[tbb-dev] A proposal for stopping users from copying potentially-edited cryptocurrency addresses

Tom Ritter tom at ritter.vg
Thu Mar 14 11:22:33 UTC 2019


We discussed this at the monthly Tor/Mozilla meeting.

Nick suggested we think more critically about ways this can be
bypassed. For example, the website could change the address to a QR
code, requiring the user to scan it with their phone. Even if we
detected QR codes, they could build a QR code out of carefully placed
<div> elements.

We think the proposal still has value, but it's definitely lessened.
Arthur expressed interest in potentially putting it into Firefox.

We also investigated, and discovered that this feature appears like it
could be built entirely using Web Extension APIs[0], meaning it could
be built for Tor Browser and Firefox simultaneously, as well as
integrate nicely with Firefox's past experimentation approach.

-tom

[0] On Firefox at least; I don't think Chrome exposes an API to get
the page's TLS certificate

On Thu, 7 Mar 2019 at 05:40, Tom Ritter <tom at ritter.vg> wrote:
>
> The second of three proposals.
>
> This one basically stops the user from copying a cryptocurrency
> address to the clipboard if the address was delivered in a way the
> exit node could have tampered with it.
>
> -tom
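
The check discussed in this thread, sketched as WebExtension content-script logic. This is an added example, not part of the original messages and not Tor Browser or Firefox code. The function names, the shape-only address patterns (no checksum validation), and the rule that plain http:// to a non-.onion host counts as tamperable are assumptions; TLS certificate inspection is not modelled.

```javascript
// Added example: hypothetical content-script logic, not Tor Browser code.
// Shape-only patterns, constructed for illustration (no checksum validation).
const ADDRESS_PATTERNS = [
  { kind: "bitcoin-base58", re: /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/ },
  { kind: "bitcoin-bech32", re: /\bbc1[02-9ac-hj-np-z]{11,71}\b/ },
  { kind: "ethereum", re: /\b0x[0-9a-fA-F]{40}\b/ },
];

// Return the kind of the first address-shaped string in text, or null.
function findAddress(text) {
  for (const { kind, re } of ADDRESS_PATTERNS) {
    if (re.test(text)) return kind;
  }
  return null;
}

// Assumption: the exit node could have tampered with the page only when it
// was fetched over plain http:// from a non-.onion host. Onion-service
// traffic does not pass through an exit node.
function exitCouldTamper(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === "https:") return false;
  if (u.hostname.endsWith(".onion")) return false;
  return u.protocol === "http:";
}

// Decide whether copying selectedText from pageUrl should be blocked.
function shouldBlockCopy(selectedText, pageUrl) {
  const kind = findAddress(selectedText);
  return { block: kind !== null && exitCouldTamper(pageUrl), kind };
}

// Register the handler only when a DOM is present (i.e. in a content script).
if (typeof document !== "undefined") {
  document.addEventListener("copy", (event) => {
    const text = String(document.getSelection());
    if (shouldBlockCopy(text, location.href).block) {
      event.preventDefault(); // nothing is written to the clipboard
    }
  }, true);
}
// Limitation raised in the thread: an address rendered as a QR code (an image
// or a grid of <div> elements) never reaches the copy event, so it is not seen.
```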

