
Info on Nano-Chrome API issue?


XRPto50dollars


4 hours ago, Valhalla_Guy said:

I am not sure what it is you are looking for. What would be "secure" in your mind?

When you pay a bill, do you not write a check, seal it in an envelope, and then "transfer it to the public system via Postal carrier"? How do you sleep at night knowing that your saliva and donkey glue is all that secures your bank's name & address, along with your secure (private) checking account number + RTN number? It also has the payee name, and amount transferred.

Oh yeah, let's not forget a valid copy of your signature, and technically, if I wanted to hack your "secure method of wealth transfer", I could even get your DNA!

Of course on the public side of the envelope, you put your name and address, as well as the payee's location. (This allows us to know what envelopes to hack, without having to open them all.)

The only safe wallet is one that is never opened, FIAT or CRYPTO! The safest XRP wallet is a true cold wallet, that is generated on a PC that never went online, nor ever will. You would put your coins in it, and NEVER spend them. (This is 100% secure, yet it also makes your coins 100% worthless, since you can't spend them.)

Once you "open" your wallet to actually spend money (FIAT or CRYPTO), you will need to compromise some security for the transaction to take place.

The Ledger is the SAFEST wallet for those who like to "frequently spend" (read: transfer) crypto, because it never exposes your key to the PC or the world. Preventing your key from exposure comes at the cost of trusting a 3rd party to protect your key.

I suppose, until they mint XRP that you can put under your mattress, along with never unlocking your doors and never leaving home, you will never feel secure?

(How did you buy crypto in the first place, without exposing your personal info and some form of financial account number to the web?)

Dear sir, it is not that you do not understand Ledger or Crypto; after reading all of your posts, on many threads, it appears you do not understand the word security.


Interesting response. I like it. Straight forward and to the point. I'm simply bringing up topics which may interest people.. and apparently it does. We always need to ask questions. The moment we stop, we become complacent. So.. to answer your question of what is secure in my mind..

I understand our personal info is out there. Send letters, write emails, send checks..

I'm simply amazed that Ledger CHOSE to use a Chrome app when it didn't have to. The big thing right now is the FACT that Chrome apps are ending very soon. Ledger admits on their site they are working on a new way to use the Ledger without the Chrome app.. So.. if they're doing this anyway.. why depend on a Chrome app in the first place? It was lazy. Pure laziness on their part. I'm not bashing the company. But... for touting such a secure device.. if their practice is to take shortcuts with a Chrome app (which will be obsolete very soon), how do we know they didn't take other shortcuts?

Again, not doubting the reliability of the Nano S. But questioning the reasoning behind making the Nano S so secure if it's possible the Chrome App could be messed around with by someone with bad intentions.


So yes, as @gray and others have said, more than likely the Chrome app is fine. It's found on the actual Chrome App store and has HTTPS. Just be sure, for new people, you download the Ledger Manager from the actual Chrome Store and not 'Joe Bob's Truck Stop and App Store'.

Thanks for all the insight.

Edited by XRPto50dollars

5 minutes ago, XRPto50dollars said:

Interesting response. I like it. Straight forward and to the point. I'm simply bringing up topics which may interest people.. and apparently it does. We always need to ask questions. The moment we stop, we become complacent. So.. to answer your question of what is secure in my mind..

I understand our personal info is out there. Send letters, write emails, send checks..

I'm simply amazed that Ledger CHOSE to use a Chrome app when it didn't have to. The big thing right now is the FACT that Chrome apps are ending very soon. Ledger admits on their site they are working on a new way to use the Ledger without the Chrome app.. So.. if they're doing this anyway.. why depend on a Chrome app in the first place? It was lazy. Pure laziness on their part. I'm not bashing the company. But... for touting such a secure device.. if their practice is to take shortcuts with a Chrome app (which will be obsolete very soon), how do we know they didn't take other shortcuts?

Again, not doubting the reliability of the Nano S. But questioning the reasoning behind making the Nano S so secure if it's possible the Chrome App could be messed around with by someone with bad intentions.

Actually, there are several benefits to using a Chrome app over a native one, and there's no reason to suspect a Chrome app is easier to be messed around with by someone with bad intentions... in fact, it's probably harder for someone with bad intentions to mess around with a Chrome app than a native one.

First, Chrome apps are sandboxed by Chrome itself... this means they're only given access to a small piece of memory they need and can't touch anything outside it. This sandbox is a great thing that native apps aren't forced into. Second, Chrome apps are platform-independent. They can write only one code base and have it work for Mac, Linux, Windows, Chromebooks, etc. This means they only need to maintain and find vulnerabilities for one code base. Less code = fewer bugs, generally. And, at the time that they chose to use a Chrome app, they couldn't have known that they were going to be discontinued by Google since that information hadn't been released yet.


3 minutes ago, gray said:

Actually, there are several benefits to using a Chrome app over a native one, and there's no reason to suspect a Chrome app is easier to be messed around with by someone with bad intentions... in fact, it's probably harder for someone with bad intentions to mess around with a Chrome app than a native one.

First, Chrome apps are sandboxed by Chrome itself... this means they're only given access to a small piece of memory they need and can't touch anything outside it. This sandbox is a great thing that native apps aren't forced into. Second, Chrome apps are platform-independent. They can write only one code base and have it work for Mac, Linux, Windows, Chromebooks, etc. This means they only need to maintain and find vulnerabilities for one code base. Less code = fewer bugs, generally. And, at the time that they chose to use a Chrome app, they couldn't have known that they were going to be discontinued by Google since that information hadn't been released yet.

yet again a 10 out of 10 written in a manner easily understood :clapping:


6 hours ago, MemberBerry said:

Is this related to this problem? 

Hmm, that's troubling. That specific problem is not so damaging to Ripple wallets, because we don't change addresses with every transaction. If there's really no workaround for ETH wallets as suggested by the document, then that's a fairly severe problem for ETH users though.

The main problem that it raises is that the program files for the app are stored in each user's AppData, which any malware running under that user's account has write access to. I checked the files for the native Windows Ledger Wallet Ripple app; it does store some files in AppData, but the main executable is in C:\Program Files, which is safer, and it's just one executable, not individual scripts. There were no .js files in AppData, so hopefully this vulnerability is not applicable to the native apps. If anyone is still using the Chrome Ripple wallet, they should consider switching to the native app.

It's not a security issue for any coins already on your Nano, it targets incoming transactions. Basically, it means you should not trust the Ledger app to tell you what your public address is. For Ripple wallets, the only time you need to rely on the Ledger app for that is the first time, when you generate the wallet. That means (as hopefully everyone does anyway) the first time you activate the wallet, just send the minimum required to activate it, and then do a small test send transaction from the Nano to verify that you have control over the wallet. Save the address yourself elsewhere/use your exchange's transaction history to get the address for any subsequent transactions to your Nano.

If you're aware of this problem, then it doesn't decrease the security of the Nano itself, but it's really not good for Ledger, a lot of people could get caught out by this if malware starts targeting those files.

Ledger should add the ability to display the public address on the Nano's screen to all of its wallets, and protect the program files better for the non-Ripple wallets.

I'm a fan of the Nano in general, but this issue is disconcerting.

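The post above describes the weak spot: app scripts living in a user-writable directory (AppData) that malware running as that user can edit in place. One defender-side check that follows from it is a baseline-and-verify file integrity scan over that directory. This is an added example, not Ledger's or the forum poster's code; the directory layout, file names and contents are constructed for the demo.

```python
"""Baseline-and-verify integrity check for an app installed under a
user-writable directory such as %AppData%. Added example; the files
below are constructed to illustrate drift detection."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a trusted baseline manifest.

    Returns three sorted lists: files whose content changed, files that
    appeared after the baseline, and baseline files that are now gone."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a pristine install is baselined, then one script
    is edited in place and an extra script is dropped next to it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "wallet.js").write_text("showAddress(deviceAddress);\n")
        (root / "manifest.json").write_text('{"name": "wallet"}\n')
        baseline = build_manifest(root)  # taken right after a trusted install
        # Simulated tampering under the user's own account (no elevation needed)
        (root / "js" / "wallet.js").write_text("showAddress(substituteAddress);\n")
        (root / "js" / "inject.js").write_text("// dropped file\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the same user account cannot rewrite, otherwise malware can simply update it along with the scripts; in practice that means a location protected by the OS or a hash published by the vendor.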

Pretty irresponsible by Ledger if what the vuln report's disclosure timeline said is actually true. Quite disappointing. Will probably sway me to not recommend Ledger devices in the future and instead go for Trezor who have done an excellent job of fixing this kind of vuln in the past and have an actual responsible disclosure program.


1 hour ago, gray said:

Pretty irresponsible by Ledger if what the vuln report's disclosure timeline said is actually true. Quite disappointing. Will probably sway me to not recommend Ledger devices in the future and instead go for Trezor who have done an excellent job of fixing this kind of vuln in the past and have an actual responsible disclosure program.

OK @gray the super brain (tried to make it rhyme).. help me out here. What's going on? What did the Ledger Nano team do 'wrong'? What is a vuln report?

Thanks in advance

@MemberBerry I give you a 10 out of 10 for finding that info. Most average people here wouldn't have picked up on that Twitter post from Ledger.

Edited by XRPto50dollars

@gray I thought malware couldn't alter the address on the Nano S screen?

And what is this image from?

The article says, "always verify your receive address on the device's screen by clicking on the 'monitor button'"........ what screen? What button?

[Image: 1.png]

Quote

Ledger @LedgerHQ · 12 hours ago

we'll announce next week more information about the native app. Unfortunately this doesn't solve any of the attack vector (a malware will always be able to change what you see on screen). Education and careful double checks are the only way.


Edited by XRPto50dollars

8 minutes ago, XRPto50dollars said:

@gray I thought malware couldn't alter the address on the Nano S screen?

And what is this image from?


It can't. The "screen" referenced here is the computer screen the app is running on. The image is from the Ledger Bitcoin app running on a computer.

14 minutes ago, XRPto50dollars said:

OK @gray the super brain (tried to make it rhyme).. help me out here. What's going on? What did the Ledger Nano team do 'wrong'? What is a vuln report?

Thanks in advance

@MemberBerry I give you a 10 out of 10 for finding that info. Most average people here wouldn't have picked up on that Twitter post from Ledger.

The vuln report (vulnerability report) is the pdf that is linked in that tweet. It's just a term for a report about a vulnerability.

The things the Ledger team did wrong in my eyes:

1. Not having a robust responsible disclosure program. Responsible disclosure means that if you find a vulnerability in their software or hardware, you tell them before revealing it to the public. This way you let them have time to implement a fix for the vulnerability before the mass public finds out about it, and oftentimes the person who discloses the vulnerability will get a monetary reward of some kind.

2. Being dismissive of this vulnerability and not communicating well with the people who disclosed it. Based on the vuln report, they basically dismissed it and then stopped communicating for over a month before saying they weren't going to take steps to fix it. If that's true, it's pretty bad. On Twitter, Ledger said they told the people who found it they were going to make new FAQ and documentation to try to help mitigate the vulnerability, but that they didn't wait long enough... even if this is true, it shouldn't take more than a whole freaking month to make new FAQ and documentation materials.


1 minute ago, gray said:

It can't. The "screen" referenced here is the computer screen the app is running on. The image is from the Ledger Bitcoin app running on a computer.

The vuln report (vulnerability report) is the pdf that is linked in that tweet. It's just a term for a report about a vulnerability.

The things the Ledger team did wrong in my eyes:

1. Not having a robust responsible disclosure program. Responsible disclosure means that if you find a vulnerability in their software or hardware, you tell them before revealing it to the public. This way you let them have time to implement a fix for the vulnerability before the mass public finds out about it, and oftentimes the person who discloses the vulnerability will get a monetary reward of some kind.

2. Being dismissive of this vulnerability and not communicating well with the people who disclosed it. Based on the vuln report, they basically dismissed it and then stopped communicating for over a month before saying they weren't going to take steps to fix it. If that's true, it's pretty bad. On Twitter, Ledger said they told the people who found it they were going to make new FAQ and documentation to try to help mitigate the vulnerability, but that they didn't wait long enough... even if this is true, it shouldn't take more than a whole freaking month to make new FAQ and documentation materials.

HMMMMMMMMMMMMMMMM.... 

