top | item 16509772

heliumcraft | 8 years ago

This wasn't a flaw with Ethereum itself or its protocol, but rather an issue with one of its client implementations (go-ethereum); other clients like Parity, Harmony, etc. are unaffected.

WiseWeasel|8 years ago

The article states it's only been discovered and mitigated in geth, allegedly the most popular ethereum client; whether other clients are vulnerable is unknown.

This statement from ethereum/geth developer Felix Lange even hedges on how completely the vulnerability has been mitigated, which may not bode well for ethereum in general:

>We have done our best to mitigate the attacks within the limits of the protocol. The paper is concerned with 'low-resource' eclipse attacks. As far as we know, the bar has been raised high enough that eclipse attacks are not feasible without more substantial resources...

He did go on to mention his belief that the alternative ethereum client Parity isn't vulnerable, so there's that at least.

UncleMeat|8 years ago

Is there any other field of computer security where this argument is acceptable? Usable security matters. Ecosystems matter. You cannot put a boundary somewhere in the middle of what the end user sees and call your security job done.

When people majorly botch x509 cert validation because the spec is so monstrously complex, that's still a problem with x509.

dahdum|8 years ago

Ethereum specifically chose to develop around multiple clients to mitigate the risks of implementation errors such as this. It would be ideal if all were perfect from the start, but no software is, security or otherwise.

heliumcraft|8 years ago

One can't claim the Web is broken just because a bug was found in one of the many browsers.