Approximately a month ago, community member Embellished Tangible Darklingbeetle mentioned that browsing https://audius.co/ in the Web3 browser of the Status mobile app is not permitted, and causes the following error message to appear:
This site is blocked
We detected potential malicious activity from this address. To protect you and your wallet, we’re preventing further navigation.
If you think this is an error, let us know in the #status public chat.
I tested this in the following browsers on my iPhone, and was unable to reproduce the error.
This leads me to believe that the Web3 browser in Status is detecting what it considers to be malicious behavior on the fly, or Status maintains some sort of URL blacklist which I’m concerned may be private (and thus would be in conflict with principle V, transparency). If it’s leveraging a third-party list, no other Web browser I could find is using it.
I raised this issue in the #support public chat in the Status app, but haven’t heard anything back yet… so I’m creating this thread to track updates. My most pressing concern about this behavior is that users can’t bypass the error/warning, effectively censoring the site in violation of principle II (censorship resistance). I’m unaware of any other URLs which trigger this behavior, and would appreciate hearing from anyone who is aware of any.
This makes me wonder if the library is working as intended, or if the Status mobile app includes an older version. The list of domains that it appears to reference is at the URL below (though I don’t know if it checks internally or externally for it), and audius.co is in the “whitelist” section of the JSON:
I verified that etherclassicwallet.com (from the “blacklist” section of the JSON) generates the same error in the Web3 browser in the Status mobile app. More confusingly, however… I entered a number of other domains from the “whitelist” section such as auctia.io and crypto.games, and many (but not all!) of them generated the “site is blocked” error in the Web3 browser in the Status mobile app.
Yeah, the npm library was last updated 2 months ago, and “audius.co” is still not in the latest npm package. Dunno if we have to use the latest master instead, or have our own list, or not have any lists at all? @petty @hester @andre
This sounds like the best option to me. We for sure don’t want to block, but we do want to inform from a security perspective. I’d love to know the criteria for the blacklist. If they are established, measurable security criteria, it makes sense to use it. If there are any arbitrary criteria, we might want to look at alternatives like user-generated flags.
@0kok0k any thoughts on managing domain security checks?
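As an added illustration (not code from Status or from the maintainers of the list discussed above), here is a small Python domain checker with the whitelist-over-blacklist precedence the thread assumes, plus a comparison that reports which whitelist entries a stale bundled copy lacks, the npm-vs-master mismatch raised earlier. The list contents, version numbers and function names are constructed for the example.

```python
import json

# Constructed sample in the whitelist/blacklist JSON layout the thread describes.
# Hypothetical content, not the real list; audius.co sits in "whitelist" as reported.
UPSTREAM_JSON = """{
  "version": 2,
  "whitelist": ["audius.co", "auctia.io", "crypto.games"],
  "blacklist": ["etherclassicwallet.com"]
}"""

# A stale bundled copy (constructed), as when an npm release lags the repository master.
BUNDLED_JSON = """{
  "version": 1,
  "whitelist": ["auctia.io"],
  "blacklist": ["etherclassicwallet.com"]
}"""

def load_lists(text: str) -> dict:
    """Parse the JSON and normalise entries (lowercase, no trailing dot); missing keys become []."""
    data = json.loads(text)
    for key in ("whitelist", "blacklist"):
        data[key] = [e.lower().strip(".") for e in data.get(key, [])]
    return data

def _matches(host: str, entry: str) -> bool:
    """True if host equals entry or is a subdomain of it (app.audius.co matches audius.co).
    Matching is label-based, so notaudius.co does NOT match audius.co."""
    h, e = host.lower().strip(".").split("."), entry.split(".")
    return len(h) >= len(e) and h[-len(e):] == e

def check_domain(host: str, lists: dict) -> str:
    """Whitelist wins over blacklist; anything unlisted is 'unknown' and should only warn."""
    if any(_matches(host, e) for e in lists["whitelist"]):
        return "allowed"
    if any(_matches(host, e) for e in lists["blacklist"]):
        return "blocked"
    return "unknown"

def stale_whitelist_entries(bundled: dict, upstream: dict) -> list[str]:
    """Whitelist entries present upstream but missing from the bundled copy: sites the
    bundled build cannot vouch for, which is the version mismatch the thread is chasing."""
    return sorted(set(upstream["whitelist"]) - set(bundled["whitelist"]))

if __name__ == "__main__":
    upstream, bundled = load_lists(UPSTREAM_JSON), load_lists(BUNDLED_JSON)
    for host in ("audius.co", "app.audius.co", "etherclassicwallet.com", "example.org"):
        print(f"{host:25} upstream={check_domain(host, upstream):8} bundled={check_domain(host, bundled)}")
    print("whitelist entries the bundled list lacks:", stale_whitelist_entries(bundled, upstream))
```

Comparing the bundled list against upstream this way turns the "is the app shipping an old list?" question into a check that can run in CI before a release.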