Does “Ledger Recovery” increase the attack surface?
- This topic has 12 replies and 1 participant and was last updated 1 year, 8 months ago by mcc011ins.
June 20, 2023 at 00:04 #2502871
root_s2yse8vt
Administrator::I do not doubt Ledger's expertise, but vulnerabilities can be produced by anyone, even the best programmers, and I am sure Ledger knows that.
I can trust Ledger to a certain degree, but I wonder whether this new “Ledger Recover” feature increases the possible risks from human error, bugs or implementation problems on the device when it is connected to the internet?
In other words: does it increase the attack surface if we have not subscribed to this feature?
Thank you for your interest.
-
June 20, 2023 at 00:04 #2502872
jlevy1126
Guest::The Ledger device itself doesn’t go online.
I’d say you’re right to not trust any 3rd party 100%. That said, if you want a HW wallet you have to have some trust in the manufacturer of the HW and the developers of the software. In that context I still trust Ledger and don’t think this new service introduces a new attack vector for malicious actors.
-
June 20, 2023 at 00:04 #2502873
TheQuantumPhysicist
Guest::Yes, it does, by definition, given how software works: [https://www.reddit.com/r/CryptoCurrency/comments/13nnlbe/the_software_security_argument_why_ledger_recover/](https://www.reddit.com/r/CryptoCurrency/comments/13nnlbe/the_software_security_argument_why_ledger_recover/)
-
June 20, 2023 at 00:04 #2502877
Spy008
Guest::The thing that worries me and don't know how likely this is. But before I would imagine (with Ledger being closed source) that if they were sending seeds externally people would be able to catch that via internet traffic/connections. Now I imagine it becomes more difficult to determine if something was compromised vs. the recover transmission.
-
June 20, 2023 at 00:04 #2502881
CorneliusFudgem
Guest::If u dont know how crypto works or how to handle ur own recovery phrase, recover is a p nice option tbh. i got friends and family who were praying for this product lol.
im not gonna use it myself (i know how ledger work) but if it means onboarding future people to self-custody i have no problem.
only people who seem to have issue w it are people who don’t know how firmware works, never used an hd hw wallet b4, or they just ignorant and think that life is a disney movie with magic and they can make 100x overnight with PEPE (and if they don’t it must be ledger fault).
-
June 20, 2023 at 00:04 #2502882
loupiote2
Guest -
June 20, 2023 at 00:04 #2502883
mcc011ins
Guest::Yes, any modification to extract the private key from the device increases the attack surface.
However, the private key is encrypted already within the SE and split in 3 (which is good) before it goes out according to [this post](https://www.reddit.com/r/CryptoCurrency/comments/13okszr/this_is_what_joe_grand_the_guy_who_hacked_a/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button).
What is the key for encrypting the key we don’t know, and they will not reveal this top secret info.
Is this a good secure architecture for recover feature? Probably yes. Does it increase or decrease the end user security? Depends how much you trust your own individual seed backup strategy.