- Implementation:
- M-of-n parties deterministically compile web interface bundle and sign it
- Interface installs service worker mandates all future updates are
- signed with m-of-n valid keys certified by a pinned CA
- newer timestamp than current version
- Protections
- Compromised insider tampering with frontends
- BGP attacks
- DNS takeover
- TLS MITM
- Resources
- Implementation:
- Collect WebAuthn public keys for one or more devices for all users
- External Authenticators: Yubikey, Nitrokey, Ledger, Trezor, Solokey, etc.
- Platform Authenticators: iOS 13+, Android 7+, Windows Hello, many Chromebooks
- Certify Webauthn public keys with trusted enclave
- Webauthn sign all impacting web requests like trades and transfers
- Private key enclaves validate request signatures before signing trades and transfers
- Protections:
- Compromised insider tampering with backends
- TLS MITM
- Resources:
- Implementation
- Collect and certify asymmetric public keys from all engineers
- Have all engineers locally sign all code commits and reviews
- Multiple independently managed CI/CD systems are deployed
- CI/CD systems deterministically build only validly signed commits/reviews
- CI/CD systems sign resulting artifacts with well known/pinned keys
- Production systems only deploy artifacts signed by multiple CI/CD systems
- Protections
- Compromised insider impersonates commit as another engineer
- Compromised insider injects malicious code, bypassing review controls
- Compromised CI/CD system tampers with artifact generation
- Resources:
- Implementation
- Collect and pin asymmetric pubic keys from all code reviewers
- Review all third party dependencies used in transfer-critical codebases
- Have all reviewers sign reviews with certified public keys
- Publish reviews in well documented format to help crowd-source efforts
- Have CI/CD fail production builds when un-reviewed deps are present
- Protections
- Obvious malicious code injected into external software library-
- Resources:
- Implementation
- Multiple parties compile deterministic airgap OS and firmware
- Multiple parties sign airgap os/firmware artifacts
- New laptop acquired by multiple parties
- Trusted firmware loaded, verifying signed hash with existing firmware
- CA key pinned into firmware, and external TPM verification device
- Laptop stored in highly tamper evident vault requiring multiple parties for access
- Laptop firmware verifies multi-party signature on flash-drive iso and any scripts
- Participants verify date and ensure it is the latest and expected version
- Protections
- Tampering by any single compromised insider
- Tampering by any single compiler or build system
- Resources: