Security update for Nano S


emsemporium

Quote

New security feature: verify your receive address directly on your Nano S

Dear Ledger user,

Protecting your security is of paramount importance to us. The Ledger Wallet Bitcoin Chrome application has just been updated to give you more control over the security of your transactions. The update is automatic and enables an essential new feature: verification of the reception address directly on the device.

This new feature is addressing a specific issue known in the crypto-community as the "Man in the Middle Attack". There has been a recent announcement of a malware proof of concept that could potentially infect the user’s computer - including, the Ledger Chrome application. In this scenario, an attacker could theoretically change the ‘receive’ address displayed on the (infected) computer’s screen within the Ledger Chrome application.

By enabling you to verify the receive address on your device (the only source you can trust), the updated Chrome app provides an additional peace-of-mind.  Always verify the receive address on your device before communicating it to a third party.  Your current funds are not at risk and do not require any action. 

Besides this important software update, we are taking 3 specific actions to make sure our users are safe and secure, while remaining alert:

• Software updates: the Ledger Wallet Bitcoin Chrome application is the first to benefit from the on device receive address verification feature. It is available for Bitcoin and all other coins managed by the Chrome app. ETH and XRP apps will benefit from that new feature in the upcoming desktop global release.

• Upgraded Bug Bounty program: we are growing quickly - and we are still developing and strengthening some of our behind the scenes processes. We value contributions from security researchers and the community, and will be making our Bug Bounty programs faster and more efficient.

• Prevention: we are continuously working on developing resources and materials to help our user base better understand the threats they face and how they can best secure their assets. If not done already, we urge you to read our basic security principles ruleset.

Security is an arms race. We’re in it for the long haul and are prepared for it. At Ledger, we take our mission seriously and that mission is to protect you. 

Thank you for your trust. 

Eric Larcheveque 

Ledger, CEO 

FYI

I appreciate that not everyone on here is a fan of the Nano S hard wallet, but this is a copy of the email I've just received from Ledger regarding a security update which affects Ripple.

1 hour ago, emsemporium said:

It is available for Bitcoin and all other coins managed by the Chrome app. ETH and XRP apps will benefit from that new feature in the upcoming desktop global release.

Make of that what you will, but "upcoming" seems to suggest that they are still working on it.  

In the meantime, I'm keeping my Nano S safely locked up in the second drawer of my des-- ah, but then that would be telling...


I could be wrong, but the security 'flaw' in the XRP wallet is minor compared to other coins. My understanding is that Bitcoin (and perhaps others) use a new "receive address" for each deposit. This means that you need to verify the address displayed on your screen, against that displayed on the Ledger itself, when receiving funds.

XRP wallets use the same receive address (Public Key) for all transactions.  This means as long as you know your receive address worked at least once (activation) you are good forever.

The XRP wallet app, on Ledger, is only vulnerable upon the initial creation of your wallet; when you first "see" your receive address (public key). This address can be compromised, so make sure you only send the minimum XRP to activate your wallet, and cover fees. If it works, your public key is good.

Remember that to "receive" coin, the ledger itself does not need to be online, and the XRP app does not need to be running. Only when sending coins (xrp) is the ledger to be pulled from its deeply buried and well protected vault, in your backyard.

I own a Ledger, so please let me know if I am wrong - I also use a paper wallet, and keep 80% of my coins there, bc I still have trust issues with Ledger.

6 minutes ago, Valhalla_Guy said:

I could be wrong, but the security 'flaw' in the XRP wallet is minor compared to other coins. My understanding is that Bitcoin (and perhaps others) use a new "receive address" for each deposit. This means that you need to verify the address displayed on your screen, against that displayed on the Ledger itself, when receiving funds.

XRP wallets use the same receive address (Public Key) for all transactions.  This means as long as you know your receive address worked at least once (activation) you are good forever.

The XRP wallet app, on Ledger, is only vulnerable upon the initial creation of your wallet; when you first "see" your receive address (public key). This address can be compromised, so make sure you only send the minimum XRP to activate your wallet, and cover fees. If it works, your public key is good.

Remember that to "receive" coin, the ledger itself does not need to be online, and the XRP app does not need to be running. Only when sending coins (xrp) is the ledger to be pulled from its deeply buried and well protected vault, in your backyard.

I own a Ledger, so please let me know if I am wrong - I also use a paper wallet, and keep 80% of my coins there, bc I still have trust issues with Ledger.

very good summary


On 2/7/2018 at 12:03 PM, Valhalla_Guy said:

I could be wrong, but the security 'flaw' in the XRP wallet is minor compared to other coins. My understanding is that Bitcoin (and perhaps others) use a new "receive address" for each deposit. This means that you need to verify the address displayed on your screen, against that displayed on the Ledger itself, when receiving funds.

XRP wallets use the same receive address (Public Key) for all transactions.  This means as long as you know your receive address worked at least once (activation) you are good forever.

The XRP wallet app, on Ledger, is only vulnerable upon the initial creation of your wallet; when you first "see" your receive address (public key). This address can be compromised, so make sure you only send the minimum XRP to activate your wallet, and cover fees. If it works, your public key is good.

Remember that to "receive" coin, the ledger itself does not need to be online, and the XRP app does not need to be running. Only when sending coins (xrp) is the ledger to be pulled from its deeply buried and well protected vault, in your backyard.

I own a Ledger, so please let me know if I am wrong - I also use a paper wallet, and keep 80% of my coins there, bc I still have trust issues with Ledger.

Yep, this is correct. XRP doesn't generate receive addresses for extra coins each transaction. However there's a slight nuance here, which is that in theory your receive address could be compromised any time you look at it on the Ledger app, but with Ripple, you know that something is wrong if that receive address is different than your original address. With other cryptos, it's completely normal that it is different.

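The check discussed in the posts above (an XRP receive address stays the same, so any change from the original is a warning sign), as an added example that is not part of the original thread or of Ledger's software: it validates the base58 checksum of a classic XRP address and compares it with a pinned copy recorded after the address was verified on the device. The function names and the sample account bytes are constructed for illustration.

```python
import hashlib

# XRP Ledger base58 alphabet (its ordering differs from Bitcoin's).
XRP_ALPHABET = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(account_id: bytes) -> str:
    """Encode a 20-byte account ID as a classic address (version byte 0x00)."""
    if len(account_id) != 20:
        raise ValueError("account ID must be 20 bytes")
    raw = b"\x00" + account_id
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = XRP_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become 'r'
    return XRP_ALPHABET[0] * pad + out

def decode_address(address: str) -> bytes:
    """Return the 20-byte account ID, or raise ValueError if malformed."""
    n = 0
    for ch in address:
        idx = XRP_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid character {ch!r}")
        n = n * 58 + idx
    pad = len(address) - len(address.lstrip(XRP_ALPHABET[0]))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * pad + body
    if len(raw) != 25 or raw[0] != 0x00:
        raise ValueError("not a classic address")
    if _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("checksum mismatch")
    return raw[1:21]

def check_against_pin(shown: str, pinned: str) -> str:
    # 'pinned' is the address recorded once, after on-device verification.
    try:
        shown_id = decode_address(shown.strip())
    except ValueError as exc:
        return f"REJECT: {exc}"
    if shown_id != decode_address(pinned):
        return "REJECT: address differs from pinned original"
    return "OK"

SAMPLE_PIN = encode_address(bytes(range(1, 21)))  # constructed, not a real account
```

The script runs on the host, so it complements reading the address on the device screen rather than replacing it.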

On 2/12/2018 at 6:12 PM, MegaNerd said:

Did Ledger Nano S company ever replace their chrome app for the nano? I can't find anything.

if it's anything like anything else in life, they'll release the new 'whatever it is' for the Chrome App, but there will be bugs and issues and it won't work for months on end haha

  • 2 months later...
23 hours ago, XRPto50dollars said:

nope. talk about being secure. 

I saw you posted this as well in another topic:

https://www.ledger.fr/2018/02/23/announcing-new-ledger-wallet-desktop-mobile-applications/

looks like they're going to update the chrome app in the next month or so. yay.

the device is as secure as one could be I believe. you just have to use it right

 

Edited by MegaNerd