Proposal to improve wallet security in the extension

The idea is to add security to the extension in the form of an extra password when transferring YUP to another account; it would be a security option to prevent anyone who has access to the browser from easily extracting the YUP.

What do you think? Is it a good idea?

9 Likes

I like your idea, excellent

I think it is an excellent proposal… :+1:

Solid security measure. The tradeoff is that if someone has forgotten their password but is logged in, their YUP is trapped in their extension unless they have their private key stored somewhere and can import it into another wallet.

Might make sense to implement this after we have a “reset password” option.

3 Likes

If you have people that you don’t trust accessing your PC, then you have a big problem: you can extract the private key from all wallets if they are unlocked. In YUP’s case a password for that view won’t prevent someone with direct access to your browser who will scan your extension’s raw memory to get your private key. Also, if you put a password there, it might be a negative UX experience for people who don’t want to type it every time they make a transfer; in the case of MetaMask, it allows you to set a 0-time lock so you don’t need the password every time. So probably adding this will need a settings view for people who want to disable this behavior.

Also, after migrating and getting rid of the EOS dependency, the extension won’t be a wallet anymore, and probably the transfer from the extension will go away anyway.

1 Like

Yup, good points, especially regarding UX and planning for untrustworthy people to have access to your computer. The latter should be an extreme edge case for most users.

1 Like

The recovery part you mentioned is, I think, a very important point: normally a user should be able to recover his account in a web3 fashion using only the private key, but since we’re migrating, this needs to be rethought when the EOS account is not a dependency anymore and the extension will not be a wallet anymore.

It is called prevention. I am sure everyone does not share their cell phone and has an access password to prevent others from accessing the data; in the same way, on a PC or laptop, even if you live alone, I am sure you have an access password and security measures to prevent someone from accessing your data. And my proposal is in addition to the YUP password: if we are going to continue having the wallet option in the extension for withdrawals, I think we should have the option of a security PIN when transferring. That is an option for those who want to have more security; in my opinion it is not too much prevention.

You can’t use an additional PIN; you can only use the encryption password (which can have any form) of the wallet itself, because once the PK is in memory it is game over: anyone who has access to that PC can very easily extract your PK from memory. So the way wallets work is to remove the PK from memory once a certain time passes; then, if you want to use it again to sign anything, the wallet will ask you for the password to be able to load the PK from persistent storage and put it in memory. So for a crypto wallet a secondary PIN doesn’t make any sense. Why do you think hardware wallets were invented? It was because you don’t want to have the PK in the memory of a PC, where it is vulnerable to extraction by any software that has elevated access to that PC. So for crypto wallets, it only makes sense to have one encryption key used to decrypt the PK from storage.

In the current YUP case, once you have logged in, for UX reasons the PK practically stays in memory, so your key can be extracted from the extension in 20 seconds with nothing more than a memory inspector.

If you know that your personal computer is at risk of being misused by an unauthorized person, it is much safer to just log off if you want prevention; then you have 0 risk of your wallet/extension being misused, and logging off is actually something very often marketed as a prevention measure for every scenario.

A very practical solution, by the way, and thanks for giving me the argument that the YUP wallet is insecure. I hope that with the migration this will change, or that some developer on the team will think outside the box to change this and not just say: log out and you will be secure.

I don’t understand why you think the YUP wallet is insecure. As I previously explained, all software wallets are vulnerable to extraction of the private key after it has been decrypted from persistent storage; that’s why the term cold storage was coined. I can go and implement a password prompt, but that’s just false security, since it will not protect you from mistakes like sharing your personal device with an unauthorized person, which is a total failure when it comes to security.

Also, I think it is pretty rude to accuse any developer of not thinking outside of the box, especially when you participate only with ideas and not with code. I myself, knowing my limitations, would never do such a thing :smile:

Maybe, with my little knowledge, I misunderstood this part you wrote:

If so, I apologize for my ignorance on the topic.

Yeah, that’s not insecure; it is a design choice. You need the PK in memory so you can sign votes and auth challenges, or would you rather type the encryption password for every vote and every 3 minutes? Even when you send a request to clear notifications, it carries a PK signature.

Every wallet has options to leave the key in memory for long or indeterminate periods of time so you don’t have to type the password every time. Local security for your key is your responsibility, so letting people you don’t trust access your personal device is, to me, like sharing your PK.

Insecure means vulnerable to some exploit that can steal funds/sign transactions using some kind of remote execution by some stranger; it doesn’t mean you letting someone you don’t trust use your personal device.

Personally, I thought maybe transforming the extension into an ETH wallet would be a good idea after migration, since you could use it to authenticate on the app and make a transfer quickly, but after seeing this thread I am convinced that it is better, as @vt has suggested, to just axe all the wallet functionality from the extension; then for all auth/transfer stuff you’ll just have to use MetaMask.

1 Like

In that case I apologize for my words, the product of my ignorance and lack of knowledge on the subject, which is why I misunderstood your message. Again, sorry!

And as you say, everyone has the responsibility to take care of their own assets, and that is why we are the ones who must control who accesses our devices and who does not.

I can’t discern if you’re meme-ing or not, but I’ve gone and implemented this anyway, even though it doesn’t make a lot of sense.

I like this idea! Will pass it on to the team.