6. Be fully implemented into the new code with documentation for future maintainers.
If at any time the contributing developer cannot pass a stage of the review and integration process then a partial bounty or no bounty will be paid out.
**Other important considerations:**
* The implementation methods chosen should be ones that will work with the extension APIs in Chrome (and Chromium based browsers), as well as Firefox and Safari. Extra consideration will be given if the methods work in other browser environments, but support for Chrome, Firefox and Safari is the minimum requirement.
_Client Side Security:_
* As a security extension, we should keep as much of the code as possible on the client side of the extension. To justify server side communication, the protection to the user must be demonstrably greater by an order of magnitude, or impossible to achieve in a client side environment.
* If extensive scanning, or record keeping of domains is required, we should implement a light system within the extension client side. Then we should create a scanning server that does **not** directly communicate with clients. That scanning server could scan lists of domains gathered from top sites, and various crypto communities and update a database list within the extension.
* As we are dealing with a user's ability to load a page, we must prioritize speed. Our internal guideline is that any new process should aim to add less than 0.10 seconds to the average load time, or no more than 10% additional load time to the average page (whichever is greater). For each additional 0.10 seconds or 10% of load time, we must raise protection in some KPI by a measurable factor greater than one order of magnitude.
* There are multiple checks taking place within the extension. No new system implemented should directly conflict with those checks (i.e. no new system should automatically whitelist something that a check has already blocked, nor should any new system ignore a whitelist). Any implementation related to this issue must consider existing systems. Ideally, existing systems can be updated to include support for the automated scoring rules added in this issue.
* All implemented systems must respect the user whitelist and not override it, unless there has been a clear change since the whitelisting. Acceptable edge cases are things like the site being hosted on a new IP address, and the SSL certificate being invalid.
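As an added illustration of the system described above (the published host record file, the client-side comparison that warns on a variation, and the interaction with existing blocks and the user whitelist), here is example code that is not part of the extension or of this bounty. The record format, the `.example` domains, the TEST-NET IP addresses, the `observed` and `existing` object shapes, and the "clear change" rule of new IP plus invalid TLS are all assumptions chosen for this example.

```javascript
// Added example, not the extension's own code. Everything below is constructed:
// the record file shape, the domains, the IPs (RFC 5737 TEST-NET ranges) and the
// shape of the "observed" and "existing" inputs.

// What the file published into the repo by the server-side discovery job might
// look like once loaded client side: acceptable IPs and certificate issuer per domain.
const HOST_RECORDS = {
  "exchange.example": {
    ips: ["203.0.113.10", "203.0.113.11"],
    issuer: "Example CA",
    updated: "2019-01-01",
  },
  "wallet.example": { ips: ["198.51.100.5"], issuer: "Example CA", updated: "2019-01-01" },
};

// Compare what the client observed for a page load against the published record.
// Returns { status: "match" | "unknown" | "variation", reasons: [...] }.
// This is a synchronous in-memory lookup, so it adds no network round trip to the load.
function validateHost(records, domain, observed) {
  const record = records[domain];
  if (!record) return { status: "unknown", reasons: [] }; // not a tracked top site
  const reasons = [];
  if (!record.ips.includes(observed.ip)) {
    reasons.push(`ip ${observed.ip} not in published list`);
  }
  if (record.issuer && observed.issuer !== record.issuer) {
    reasons.push("certificate issuer differs from published record");
  }
  if (!observed.tlsValid) {
    reasons.push("TLS certificate invalid");
  }
  return { status: reasons.length ? "variation" : "match", reasons };
}

// Combine host validation with the extension's existing decisions.
//   existing: { blocked: boolean, whitelisted: boolean }   (constructed shape)
// Rules from the issue: never override an existing block; never override a user
// whitelist unless there is a clear change (here: new IP AND invalid TLS);
// on any other variation, warn that the change is still being validated.
function decide(records, domain, observed, existing = {}) {
  if (existing.blocked) {
    return { action: "block", reason: "an existing check already blocked this domain" };
  }
  const result = validateHost(records, domain, observed);
  if (result.status !== "variation") {
    return { action: "allow", reason: result.status };
  }
  if (existing.whitelisted) {
    const newIp = !records[domain].ips.includes(observed.ip);
    const clearChange = newIp && !observed.tlsValid;
    if (!clearChange) {
      return { action: "allow", reason: "user whitelist respected" };
    }
    return {
      action: "warn",
      reason: "host changed since whitelisting; change is still being validated",
      details: result.reasons,
    };
  }
  return {
    action: "warn",
    reason: "host differs from published record; change is still being validated",
    details: result.reasons,
  };
}

module.exports = { HOST_RECORDS, validateHost, decide };
```

The check only reads an already-loaded object, so its cost is a hash lookup per page load, well inside the 0.10 second budget; the expensive discovery of acceptable IPs stays on the server that publishes the file, in line with the client-side-first principle above.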