Z.cash/downloads/sprout-verifyingkey 301 redirected to amazonaws.com/zcashfinalmpc?

Hi
I am installing zcash via the terminal in ubuntu.

It looks like the installer is being redirected from the zcash site to a folder on Amazonaws.com. Obviously I'm a bit worried about this; it does not seem right.

Does this look like a hijack?

I've tried to post the output of the installer but the forum won't let me post anything with more than 2 links in it.

It’s probably the proving and verification keys that are downloaded from S3. It’s a large download so likely just done for performance reasons.

You can see what’s happening here https://github.com/zcash/zcash/blob/master/zcutil/fetch-params.sh (i.e. the https://z.cash/downloads/$SPROUT_PKEY_NAME link most likely is the 301 to S3). Note that the checksums of each key are validated so that if someone managed to compromise that file on S3 it would fail.


Thanks for the reply Gareth. I'm too worried about this to use the wallet, for now anyway. Looks to me like it could be some kind of hack to the .htaccess file on the install servers. I think that is just sensible until I can confirm that that 301 redirect is ok.

I'll try again to post the code, not sure how many posts I have to make before the forum allows that so here goes…

Hhhmm.
Still getting the error “Sorry new users can only post 2 links per post”

Anyone know how many posts, or how many days on the forum, is required before I can post more than 2 links? It still won't let me post this code.

Ok I will post the code in chunks containing only 2 links. I hope it can be read like this!

Retrieving: https://z.cash/downloads/sprout-proving.key
–2017-08-31 22:17:42-- https://z.cash/downloads/sprout-proving.key
Resolving z.cash (z.cash)… 104.28.11.251, 104.28.10.251
Connecting to z.cash (z.cash)|104.28.11.251|:443… connected.
HTTP request sent, awaiting response… 301 Moved Permanently

Location: https://s3.amazonaws.com/zcashfinalmpc/sprout-proving.key [following]
–2017-08-31 22:17:43-- https://s3.amazonaws.com/zcashfinalmpc/sprout-proving.key

Resolving s3.amazonaws.com (s3.amazonaws.com)… 52.216.21.133

Connecting to s3.amaxxxzonaws.com (s3.amaxxxzonaws.com)|52.216.21.133|:443… connected.

NOTE: In the post above, I had to break the url with those added xxx’s as the forum will not allow posts to amazonaws.com!!

This is a very restrictive forum set up.

HTTP request sent, awaiting response… 200 OK
Length: 910173851 (868M) [application/octet-stream]
Saving to: ‘/home/xxxxxx/.zcash-params/sprout-proving.key.dl’

 0K ........ ........ ........ ........  3% 1,01M 13m46s

32768K … … … … 7% 1024K 13m19s
65536K … … … … 11% 1,05M 12m36s
98304K … … … … 14% 1,12M 11m49s
131072K … … … … 18% 1,08M 11m14s
163840K … … … … 22% 1,11M 10m38s
196608K … … … … 25% 882K 10m28s
229376K … … … … 29% 1,01M 9m58s
262144K … … … … 33% 1,01M 9m27s
294912K … … … … 36% 1,16M 8m50s
327680K … … … … 40% 1,11M 8m16s
360448K … … … … 44% 1,07M 7m44s
393216K … … … … 47% 1,15M 7m10s
425984K … … … … 51% 1,06M 6m39s
458752K … … … … 55% 1,18M 6m6s
491520K … … … … 58% 956K 5m39s
524288K … … … … 62% 1,01M 5m9s
557056K … … … … 66% 963K 4m40s
589824K … … … … 70% 1,05M 4m10s
622592K … … … … 73% 1,14M 3m38s
655360K … … … … 77% 961K 3m8s
688128K … … … … 81% 989K 2m38s
720896K … … … … 84% 996K 2m8s
753664K … … … … 88% 929K 97s
786432K … … … … 92% 1015K 66s
819200K … … … … 95% 894K 35s
851968K … … … … 99% 1023K 4s
884736K … 100% 1,18M=14m11s

2017-08-31 22:31:55 (1,02 MB/s) - ‘/home/xxxxxx/.zcash-params/sprout-proving.key.dl’ saved [910173851/910173851]

/home/xxxxxxx/.zcash-params/sprout-proving.key.dl: OK
'/home/xxxxxxx/.zcash-params/sprout-proving.key.dl' -> '/home/xxxxxx/.zcash-params/sprout-proving.key'
Retrieving: https://z.cash/downloads/sprout-verifying.key
–2017-08-31 22:32:00-- https://z.cash/downloads/sprout-verifying.key

Yes, as I said, it's downloading the keys (which are obviously public) from S3. The contents of these keys are then verified.

Did you follow the instructions here and check the fingerprint of the signing key (https://github.com/zcash/zcash/wiki/Debian-binary-packages), as all releases are signed? The keys are huge, hence coming from S3, but as I said above the contents of them are validated. It's good to be overly cautious but this isn't an attack.

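The point made in both of Gareth's replies is that the origin of the bytes (z.cash, S3, or anywhere the 301 lands) does not matter as long as the script compares the download against a hash pinned in the script itself before renaming the `.dl` file into place. The following is an added example of that download-then-verify pattern, written for this thread and not taken from zcutil/fetch-params.sh or any zcash code. It runs offline: the "download" is a helper that writes constructed bytes, the file names are made up, and the pinned hash is the well-known SHA-256 test vector for the string "abc". It assumes GNU coreutils `sha256sum` (the same tool the real script uses for its check).

```shell
#!/bin/sh
# Added example (not zcash's own code): the download-then-verify pattern that
# zcutil/fetch-params.sh applies to the Sprout keys, on constructed data so it
# runs offline. Requires GNU coreutils sha256sum; the file names, the expected
# hash and the "download" helper below are assumptions for the demo.
set -eu

PARAMS_DIR="${PARAMS_DIR:-$(mktemp -d)}"

# Stand-in for the wget step: writes constructed bytes to the .dl staging file.
fetch_simulated() {
  dest="$1"; content="$2"
  printf '%s' "$content" > "$dest"
}

# Check the staged download against a pinned SHA-256 and only then rename it
# into place. Because the hash lives in the script, it does not matter whether
# z.cash or S3 served the bytes: a modified or truncated file fails here and
# is deleted rather than installed under the real key name.
verify_and_install() {
  name="$1"; expected="$2"
  dl="$PARAMS_DIR/$name.dl"
  actual="$(sha256sum "$dl" | cut -d' ' -f1)"
  if [ "$actual" = "$expected" ]; then
    echo "$dl: OK"
    mv "$dl" "$PARAMS_DIR/$name"
    return 0
  fi
  echo "$dl: FAILED (got $actual, expected $expected)" >&2
  rm -f "$dl"
  return 1
}

# Demo: SHA-256("abc") is the standard test vector ba7816bf...f20015ad.
# One staged file matches it; a one-byte variant ("abd") must not.
GOOD_HASH=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

demo() {
  fetch_simulated "$PARAMS_DIR/good.key.dl" "abc"
  verify_and_install good.key "$GOOD_HASH" || return 1     # must pass
  [ -f "$PARAMS_DIR/good.key" ] || return 1                # installed

  fetch_simulated "$PARAMS_DIR/bad.key.dl" "abd"
  if verify_and_install bad.key "$GOOD_HASH"; then return 1; fi   # must fail
  [ ! -e "$PARAMS_DIR/bad.key.dl" ] || return 1            # tampered file discarded
  [ ! -e "$PARAMS_DIR/bad.key" ] || return 1               # and never installed
  return 0
}

demo && echo "demo: both cases behaved as expected"
```

To confirm the redirect itself rather than trust the forum, the same check the original poster's wget log shows can be reproduced with `curl -sIL https://z.cash/downloads/sprout-proving.key`, which prints each hop's status line and `Location:` header; the hash comparison above is what protects the installed key regardless of where that chain ends.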

@dobby I unhid your posts. Sorry for the spam false alarms; the policy is a little oversensitive to posting multiple links (because that’s such a strong heuristic for real spam). I’ll look at what settings are available to make it less sensitive.

Note that marking text containing domain names as code (using the </> button in the post editor) should stop them being interpreted as links, I think.

To answer the main question and confirm what @garethtdavies said, the redirect to S3 is intentional and not the result of any attack.