Link to #826 in doc/security-warnings.md, link to new Security website page
Closes #826
This commit is contained in:
parent
489f1d38ee
commit
9e044e509e
|
@ -4,7 +4,9 @@ Security Warnings
|
||||||
Security Audit
|
Security Audit
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
Zcash has been subjected to a formal third-party security review. For high priority security announcements, check https://z.cash.
|
Zcash has been subjected to a formal third-party security review. For security
|
||||||
|
announcements, audit results and other general security information, see
|
||||||
|
https://z.cash/support/security.html
|
||||||
|
|
||||||
x86-64 Linux Only
|
x86-64 Linux Only
|
||||||
-----------------------
|
-----------------------
|
||||||
|
@ -79,7 +81,6 @@ Users should choose a strong RPC password. If no RPC username and password are s
|
||||||
|
|
||||||
Users should also refrain from changing the default setting that only allows RPC connections from localhost. Allowing connections from remote hosts would enable a MITM to execute arbitrary RPC commands, which could lead to compromise of the account running zcashd and loss of funds. For multi-user services that use one or more zcashd instances on the backend, the parameters passed in by users should be controlled to prevent confused-deputy attacks which could spend from any keys held by that zcashd.
|
Users should also refrain from changing the default setting that only allows RPC connections from localhost. Allowing connections from remote hosts would enable a MITM to execute arbitrary RPC commands, which could lead to compromise of the account running zcashd and loss of funds. For multi-user services that use one or more zcashd instances on the backend, the parameters passed in by users should be controlled to prevent confused-deputy attacks which could spend from any keys held by that zcashd.
|
||||||
|
|
||||||
|
|
||||||
Block Chain Reorganization: Major Differences
|
Block Chain Reorganization: Major Differences
|
||||||
-------------------------------------------------
|
-------------------------------------------------
|
||||||
|
|
||||||
|
@ -95,3 +96,15 @@ The option `-debug=zrpc` covers logging of the z_* calls. This will reveal info
|
||||||
The option `-debug=zrpcunsafe` covers logging of sensitive information in z_* calls which you would only need for debugging and audit purposes. For example, if you want to examine the memo field of a note being spent.
|
The option `-debug=zrpcunsafe` covers logging of sensitive information in z_* calls which you would only need for debugging and audit purposes. For example, if you want to examine the memo field of a note being spent.
|
||||||
|
|
||||||
Private spending keys for z addresses are never logged.
|
Private spending keys for z addresses are never logged.
|
||||||
|
|
||||||
|
Potentially-Missing Required Modifications
|
||||||
|
------------------------------------------
|
||||||
|
|
||||||
|
In addition to potential mistakes in code we added to Bitcoin Core, and
|
||||||
|
potential mistakes in our modifications to Bitcoin Core, it is also possible
|
||||||
|
that there were potential changes we were supposed to make to Bitcoin Core but
|
||||||
|
didn't, either because we didn't even consider making those changes, or we ran
|
||||||
|
out of time. We have brainstormed and documented a variety of such possibilities
|
||||||
|
in [issue #826](https://github.com/zcash/zcash/issues/826), and believe that we
|
||||||
|
have changed or done everything that was necessary for the 1.0.0 launch. Users
|
||||||
|
may want to review this list themselves.
|
||||||
|
|
Loading…
Reference in New Issue