Okay, thanks for clarifying. I was aware of the risks at the user end, your post just got me worried there were risks at the NNS website / Internet Identity end that I was unaware of that were similar to the risks involved with browser wallets like Metamask.
Hi @bjoern,
Thank you for your answer.
Does this mean that we can hope hold our NFT through the Ledger Hardwallet soon ? If yes, it is marvelous, and what would the timeline be (approximatively of course) ?
I also donāt understand why we still donāt have the signing of cbor messages with ledger available. we should be able to interact with certain sites with our ledger.
Among the authentication types of Internet Identity, Security key is the most secure because it never passes through the browser or memory, and biometric authentication is equally secure because it is stored in the hardware chip (TPM) in the PC. However, the seed phrase is less secure because it is temporarily stored in memory when it is generated and then deleted.
Security key >= biometric >> seed phrase
Seed phrase with low security is problematic, so security key is recommended, is that correct?
Even so, it is more secure than browser-based wallets like Metamask and Plug. Because,
-
Seed phrase is a one-time use of memory (and then deleted), while browser-based wallets are stored in memory for each signature to tx.
-
Browser-based wallets do not store the private key in the TPM like biometric authentication, but rather store it encrypted in the local storage of the browser, which is less secure ( I could be wrong).
However, the most secure one is a hardware wallet like Security key, which does not pass the private key through browser or memory, and verifies and displays the tx on the hardware, so we are considering to develop it so that we can use it. Is that correct?
hardware wallet(ongoing) > Security key >= biometric > seed phrase >> browser-based wallets
3 Likes
Depends on the application for II because of the ephemeral private key stored in local storage. This is even worse than MetaMask. That key can do anything that the II can do, so your WebAuthN device isnāt providing any security after youāve logged in.
What would be amazing is if we could require additional verification from a WebAuthN device for certain actions.
1 Like
II never stores key material in local storage. Thatās why you have to re-authenticate on every login.
3 Likes
Itās probably realistic to build this functionality in the Ledger application in a few months. The additional implementation effort is moderate, but such an update will have to go through a security review with Ledger, which will usually take a while.
Regarding the concerns with threshold ECDSA signing: We are following three different paths toward improving the security over time:
- Diversifying the set of node providers (NPs). If you have been following NNS proposals recently, you must have seen several proposals registering new NPs. So the IC is getting more diversity in its nodes, which will allow the NNS to improve the diversity of nodes in the subnets that host the threshold keys, and also grow that subnet over time. As with anything organic, that just needs a bit of time to grow.
- Supporting trusted execution environments (TEEs). We are building support for AMDās SEV-SNP in the node deployments, which provide some additional security against potentially malicious NPs. This work is in progress, and will play well with the new āGen 2ā node architecture that the new NPs are rolling out.
- Threshold trade-off: We can parameterize the protocol to achieve better security (meaning: improved resilience in terms of number of NPs that have to collude to create a signature) at the cost of weaker liveness (less misbehaving NPs could stop the subnet from issuing signatures). This is a protocol-level improvement that is orthogonal to the above two.
I donāt think that this is fair, on multiple levels. First, there is (and has always been) ongoing work toward improving the security of ICP, in several components and aspects. We have made significant improvements since launch, and we will continue doing so. This work often receives less publicity, of course, since in many cases it is just invisible to users.
Second, you seem to imply that deploying on the IC was generally less secure than on ācompeting systems.ā The statement is vague and thus hard to respond to, but I would guess that such comparisons are generally hard because they tend to compare apples with oranges. Anyway, Iād be interested to know what you had in mind.
Third, it would be infeasible (and not helpful either) to now stop all the work we are doing and focus on a single aspect, like security. Are there security aspects we have to work on? Absolutely! But so are aspects of scalability (e.g., number of neurons in the governance canister, number of canisters on a subnet, size of the state a subnet can handle), developer experience, and so forth.
3 Likes
The ephemeral keys must be stored somewhere accessible to the domain (accessible to its JS) so that signing can occur, I donāt understand this.
