Auto merge of #1644 - str4d:826-reference-in-security-warnings, r=daira

Link to #826 in doc/security-warnings.md, link to new Security website page

Closes #826
pull/4/head
zkbot 8 years ago
parent
commit
ea4c08d43d
  1. 17
      doc/security-warnings.md


@ -4,7 +4,9 @@ Security Warnings
Security Audit
--------------
Zcash has been subjected to a formal third-party security review. For high priority security announcements, check https://z.cash.
Zcash has been subjected to a formal third-party security review. For security
announcements, audit results and other general security information, see
https://z.cash/support/security.html
x86-64 Linux Only
-----------------------
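Review bot: The rewritten sentence under "Security Audit" drops the "high priority" wording and the pointer to https://z.cash without saying whether urgent announcements now also appear on the support/security.html page. If that page is the single channel users should watch, say so explicitly, for example "For security announcements, including urgent ones, audit results ...". The added paragraph also ends on a bare URL with no closing period and no link markup, unlike the `[issue #826](...)` link added later in this same commit. Wrapping it as a Markdown link would keep the style consistent and avoid a trailing period being pasted into the URL.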
@ -79,7 +81,6 @@ Users should choose a strong RPC password. If no RPC username and password are s
Users should also refrain from changing the default setting that only allows RPC connections from localhost. Allowing connections from remote hosts would enable a MITM to execute arbitrary RPC commands, which could lead to compromise of the account running zcashd and loss of funds. For multi-user services that use one or more zcashd instances on the backend, the parameters passed in by users should be controlled to prevent confused-deputy attacks which could spend from any keys held by that zcashd.
Block Chain Reorganization: Major Differences
-------------------------------------------------
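Review bot: The header `-79,7 +81,6` says one line is removed here, but none of the visible RPC text changes, so this looks like a whitespace-only edit unrelated to the stated purpose of linking #826. Either drop it from this commit or mention it in the commit message, so that a later reader of the history for the RPC warning paragraph does not go looking for a content change.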
@ -95,3 +96,15 @@ The option `-debug=zrpc` covers logging of the z_* calls. This will reveal info
The option `-debug=zrpcunsafe` covers logging of sensitive information in z_* calls which you would only need for debugging and audit purposes. For example, if you want to examine the memo field of a note being spent.
Private spending keys for z addresses are never logged.
Potentially-Missing Required Modifications
------------------------------------------
In addition to potential mistakes in code we added to Bitcoin Core, and
potential mistakes in our modifications to Bitcoin Core, it is also possible
that there were potential changes we were supposed to make to Bitcoin Core but
didn't, either because we didn't even consider making those changes, or we ran
out of time. We have brainstormed and documented a variety of such possibilities
in [issue #826](https://github.com/zcash/zcash/issues/826), and believe that we
have changed or done everything that was necessary for the 1.0.0 launch. Users
may want to review this list themselves.
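Review bot: In the new "Potentially-Missing Required Modifications" section, the claim "believe that we have changed or done everything that was necessary for the 1.0.0 launch" is tied to one release and will read as a current assurance in later versions of this file. Consider dating it ("As of 1.0.0, we believe ...") so users can tell how old the assessment is. The closing sentence asks users to review issue #826 themselves but gives no indication of which items there were resolved and which remain open. A short note on the status of the list, or on what to look for, would make that advice actionable. The first sentence also stacks "potential mistakes", "potential mistakes" and "potential changes" with "it is also possible"; trimming the repeated "potential" would make it easier to read.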
