Defensive Security

Why did Bybit hack happen? How could we effectively prevent such hack to happen again? In retrospect, there were at least two broken layers that lead to the catastrophe: (1) Safe Wallet frontend did not use Subresource Integrity in web app[1] (2) Bybit signers did not keep and check the web3 smart contract address.

This security browser app aims to check every trust layer of a web app, for example[2]:

• whois, domain name lookup
• https certificate, chain of trust
• website, integrity...
• web3 smart contract, code or audit
• web3 wallet

to ensure the functionality works as expected, not getting hacked or manipulated.

By investigating the security layers, we will also release research reports with these findings, propose solutions and participate in the corresponding internet governance, e.g., ICANN, IETF, W3C, etc.

Refs:

• [1] https://x.com/evilcos/status/1894794067403513876
• [2] https://speakerdeck.com/denkeni/defensive-security

The defensive web browser app itself has to prove itself secure. Every user should be able to easily build from source. That’s why we chose Swift Playground as the developing platform, and optionally distributed through App Store channel with Apple’s code signing and validation. Besides, every commit of source code in the Git version control is signed for authenticity (my GPG key ID: 0A67BF2F5CC9712A).

While people may think of building a desktop web browser extension, it’s impossible to build a robust security model on it. Many browser extensions are granted permissions to read and modify webpages, and couldn’t be monitored by another browser extension. Same logic applied to application apps, which means a security (or antivirus) software requires root privileges to monitor other applications.

So we decided to build a web browser app on iOS platform, list all security and trust layers, and manage risks on each layer.

There has been several early findings that make things hard to be secure, for example, whois domain name lookup often redacts information of registrant, even for legal companies. We need to combine more information from multiple trust layers to verify the legitimacy of a domain name.

We expect to implement multiple partner technologies to verify the security layers, such as using different RPC endpoints to verify ENS or World ID identities on the blockchain. That’s one of the best security measures that only decentralized web offers.

Refs:

• [1] https://support.apple.com/en-ca/guide/security/sec7c917bf14/web