OpenLedger Security Risks

in #bitshares · 6 years ago

Introduction (skip if you are familiar with DEX gateways)

--

“What is a gateway?”: OpenLedger (abbreviated OL) is the biggest company operating continuously on the Bitshares platform. OL is a gateway that performs the function of custodian for non-bts-native assets. They issue certificate tokens with rights of withdrawal in exchange for custody of the original asset. The user may then trade this token for another asset. Even if the certificate has changed hands 10 times the gateway stands by a promise to redeem the original asset to the ultimate certificate holder upon demand.
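To make the custodian-and-certificate arrangement above concrete, here is an added toy model of the accounting a gateway performs (example code written for this page, not OpenLedger's or BitShares' software; the names `Gateway`, `deposit`, `transfer`, `redeem` and `lose_custody` are assumptions for illustration). It shows that the IOU token can change hands any number of times while custody stays put, that the final holder can still redeem, and what it means for the gateway to become insolvent when custody is lost.

```python
# Added example (not OpenLedger's code): a minimal model of gateway custody
# and IOU tokens. Every deposit of the external asset mints IOUs 1:1; trading
# moves IOUs between holders; redemption burns IOUs and releases custody.
from collections import defaultdict


class Gateway:
    """Holds an external asset in custody and issues redeemable IOU tokens."""

    def __init__(self, asset: str) -> None:
        self.asset = asset
        self.custody = 0                    # units of the real asset actually held
        self.balances = defaultdict(int)    # IOU tokens keyed by current holder

    def deposit(self, user: str, amount: int) -> None:
        """User hands the real asset to the gateway; the gateway mints IOUs."""
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.custody += amount
        self.balances[user] += amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        """IOUs change hands on the DEX; custody is untouched."""
        if self.balances[src] < amount:
            raise ValueError(f"{src} holds only {self.balances[src]} {self.asset} IOUs")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def redeem(self, holder: str, amount: int) -> int:
        """Whoever holds the IOU now may demand the original asset back.
        Returns the units released; fails if the gateway cannot pay."""
        if self.balances[holder] < amount:
            raise ValueError(f"{holder} holds only {self.balances[holder]} {self.asset} IOUs")
        if self.custody < amount:
            raise RuntimeError(f"cannot honour redemption: custody {self.custody} < {amount}")
        self.balances[holder] -= amount
        self.custody -= amount
        return amount

    def outstanding(self) -> int:
        """Total IOUs in circulation, i.e. the gateway's liability."""
        return sum(self.balances.values())

    def is_solvent(self) -> bool:
        """A gateway is solvent while custody covers every outstanding IOU."""
        return self.custody >= self.outstanding()

    def lose_custody(self, amount: int) -> None:
        """Simulate the gateway losing part of what it should be holding."""
        self.custody -= amount


def demo() -> dict:
    """Constructed scenario: one deposit, ten hand-offs, a partial redemption, a loss."""
    gw = Gateway("BTC")
    gw.deposit("alice", 100)
    holder = "alice"
    for i in range(10):                      # the certificate changes hands 10 times
        nxt = f"trader{i}"
        gw.transfer(holder, nxt, 100)
        holder = nxt
    released = gw.redeem(holder, 60)         # the ultimate holder redeems on demand
    solvent_before = gw.is_solvent()
    gw.lose_custody(30)                      # gateway loses 30 units it owed
    return {
        "final_holder": holder,
        "released": released,
        "solvent_before_loss": solvent_before,
        "solvent_after_loss": gw.is_solvent(),
        "outstanding": gw.outstanding(),
        "custody": gw.custody,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `is_solvent` is the one the review and the later announcement turn on: the IOU is only as good as the custody behind it, and nothing on the chain itself enforces that invariant for the gateway.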

--
This is an update to a review of the OpenLedger exchange platform by @murda-ra written almost one year ago – (https://steemit.com/cryptocurrency/@murda-ra/review-of-a-cryptocurrency-exchange-openledger-info). Here is the ranking from that review -

Ease of use - GRADE 8/10
Account/Transactions Security - GRADE 10/10
Hosting/Brand Security/Reputation - GRADE 3/10

The overall review was positive and recognized OpenLedger as the premier gateway on the BitShares decentralized exchange. The lowest grade, on hosting/brand security, was the result of a lack of DNS for the IP (a security no-no when dealing with value as large as what transacts on the DEX).

The review ends with this chilling passage:
“We strongly suggest use of this exchange. Except for a few hosting security leaks and ownership/domain validation that look a bit fishy, this is probably the best/most value-for-users exchange interface available in the cryptocurrency community. Let's hope they will show us stability, and prove me wrong on a few things.”

With this background we will turn to recent events and the following announcement from OL CEO Ronny Boesing over the weekend.

“ATTENTION please: To anyone normally using OpenLedger URLs, whether the domains bitshares.openledger.info or OpenLedger.io, to access the trading platform: we would highly recommend accessing your account via the bitshares domain https://wallet.bitshares.org/ until further notice. We have lost control of the above-mentioned domains, and are awaiting the domain provider to change access. Hackers have full access to the domain and SSL, so it’s not secure to use the openledger domain even if its URL is highlighted as trusted. There is phishing active. To anyone who got hacked: we advise changing your password and/or bin file; more details here: https://github.com/bitshares/bitshares-ui/wiki/Cloud-Wallet-Login-and-changing-password. Our team has started an investigation. We will be back with news soonest possible. Yours sincerely, OpenLedger Team.”
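The announcement makes a point worth drawing out: once someone else controls the domain's DNS, they can also obtain a valid certificate for it, so the browser padlock proves nothing about who is behind the site. The added example below (written for this page, not OpenLedger's code) is the kind of baseline check a defender or a cautious user can run: record what a hostname resolves to and which leaf certificate it presents, then compare later observations against that record. A changed fingerprint alone may be a routine renewal, but new addresses plus a new issuer alongside it is the takeover pattern. The hostname, addresses and certificate values are constructed placeholders, and `observe_live` (which needs network access) is shown but not exercised by the offline demo.

```python
# Added example, not OpenLedger's code: compare a domain's current DNS answers
# and TLS leaf certificate against a recorded baseline to spot a takeover.
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What a client observed for a hostname: IPv4 answers plus leaf-cert facts."""
    a_records: frozenset
    cert_sha256: str      # hex SHA-256 of the DER-encoded leaf certificate
    issuer_cn: str        # issuer common name on the leaf certificate


def observe_live(hostname: str, port: int = 443, timeout: float = 5.0) -> Snapshot:
    """Resolve the host and fetch its leaf certificate (needs network access)."""
    addrs = frozenset(ai[4][0] for ai in socket.getaddrinfo(hostname, port, socket.AF_INET))
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            parsed = tls.getpeercert()
    # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of (type, value) pairs
    issuer = {k: v for rdn in parsed.get("issuer", ()) for k, v in rdn}
    return Snapshot(addrs, hashlib.sha256(der).hexdigest(), issuer.get("commonName", ""))


def compare(baseline: Snapshot, current: Snapshot) -> list:
    """Return a list of human-readable findings; empty means nothing changed."""
    findings = []
    new_ips = current.a_records - baseline.a_records
    if new_ips:
        findings.append(f"A records changed: unexpected {sorted(new_ips)}")
    if current.issuer_cn != baseline.issuer_cn:
        findings.append(f"issuer changed: {baseline.issuer_cn!r} -> {current.issuer_cn!r}")
    if current.cert_sha256 != baseline.cert_sha256:
        findings.append("leaf certificate fingerprint changed")
    return findings


def verdict(findings: list) -> str:
    """ok: unchanged; warn: only the cert changed (plausible renewal, confirm out
    of band); alert: addresses or issuer changed, so distrust the padlock."""
    if not findings:
        return "ok"
    if len(findings) == 1 and findings[0].startswith("leaf certificate"):
        return "warn"
    return "alert"


# Constructed data (TEST-NET addresses, made-up certificates), not real observations.
GOOD_CERT = hashlib.sha256(b"constructed good leaf cert").hexdigest()
RENEWED_CERT = hashlib.sha256(b"constructed renewed leaf cert").hexdigest()
ROGUE_CERT = hashlib.sha256(b"constructed rogue leaf cert").hexdigest()
BASELINE = Snapshot(frozenset({"203.0.113.10"}), GOOD_CERT, "Example Issuing CA")
RENEWED = Snapshot(frozenset({"203.0.113.10"}), RENEWED_CERT, "Example Issuing CA")
HIJACKED = Snapshot(frozenset({"198.51.100.7"}), ROGUE_CERT, "Example Other CA")


def demo() -> dict:
    """Verdicts for an unchanged site, a routine renewal, and a hijacked domain."""
    return {
        name: verdict(compare(BASELINE, snap))
        for name, snap in (("same", BASELINE), ("renewed", RENEWED), ("hijacked", HIJACKED))
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In practice the baseline would be recorded while the domain is known to be in the right hands and compared on a schedule; an "alert" is exactly the situation in which to switch to an alternate, independently controlled domain such as the one the announcement recommends.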

Recognizing that running a critical business at scale is a challenging proposition, this author attributes a good-faith effort to the OL team in safeguarding customers’ assets. However, one benefit of an immutable blockchain is that individuals can excavate ideas and warnings from long ago. It appears @murda-ra’s foresight was 20/20 on the risks of OL’s technical operations.

Has anyone here been affected by the OL domain being compromised? I would like to hear your thoughts and experiences in the comments below.


The OL disaster was a bit of a shocker for me during the weekend. The truth is that I never knew of this background weakness and this is the first time I have heard about it.

Although there were plenty of people here in my feed making fun of OL for allowing this to happen, I on the other hand felt more than a little worried. Maybe it's my protective instinct, but whenever something like this happens it makes me feel that the credibility of the whole cryptosphere suffers.

We are not interested in making fun of anyone working on the BTS platform. People's hard-earned capital is at stake here. It is definitely concerning, you are right. But this controversy proves the value of decentralization, which BTS has in spades!

As of this morning, OL-issued assets are suspended for trading.
[Screenshot, 2018-06-03 09:35: OL-issued assets shown as suspended for trading]

This would be disastrous on a centralized exchange like Coinbase. However, bitsharians can simply migrate trading to another gateway (GDEX, CryptoBridge, Rudex) for business as usual.

Thanks for taking the time for sharing this man. Of course I know that you were actually posting this on a serious note. I was actually referring to some other people I have been following for the news in the OpenLedger.

And yes, that is definitely the advantage for the people using the BitShares backbone. On a centralized exchange, not only would the directly affected assets have been frozen, but people would also have lost the ability to control their funds, without a reasonable time frame or updates for it. This way the market for the asset is also less affected.

@john-robert, thanks for the handful of information given prior to the change in the domain name of the OL site. I personally have been having issues in this regard, but now I am relieved.

The cliche is that hackers are geniuses. That's not true, hackers are generally stupid.

The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept.

Dear All, I sympathize with those users who were affected by the recent hosting provider’s account breach. Though it wasn’t our fault that credentials of some OpenLedger DEX wallets were stolen, resulting in lost crypto assets, I couldn’t stay still. Starting from July 2, our trading platform will launch the Reimbursement Program for such users. Read more in the official announcement at https://dex.openledger.io/access-issue-ol-reimbursement-program. Yours sincerely Ronny Boesing, CEO, OpenLedger ApS.

great step to see, thank you @bloggerclub Ronny

Thank you @bloggersclub for the swift response. I know many people appreciate this gesture and I am sure this will go a long way toward maintaining trust between BitShares users and the OpenLedger gateway service.

I encourage everyone to read the OL announcement linked above - I believe it strikes a fair balance between maintaining the tenets of decentralization (individual responsibility) and OL's responsibility to provide fair and transparent service.

Thanks @john-robert.
The security of a site is very important for the convenience of the user, especially if it is a crypto exchange site.
Sites such as these are targeted by hackers, therefore the hosting and DNS should also be assured of their security.

@john-robert, I have been monitoring your blog on Steemit and you give out many useful tips about BitShares. I just followed you to gain more knowledge and info. Also, thanks for the security alert you have just sent out at the right time to curb many from being victims of the fraudsters.



I am Chinese, so does the certificate mean bitCNY to me?

I'm not sure what you mean, but you can trade bitCNY on the BitShares exchange.
