Securing MPC by enforcing UI verification in Curv’s infrastructure

Yaron Benari
Dec 9, 2020

At Curv, we are constantly innovating to eliminate attack vectors that may arise, both internal and external, to ensure our clients can confidently scale their digital asset operations in a secure and reliable fashion. Today, Curv proudly unveils the latest security feature to help institutional customers feel even safer about their digital assets and how they are managed and accessed.

User interfaces are more vulnerable than we tend to think

An attacker who is able to control what a user sees and interacts with can cause devastating outcomes for an institution. Some would say that Cross-Site Scripting (XSS) is the main threat to a user interface. XSS occurs when a developer trusts external input without checking it first, which lets an attacker run their own script in the user’s browser. Some modern frameworks like React protect users against XSS attacks by requiring developers to explicitly permit dangerous uses of external sources. However, even with today’s XSS-proof websites, any attacker who manages to gain control of the server that serves the static assets (such as HTML and JavaScript files) has more control than you think.

Because the user interface contains logic, it makes requests and can use a client’s authentication tokens to invoke any API call on behalf of the user. For example, an attacker might present a UI which shows the user a notification that reads, “You are about to transfer 100 BTC to your bank”. However, the API call triggered thereafter instead transfers the 100 BTC to the attacker. In essence, this could lead to the user interface making privileged calls to Curv’s server as if the user had authorized them. All of this takes place without the user noticing the malicious activity.

Cryptography is “key”

At Curv, we always strive to ensure our product offers users the most genuine experience possible. We deliver on our commitment to provide clients with the security and reliability they need across all their digital assets. While Curv’s solution protects both client machines and Curv’s servers from being compromised, it is equally important to ensure that a server security breach will not cause any unwanted operations across client permissions.

Curv’s secure UI solves this problem by assuring all permissions have been originated and approved by Curv and no one else.

What’s already being done to secure user interfaces?

One of the technologies used worldwide to secure web content is Subresource Integrity (SRI). SRI allows the browser to validate the content that a page loads in order to render what you see and interact with. While it does make sure some of the content you see is authentic, it does not promise that the base page that requests those subresources is authentic. For example, let’s say “index.html” is requested from the server. The page then requests the SRI-enforced “main.js” and applies it to the page. If “main.js” was compromised and “index.html” wasn’t, the browser would prevent “main.js” from being loaded, hence preventing the attack. If an attacker was able to modify the content of the “index.html” file, however, SRI would not prevent it from being rendered. So in theory, as long as SRI is in place, the first renderable page is the one that needs to be verified.

Another technology used to secure website content is Content Security Policy (CSP). CSP allows developers to instruct the client’s browser to only trust sources from specific domains. If implemented correctly this eliminates the threat of XSS attacks. However, it still does not secure the user from a compromised content server, since the server itself delivers the policy and can set whatever policy it wants.

How does Curv solve the problem

Curv’s desktop application, as well as the container, acts as a proxy to its backend servers. Every request dispatched by the user is directed to Curv’s application, which then handles the request as needed. It is critical that Curv secure these requests. Therefore, any request sent through the proxy is monitored to ensure the response is authentic. We use this to enforce strict security measures, including TLS Certificate Pinning. In addition, this allows us to intercept each request to a static resource, such as “index.html”, and validate the authenticity of its content using an embedded public key.

Unlike the TLS private key, which is used to secure the communication channel and must be accessible to the server, the key used to sign static resources is protected by a Hardware Security Module (HSM) and only accessible by a dedicated machine during the deployment process.
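The gap that SRI leaves on the base page, and the proxy-side signature check that closes it, as an added example that is not Curv's code. It assumes an Ed25519 signing key (generated in memory here in place of the HSM-held key); the function names and sample files are constructed for illustration.

```javascript
// Added illustration: hypothetical names, constructed sample data.
const crypto = require('node:crypto');

// Deployment side (assumption): Ed25519 key pair. In the design described
// above the private half stays in an HSM; it is generated here so the
// example runs offline. The public half is what the client would embed.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const sriHash = (body) =>
  'sha256-' + crypto.createHash('sha256').update(body).digest('base64');

// Constructed release: index.html pins main.js with SRI, then gets signed.
const mainJs = 'console.log("transfer form");';
const indexHtml =
  `<script src="main.js" integrity="${sriHash(mainJs)}"></script>`;
const indexSig = crypto.sign(null, Buffer.from(indexHtml), privateKey);

// What the browser's SRI check does: compare the fetched subresource
// against the hash found in whatever base page it was handed.
function sriAccepts(html, scriptBody) {
  const m = /integrity="([^"]+)"/.exec(html);
  return m !== null && m[1] === sriHash(scriptBody);
}

// What the proxy does: verify the base page against the embedded key
// before releasing it to the renderer. Fails closed on malformed input.
function proxyAccepts(body, signature, embeddedKey) {
  if (!Buffer.isBuffer(signature) || signature.length !== 64) return false;
  return crypto.verify(null, Buffer.from(body), embeddedKey, signature);
}

// A compromised static server swaps main.js, with or without index.html.
function scenarios() {
  const evilJs = 'console.log("attacker form");';
  const evilHtml =
    `<script src="main.js" integrity="${sriHash(evilJs)}"></script>`;
  return {
    sriBlocksTamperedScript: !sriAccepts(indexHtml, evilJs),
    sriFooledByTamperedPage: sriAccepts(evilHtml, evilJs),
    proxyAcceptsGenuinePage: proxyAccepts(indexHtml, indexSig, publicKey),
    proxyBlocksTamperedPage: !proxyAccepts(evilHtml, indexSig, publicKey),
  };
}

console.log(scenarios());
```

The signature in this sketch covers only the file bytes; binding it to the resource path and release version as well would keep an older signed file from being served in place of the current one.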

Enforcing UI verification asserts that what a client sees is indeed authentic. In summation, this assures Curv and Curv’s clients that the user interface they are engaging with, which can make any request to the proxy, is indeed not malicious.

Security is a big field of uncertainties

Even though our new UI security feature addresses a large potential problem for Curv users, it is obviously not the be-all and end-all. There are still many attack vectors to consider and monitor for ongoing threats. We prepare now to prevent an impending wave of new attacks. This is part of our ongoing commitment to clients to deliver a solution that meets the highest level of security — now and in the future. In the future, this could involve attacks on backend servers, whereby an attacker alters the data presented to the user or corrupts data used by Curv. “Malicious” employee attacks additionally remain a possibility. Thankfully, Curv has an established and comprehensive methodology to ensure this cannot occur within a company. Lastly, third party libraries remain a cause for concern. Without close attention to the library in use and its contributors as well as the code it actually executes, any system can be compromised by a vulnerability in the library.

For those without a trusted technology partner like Curv, which has a 360 degree view of these varied attack methods and how to account for them within an underlying digital asset infrastructure, these threats can seem overwhelming and reason enough to not accelerate involvement in the digital asset landscape or launch a new cryptofinance product. Thankfully, Curv is dedicated to ensuring these attack vectors are always accounted for. We are proud of our new UI verification feature and the benefits our clients experience as a result of its release. We will continue to work on and present new security features as they come along. Stay tuned…
