Someone fixed it and now it is correct. We are place #19.
Rocket.chat?
Slack is industry standard. 21 uses it, slock.it uses it. Why does LSK not use it?
Some people believe in owning their data instead of relying on a third party.
That's one reason. The other is that on Slack only the last 10,000 messages will be saved. If you have 1000 users you will always end up with empty rooms.
In fact our chat already has nearly 900 users and over 20,000 messages.
Now that you've brought up the subject, is there a Developer's Guide?
https://lisk.io/documentation?i=lisk-docs/README
I'm a full stack developer and an early investor (2nd week). I like Lisk because of JavaScript as the main language. I have just started looking at dapp development and noticed some serious security concerns with it.
My understanding of dapps is (correct me if I'm wrong): a dapp is a hostable component that exposes an external HTTP API and is capable of doing some transactions (withdrawals and deposits). Every dapp can be hosted within some sidechain. Users can access dapp functionality through the exposed API by passing their secret and the transaction info. It means you have to pass your pass phrase to every dapp you want to do a transaction with, let's say a withdrawal (paying the dapp owners).
Apple, Microsoft, and Google stores are centralized. Every app has to go through a rigorous review process before getting published in the stores (I published a few apps in the Google and Windows stores). The review process mainly includes scanning for malicious code that exposes the user's phone to external attackers.
Situation 1:
Lisk has no such review process, but the code can be viewed by others. Let's say a dapp includes some malicious code that records pass phrases somewhere (not in the dapp); lisk-cli just creates a foundation base for dapp development and users extend it with their own API. How does Lisk prevent users from accessing the dapp and remove it from the store if malicious code is found?
Situation 2:
Lisk dapps and their sidechains can be hosted by third-party entities. Let's say the owner sets up two VMs: one with the actual sidechain with clean dapp code internally, and a reverse proxy installed on another VM (that sits on the external endpoint and forwards requests to the internal VM hosting the dapp). The reverse proxy receives the request from the user first, records the pass phrase, and then forwards the same request to the internal VM without modifying the request headers.
Situation 3:
Man in the middle attacks.
If the dapp owner is not hosting the sidechain with SSL, how does Lisk ensure user data is not compromised?
Just wondering how Lisk handles these situations and prevents owners from misusing pass phrases. Last year I encountered a similar issue with NXT and lost around 10K coins. I used a remote NXT web node to check my transactions frequently. I suspect they recorded my pass phrase and transferred my 10K to their account.
I think users shouldn't be forced to send pass phrases to dapp owners; it's like sending your BTC private keys to others.
@ 1: We are in a decentralized environment. Any kind of censoring by the devs will hurt lisk. The only way is a reputational... removing malicious code will probably not be possible. But who knows, maybe the reputation system can offer that.
Ok, I agree, but this doesn't mean the system should be infected with all malicious dapps. Reputation-wise it's not good. Still, the dapp has to communicate with the mainnet to keep consistency. I think the Lisk mainnet holds meta information about each dapp. This should be enough to record info about the dapp. Now the question is how to warn the user about that particular malicious dapp.
I'm thinking of a few alternatives, will present them in coming posts.
@ 2+3: You don't need to send your password to the server hopefully. You also don't have to do that in NXT. Just the frontend needs it.
I think the dapp UI asks for the pass phrase and passes the same to the server through an API call or HTTP POST. That's enough to capture the pass phrase. It's not like the dapp UI (client side) is directly talking to the mainnet. It doesn't matter whether it's the UI or the API, all should go through HTTP endpoints on the server.
Please head to our forum, there were some discussions already and we are open to discussing it there. It just can't be answered in a good way in this thread.
http://forum.lisk.io/viewforum.php?f=13
If someone posts it there, I will answer as soon as possible.
Just very quick: Yes, there are some security issues right now. Especially involving the passphrase in dapps. Devs can either send the passphrases via an API through the network, or directly sign the transactions locally. The second option is more secure and our recommended way, but also slightly more complicated.
Long-term we want that the user will send/receive LISK from the Lisk UI into/from a sidechain. We will concentrate on various security related issues in the beginning. As I wrote above, please join us on our forum. I think you would be a great asset to the discussions!