Addressing Plug Safety Concerns
This post is meant to address the concerns of some users, namely theguy.icp’s post:
-
Yes, Plug needs access the whole site. This is how extensions work. An object is injected into the page that is globally available for dApps to hook into and interact with. This most definitely does not mean that applications are able to access your private keys. Plug exposes functions through this object to allow dApps to initiate new transactions through Plug (like sending a token) that a user can accept or deny.
-
For this we need to understand the difference between a hot and cold wallet. Hot wallets access an encrypted version of your private key in your computer’s memory. This keeps your keys safe while also providing accessibility to approve transactions (in dev speak this is akin to ‘signing messages’). A cold wallet is where your private key is stored directly on a physical device that signs messages and sends the approval to an interface to be processed. This is how Plug will operate when we add support for Ledger hardware wallets.
An Overview Of Plug as a Hot Wallet
Plug currently operates as a hot wallet. Let’s get the most important point to address out of the way first: at no point is your private key being hosted on a centralized server somewhere, it lives within your own machine’s local memory.
Let’s go through the entire hot wallet flow to fully understand this.
Are my keys being hosted on some Google server? Absolutely not… the current version of the extension is available for download through Google’s extension store, which means they keep a blank copy of the extension code that they distribute when you download it. You can think of this blank copy as a car, and your private keys are… well, the keys to the car. At no point after download of the extension do key interactions of the app interact with google servers. You insert your keys into the vehicle, start it, and when you’re done with it, take them with you. That’s how a non-custodial wallet works.
While your keys are plugged into the application, they are decrypted and stored in extension memory, an area isolated from all other processes. This is the only time that your un-encrypted private key is actually stored in memory and is a requirement for a hot wallet so they can be accessed to sign approvals for transactions. They are not being uploaded and fetched to a server, they live and die protected on your device.
Plug Structure & Where It’s Headed
Currently, the Plug team is the primary controller of the Plug application and dictates updates. We have communicated time and time again our commitment that Plug will become DAO controlled. One of the large components of our DAO structure will be transparent code upgrades. Not only will new updates coming to Plug have to go through democratic community votes in order to pass, but the code will also all be open source so that the community can have time to vet for any malicious actors.
Additionally, if you’re worried about a 3rd party updating the extension with malicious intent since, Plug is open source and provides builds for every new release (view them all here). There is nothing stopping anyone from manually downloading and building the extension yourself, instead of receiving automatic updates.
We hope this answered some of the community’s questions & concerns. Questions & critiques are welcome! 