My understanding is there is a keypair created on every login that can sign for the II. That key is not protected by hardware and is accessible to JS and thus XSS or other similar attacks.
1 Like
Iāve got a page or two of notes on security concerns Iāve come across while building the prototype of Backed USD, but managed to make myself busy again and donāt have time to flesh it out now. I hope to within a week or so.
For now, Iāll just dispel a couple of possible misunderstanding, plus stating that the fact that there is no way to securely connect to a dapp is alone probably enough to concede that the system is not āas secure as competing systemsā today.
First, as a relative newcomer I have no idea why the foundation has chosen to do the things itās done: all I know is youāve managed to create a groundbreaking system that mostly works. What I mean is only that, as you know, the world doesnāt care about how efficiently we allocate resources or how diligently we work: it only cares about the outcome, the concrete offering. What I mean is I donāt claim there havenāt been security improvements, perhaps massive ones that have required great effort and dexterity. I only claim that if those donāt amount to equal or better than the alternative, weāre in trouble. In particular, I mean no criticism of the foundation or its work (I donāt understand it well enough internally to comment): I only mean that the situation weāre in, the state of the network, is vulnerable to several attacks for a host of reasons, regardless of how much or how little work or improvements or what reasons have led to it.
1, 2, 3 above are important improvements (I understand 3 less well). They help.
Regarding
Maybe, I donāt know, thatās why I say āperhapsā, and āappears to beā. But also, maybe not, and perhaps the situation is such that really an exclusive focus on security would make sense for a while. It is not at all obvious to me from what Iāve seen.
If all goes well I hope to be back with a more detailed response soon.
That would be very helpful ā looking forward to that!
1 Like
There is an ephemeral key that is kept in memory, which is created for each session. I just checked that we are currently using a key that is actually accessible to JS, it seems preferable to use a type of key where at least the private key cannot be extracted from JS. Iāll check with the team when they plan to migrate there. Either way, this is entirely in the origin of II, and we intentionally keep the codebase of II small and simple.
3 Likes
Why is using an air gapped device more secure than a hardware wallet?
Not an expert like Bjoern is but i interpreted his statement that air gapped removes the potential of a bug in the hardware wallet.
Air gap has no internet connection so no potential for bugs (hardware wallets have very limited basic software, but still software) or hardware design flaws to affect you.
3 Likes
Hey - we switched all of our domains to icp0.io last week because of this warningā¦ we come back after the weekend to find users complaining that domain throws errors on their browsers and the original domain ic0.app does notā¦ what is going on here?
Which one should be used as of 2-28-2023?
For icp0.io domainā¦
Hey apotheosis!
Unfortunately, we discovered that the domain icp0.io, which we recently introduced as an alternative default domain, has been used for malicious content.
As a result the following providers/products have flagged raw.icp0.io (only the subdomain raw) on their list as spam/phishing:
- Google Safebrowsing
- Netcraft
- Kaspersky
- Emisoft
We will work with the providers/products and were already able to remove the entry of Netcraft, Kaspersky and Emisoft.
Update: Sorry mixed the domains in my original post. Itās now updated to raw.icp0.io.
Thanksš switching back to the old one.
Depending on how much effort it is for you to switch and how much you rely on raw URL, I would suggest to not switch back yet, because the same risk also applies to ic0.app, as we experienced with the Spamhaus listing.
In general its highly recommended to use custom domains to not rely on either of them.
Update: Just double checked your canister id from the screenshot and Kinic is indeed a special use case. So in your case switching definitely makes sense.
1 Like
This will keep happening with every domain. Itās a trivially simple attack vector that is now widely known. I reiterate what I suggested upthread:
āHave a domain reserved for core services and apps. Perhaps an NNS vote could be required to have a site on that core services domain, making it a community whitelisted IC. That way, we avoid having to censor while also sealing off any nonsense that goes on in the wider network from systemically important services. Because making a malicious website or app is extremely easy. Now that this issue is public, people will do it just to sabotage the IC.ā
Good news: raw.icp0.io is not listed on Google Safe Browsing anymore and the red warning should disappear.
4 Likes