Internet Identity Lack Of Security

That’s an understatement :slight_smile:

There’s nothing inherently wrong with the way II works right now. It uses some new tech (WebAuthn), it supports FIDO keys and it’s pretty good at protecting a user’s privacy (maybe a bit too good at that). There’s no “lack of security” here.

What people seem to misunderstand is that no amount of code and hand-holding features will fix bad OPSEC. All the hypotheticals that people used in this thread can be addressed by sane OPSEC: Don’t use the same account for both staking a gazillion ICP and for playing hold’em. Don’t add random insecure devices to your II that maintains said gazillion ICPs. Use live distros. Use airgapped systems, etc.

4 Likes

So, to avoid - still not totally - risk, people not only have to create another II, but also buy a dedicated computer, etc. In summary, even casually holding or staking and interacting with the NNS becomes “Mission: Impossible”. Conclusion: it is clearly not designed for mass adoption. I wish I knew this before investing…

If any newcomer wanting to enthusiastically invest in ICP had to read the methodology you gave, as good, rigorous and wise as it is, it would make him immediately reluctant to invest in ICP and he would flee to invest in a safer and simpler blockchain that allows staking.

I think this only way to act safely for a non-developer investor, rationally described by you, would disgust any enthusiastic investor.

Thanks a lot for this long and patient methodology description!

I think about this a little differently.

  1. If I have 100x of value, I would use a safer mechanism to store. (Just like I wouldn’t store ALL of my net worth in a physical wallet).

  2. I am ok with carrying around 1x of 100x, knowing and accepting the risk that I may lose 1x, as against not being able to spend any value at all.

On the existing investment front, I believe that there’s a mechanism to transfer the management of a neuron to follow another neuron; even one created with nns dapp in iis. If the followee is created through an airgapped computer, then I THINK that’s a path to secure existing investment. @timo might this work?

The project has lots of problems, but the II is not one of them.

The more I read your posts, the more I’m convinced you are a troll. You seem to ignore what’s being explained to you by security professionals, you seem to constantly move the goalposts, you find the most convenient edge cases and the most absurd what-ifs. You are not looking for a discussion, you seem to have a pre-made point and you want to drive it home.

The title, your responses, they all read “TROLL” … As an old forum adage went, “please don’t feed the trolls”…

1 Like

Are you serious? :smiley: Mate, are you new here? If you never saw my name since the genesis, there is an issue. I let the socials tell you if I am a troll. But if you say so… Do you have Twitter at least, do you read the forum or Telegram channels? Best joke of the year. Do you know ICPMaximalist at least?

I don’t think @Roman is being a troll at all. I think he is expressing dissatisfaction with II.

I completely understand your points on OPSEC and I don’t disagree. To be honest I should have done more due diligence with how II works before I staked so much at Genesis.

But, I do agree with @Roman that telling people now, 6 months later to not stake large amounts of ICP with an NNS account that relies on II authentication is an oversight (unless I missed something in the original documentation warning against this). Especially since there was no other choice.

Edit: To be fair I guess the CLI has always existed. But that is not something I would have expected an everyday user to figure out.

4 Likes

Again, you have a better formulation than me to express my opinion.

Friend, I say this with absolute candor and no ill intentions: I don’t care who you are, what your twitter is, or how much social clout you have. In this thread, this topic alone, your posts, the words you choose and the replies you type make you sound like a troll. If your intentions are indeed good, you should take a breather and rethink your approach.

I stand by my words:

The title is misleading at best. There is no inherent lack of security in the II.
The replies are constantly moving the goalposts.
Your edge cases are contrived.
Every “bad security” example you gave somehow implies that PHYSICAL security is compromised. There are few security solutions that would ever work in such a situation, and most of them hint towards what’s already been offered: live distros, airgapped systems.

I don’t intend to further this line with you. I am but a dev that wants to see this project succeed, and I have no intention of fighting with you. Just wanted to let you know that your approach is counterproductive, misleading and at the end of the day it makes you sound like a troll. shrug

2 Likes

I don’t believe that @Roman is a troll, either. If I look at his concerns, it’s about how to safeguard his investments.

What is large or not depends on context…

Put this in a different context: 10 ICP may not mean much to some. But for others, that’s a LOT of money (perhaps ONE month’s worth of work). If II is NOT workable for those with “little” investment, how will we EVER get masses to stake their coins on NNS?

I believe that this post has been a HUGE learning experience for me, personally.

4 Likes

You are right my good friend, I am a troll, I am meaningless and nobody. I won’t talk anymore on the forum. Like this, you won’t have to suffer any more of my trolling.

1 Like

I agree with @mparikh that this discussion has been nothing less than educational. Had @Roman not posted this (idc what the title is) then we would not have had this opportunity to learn more about the limitations of II.

2 Likes

No you’re not.

You might benefit from working on how you express your thoughts. But I’d say his ability to provide constructive feedback could also use work.

Don’t let it get to you. I appreciate this post.

1 Like

Point taken. +20 chars

1 Like

No!!! A newcomer uses a Ledger Nano like they do on all other blockchains.

The suggestion I gave with a dedicated laptop was a short-term solution for someone who has already staked a high amount with an II and wants to reduce the risk immediately. Newcomers don’t fall in that category. Let’s not mix those cases and conclude that ICP has a problem because there are no options for newcomers.

EDIT: Re. dedicated laptop. As suggested elsewhere in this thread, a live distro is just as good.

2 Likes

To be fair, newcomers on-boarding today don’t have that option unless they use the Ledger’s developer mode. Unless the Ledger app was released recently?

1 Like

@wpb perhaps you and I should get together and work on a proposal for allowing neuron transfers. We’ve talked about this topic frequently in the past; but, given what I’ve learned in this thread I’d really like to have the ability to transfer control of my neuron to my Ledger Nano in the future.

Edit: tagging @lastmjs because I’d like his opinion as well. We can move this chat to a Telegram group if you’re both interested.

I am following this thread with much interest. We were promoted to stake our ICP in the NNS by several people at Dfinity and outside. @wpb @Kyle_Langham and @ayjayem are trying to change some rewards distribution in order to add to the long term staking in the NNS. The lack of security described here by @GLdev is certainly a big fact that was not taken into consideration. Gabriel goes as far as suggesting not to have a big amount of ICP in the NNS unless you know how to air gap, etc. Of course, the majority of us have no clue how to air gap and do not wish to go that far.

There is nothing we can do about the past, but we can certainly try to improve.
Again, this comes down to the fact that it is way too easy to add and remove devices from II. This happened to @xiaobing lately.
So I am asking @jwiegley @hpeebles @diegop: Is there a way to add a PIN or a Ledger Nano confirmation for adding or removing a device in the II?
Is there a way to have the Last Login Date on the main screen so we are assured no one else has gone into our NNS?
This first step at increasing security would certainly help investors to feel much more secure.

As a second step, would it be possible to receive a phone notification or email every time there is a login to our NNS?

For me, this would be top priority. Maybe you guys have some much better ideas.

Right now, with what I have learned in this thread, I would not recommend anyone to send their ICP to the NNS, as Gabriel recommends. Personally, I will manage the best I can to keep it as secure as I possibly can now with the suggestions from this thread.

Thank you all for your posts here.

2 Likes

I don’t think this is possible. But can look into it again.

  1. So CURRENTLY the ONLY SAFE WAY to hold significant value is an air-gapped computer with proper tools such as quill and keysmith.

  2. Internet Identity SHOULD NOT BE TRUSTED for any store of significant value.

are the two main points coming out of this hugely important post.

3 Likes