Info on Nano-Chrome API issue?


XRPto50dollars

Someone asked in another topic, "A link was posted with info from the ledger website suggesting that the chrome api had faltered and users should refrain from sending any coins from their nano using the chrome's api."

...but they can't find where they got this info. Has anyone else heard about this issue with Ledger / API? Thanks in advance.

This is interesting.

"Google has announced the end of life of Chrome applications. Ledger will provide replacement solutions in time to make sure users are not affected.

We have started developing a new native application Ledger Wallet (for PC/Mac/Linux) based on Electron framework.

UPDATE December 2017: Google will not deprecate the Google Apps before June 2018."

https://trello.com/c/mf0aFgDK/28-chrome-applications-end-of-life

18 minutes ago, XRPto50dollars said:

Someone asked in another topic, "A link was posted with info from the ledger website suggesting that the chrome api had faltered and users should refrain from sending any coins from their nano using the chrome's api."

...but they can't find where they got this info. Has anyone else heard about this issue with Ledger / API? Thanks in advance.

I feel better after reading this about the security.  

"Whenever a payment needs to be made, the transaction is signed inside the Secure chip and the private keys are not even visible by the computer the Ledger Wallet is connected to. A compromised computer will never be able to access the contents of the Secure chip."

https://support.ledgerwallet.com/hc/en-us/articles/360000380313-Security-of-Ledger-products

37 minutes ago, MaxEntropy said:

Hmm... what is Ledger Wallet going to do for a security environment???

Clearly, Ripple has bombed on their implementation of the Ledger Wallet for Ripple.

What? This doesn't even make sense haha.

Bombed...

  • the installer is NOT signed... 
  • which rocket scientist in the process of software design, development, testing and product release... decided that a presumably secure hardware wallet should use an UNSIGNED installer... not trusted by anyone or any corporation. Specifically, corporations accept ONLY products that are signed.

You folks have some work to do on security.

:-)

Please debate this issue.

2 minutes ago, MaxEntropy said:

Bombed...

  • the installer is NOT signed... 
  • which rocket scientist in the process of software design, development, testing and product release... decided that a presumably secure hardware wallet should use an UNSIGNED installer... not trusted by anyone or any corporation. Specifically, corporations accept ONLY products that are signed.

You folks have some work to do on security.

:-)

Please debate this issue.

What installer is not signed?

@gray

You see... you are a newbie !

Set aside which installer... and deal with the generic issue of Windows software component that is required for Ledger Wallet for Ripple... for which the installer is UNSIGNED... ie... no security credentials... and no company name... anonymous. Cute.

Edited by MaxEntropy
Just now, MaxEntropy said:

@gray

You see... you are a newbie !

Set aside which installer... and deal with the generic issue of Windows software component that is required for Ledger Wallet for Ripple.

Being a newbie has nothing to do with it lol. There is no "Windows software component" that is required for Ledger Wallet for Ripple. There's a Chrome app which is multiplatform. Which doesn't need to be signed, because that application has absolutely zero bearing on the security of the system as a whole. The application that runs on the secure enclave of the device itself is signed, and that is what matters.

Silly.. person... of course signed installers are required... otherwise the human at the keyboard has no way of determining who wrote the software that they are about to install.

Second, if you had actually used the software you WOULD KNOW that it does NOT run inside the security context of the Chrome Extensions. The rocket scientists 'out there' implemented the quick dirty approach and installed it as a standard native application on Windows. I may get around to seeing how it is installed on MacOS and Linux... one day.

Third... I will let you do some reading... you need to brush up on security.

-

"It is hard to discuss security with people who confuse Australia with Austria."

<small joke for those who are well read>

:-)

Max has left the building.

3 minutes ago, MaxEntropy said:

Silly.. person... of course signed installers are required... otherwise the human at the keyboard has no way of determining who wrote the software that they are about to install.

Second, if you had actually used the software you WOULD KNOW that it does NOT run inside the security context of the Chrome Extensions. The rocket scientists 'out there' implemented the quick dirty approach and installed it as a standard native application on Windows. I may get around to seeing how it is installed on MacOS and Linux... one day.

Third... I will let you do some reading... you need to brush up on security.

-

"It is hard to discuss security with people who confuse Australia with Austria."

<small joke for those who are well read>

:-)

Max has left the building.

Ah, I see. Well I admit I was mistaken, the Ripple specific app for Ledger is a native app... Weird, since I was under the impression they were all Chrome apps. Anyway, the security implications are much less than you make it seem. The fact that the Windows app is not signed has no bearing on the security of your coins (private keys) if they are stored on a Nano S. It does have some amount of bearing on the security of your computer that you're installing it on (and I agree on the principle, apps should be signed, you should be able to verify it). However, the security of that computer, again, has no bearing on the security of your crypto. In addition, the fact that the app isn't signed isn't as much of a problem here since it's being downloaded directly from their website using TLS... their site would have to get hacked or you'd have to not be using HTTPS to get MITM'd and compromise the app. You can basically guarantee that the app you downloaded is the same one hosted on their servers given that you're connecting over HTTPS. Also, that app is signed, just not in the way that Windows wants... it's still signed in such a way that a warning is presented on the device if you open a non-genuine app.

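The signed-versus-unsigned question argued over in the posts above can be checked directly on a Windows machine before running a downloaded installer. The following is an added example, not part of the thread and not Ledger's tooling; the function name, the file name and the publisher string are placeholders chosen for illustration.

```powershell
# Added example: report whether a downloaded Windows installer carries a valid
# Authenticode signature and who signed it. Function name, file name and
# publisher string are placeholders, not values taken from the thread.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject (assumption).
        [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # The hash identifies the exact bytes received; it proves integrity only
    # when compared with a value obtained through a separate trusted channel.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # 'Valid' means the signature verifies and chains to a trusted root.
    # 'NotSigned' is the case debated above: no publisher identity at all.
    # 'HashMismatch' means the file changed after it was signed.
    $trusted = ($sig.Status -eq 'Valid')
    if ($trusted -and $ExpectedPublisher) {
        $trusted = $subject -like "*$ExpectedPublisher*"
    }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Sha256  = $hash
        Trusted = $trusted
    }
}

# Usage with placeholder values:
# Test-InstallerSignature -Path .\installer-setup.exe -ExpectedPublisher 'Example Publisher'
```

A `NotSigned` result means Windows cannot attribute the file to any publisher, so the only assurance left is the HTTPS connection it was downloaded over.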

@MemberBerry...

I have no idea. I feel like I started this Topic just to make conversation, and inadvertently brought the entire Ledger system to its knees. If the Ledger's 'Secure Element' is safe, yet we're downloading stuff to our computer in order to use the Ledger which compromises the security of our personal stuff aka banking, email, etc... what's the point?????????????????????? How could Ledger spend so much time, money, and research to create a super strong Nano S... yet they skimped and went with a Chrome App??? 1Todd even discovered Chrome is ENDING ALL APPS! So how can Ledger be 'so secure' if they took shortcuts along the way?

Let's face it... MOST people can't afford to buy a separate computer just to run a Nano, nor can MOST people have the technical know-how to work with Linux to create a true cold wallet.

I feel as if someone from Ledger is going to read this Thread and be like, "Crap.. someone figured out we're not safe."

I'd love/appreciate/highly desire the mega-brains to give their thoughts on this:

Pretty much this Topic seems to have inadvertently brought up a huge security risk thanks to Gray's and Max's input; if it's not with the Ledger itself, it's with the computer it's connected to via USB due to the Chrome App.

@PickleRick @RegalChicken @Hodor  @gray @Chewiecoin @JoelKatz @zenkert 

@Mercury @1todd960

Edited by XRPto50dollars
So much FUD on Ripple, it doesn't have a lot to do with Ripple.

Ledger this Ledger that, you are talking about the Ledger Nano S. A separate company that offers a hardware wallet. If they offer software that is not secure, you need to contact them. Btw I assume it's not only Ripple, but any other cryptocurrency they support would have the same issue.

Or am I wrong on this topic?
