Important security note about Steemit Witness setup

in #steem, 6 years ago (edited)

In my journey to set up a witness node, I found an important security issue that I would like to share with anyone who intends to become a witness or already is one.

A lot of tutorials direct you to set up a cli_wallet by connecting to a third-party RPC node. Ignore these parts.

This is one big Don't do it.

By doing so, you are possibly compromising your security.

From examining a local node, the cli_wallet unlocks are transmitted to nodes; your key gets decrypted and handled by the account_by_key plugin in order to operate your wallet.

  • Never, ever use the same wallet password as the password for your steemit account
  • If you did so, change your Steemit password, as it will automatically regenerate your active key.

The only secure way to become a Witness without compromising security is to connect your cli_wallet to a local seed node that accepts RPC connections on localhost / local network only.

Make sure your seed node accepts RPC on localhost, or on an interface that's exposed to the local network only. Example:

rpc-endpoint = 127.0.0.1:8090
rpc-tls-endpoint = 127.0.0.1:8091

  • Never, ever set your "unlock" password to be the same as the one for your steemit account
  • Always connect your cli_wallet to your local node. Example: ./cli_wallet -s wss://127.0.0.1
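
One way to check both settings above, as an added example that is not part of the original post: this Python sketch reads config text for the two RPC keys shown and classifies each listener address, and does the same for the URL given to cli_wallet -s. The sample config, the function names and the "loopback" / "private" / "not-local" labels are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

RPC_KEYS = ("rpc-endpoint", "rpc-tls-endpoint")  # the two keys shown in the post

def classify_host(host):
    """Classify an IP literal or hostname as 'loopback', 'private' or 'not-local'."""
    host = host.strip("[]")
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "not-local"      # a DNS name cannot be proven local without resolving it
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:       # 0.0.0.0 / :: listen on every interface
        return "not-local"
    return "private" if ip.is_private else "not-local"

def audit_config(text):
    """Return (key, value, verdict) for every RPC listener found in config text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in RPC_KEYS:
            host = value.rsplit(":", 1)[0]    # endpoint format is host:port
            findings.append((key, value, classify_host(host)))
    return findings

def wallet_target(url):
    """Classify the host of the URL passed to cli_wallet -s."""
    return classify_host(urlsplit(url).hostname or "")

# Constructed sample config: one listener on all interfaces, one on loopback.
SAMPLE_CONFIG = """
rpc-endpoint = 0.0.0.0:8090
rpc-tls-endpoint = 127.0.0.1:8091
"""

if __name__ == "__main__":
    for key, value, verdict in audit_config(SAMPLE_CONFIG):
        print(f"{key:18} {value:18} {verdict}")
    print("wallet target:", wallet_target("wss://127.0.0.1"))
```

Any listener or wallet target reported as "not-local" is one to change before unlocking the wallet.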

If you are wondering how it happens that Steemit whales get compromised from time to time, this could be one of the attack vectors. The remote node logs can be abused to gain unauthorized access; therefore, host your own.

Looking forward to opinions and experiences from more advanced users in the comments. I am in the process of fully re-syncing my RPC node. If this article results in some interest, I will create another one with screenshots of what's transmitted and what ends up in the RPC node log, both in images and TCP dumps.

Stay safe.