Thanks to everybody for chiming in. Based on these surveys I’ll conclude the light wallet “state of the art” has no popular security preferences, let alone assurances. If a developer or user finds something that gives any particular light Cardano wallet a apparent security advantage, I’d hope they will find this thread & post here.
The other implications, which I won’t ever agree with, are 1) that a commercial hardware wallet is the highest security standard, and 2) that cryptocurrency is really no place to put all your money. I wouldn’t want anyone in my own circle of responsibility to blindly accept either of these propositions, so I’m posting some individual responses to help keep people thinking about the related issues— not to criticise anyone else’s opinions or security posture— and then happy to let the matter rest.
For the purpose of this discussion I would like to scratch out -convenience-. Any mature platform which values security should also provide a wide & complete range of functions, with the user’s knowledge and skill expected to evolve as that range of function widens.
This brings me to my main reason for posting this question. We have such a platform which even resembles a hardware wallet in “USB key” form factor, with a persistent OS supporting either a “cold” key signing environment (cardano-cli
+ tools to support encrypted documents & archives) or a “cool” restricted Internet environment providing such a “dedicated machine” without the physical hardware:
Recently the disk and memory bandwidth is making Daedalus more burdensome to run on even the fastest USB drives so of course we are looking for something that’s an acceptable alternative from a security point of view. It’s becoming intolerable to run a full node, when you don’t really have to, just for security assurances that were made long ago.
And increasingly we’re seeing that Cardano tokens held in long term staking contracts (e.g. WMT and MELD) can only be assigned to those contracts though DeFi compatible browser extension wallets. Add that to the difficulty of waiting for Daedalus to sync when it’s infrequently used… especially across the slow disk bandwidth of the USB interface… and we have an extreme burden to Convenience which diminishes the benefit of this device’s range of Functionality that far exceeds a commercial hardware wallet. It would be well worth the research if we could find a light wallet to switch to without compromising Security on this platform.
Again, this is exactly what we’ve been thinking, and using. In fact the “Frankenwallet” is functional enough to trade on some DEX web sites, giving users another option besides their “daily use” browser to support the trading wallet(s), and avoiding entering your wallet password on one’s daily use machine, while keeping account & trading records in a document encrypted with a password that’s also never entered on the insecure host.
Nami has been our top choice because of longevity and popular support… and therefore also my main reason for posting this thread: its (to my knowledge) complete lack of a security statement beyond the usual assumption of responsibility, plus the fact that its user level documentation has never been extended since day 1. I have great confidence in this developer & his contributions, but this confidence will never be complete unless a cooperative security adversary has tried to break the wallet and failed.
Here’s the result of the Daedalus audit,. the last one that I know of: external_audits/cardano/byron_reboot at master · input-output-hk/external_audits · GitHub
I’d be happier to see another audit done since Shelley, but it’s still a plus that the features still used today (the UI container & Nix based architecture, with their usage of the node + wallet packages) were all looked at together at some point by a critical third party with the results publicly available.
This doesn’t conclude the matter either, because of the huge range of intermediate factors that are present in any browser based UI. For instance one wallet not long ago (I won’t say which, to try to stay on subject) invoked the Google spell checker on the wallet passphrase. The devs who created the key encryption architecture may not have been responsible for that… yet still the passphrases of all users of that wallet were made available to Google and all its minimally cleared employees for months.
This is mainly a character judgement, recently addressed in another forum thread so I’ll avoid it here: except to say (on the security topic) that the widely perceived security vulnerability of non-custodial cryptocurrency is an impediment to its mass adoption, as well as an excuse for over-regulation inhibiting development of the industry: both of which keep the assets of low value as well as vulnerable to security breach. So this judgement contributes to the perpetuation of the problem… i.e. a self fulfilling prophecy.
There is also the counterpoint that perhaps one’s Life’s Savings shouldn’t be in a bank either. Since the forum last kicked this idea around we’ve seen at least in the USA multi-percent average price inflation per month and the EU & WEF steaming along with plans for worldwide social engineering through CBDCs. If the issue of wallet security & privacy in Cardano is abandoned then people stand to lose more than just a few coins…
Although this seems like another subjective generalisation, it does come from a popular though naive assumption that hardware wallets cannot be insecure by design. We depend upon an industry full of black boxes from the level of user tech all the way up to the Internet backbone and even a casual search will confirm all these product classes are full of undisclosed spyware.
As a case in point nearly half of Internet backbone routers made around the world have backdoors for selective IP address monitoring… courtesy of developers inserted into Dell & similar companies by No Such Agency and its counterparts. The UK and the EU have been very active recently with draft legislation requiring all non-custodial wallets to require KYC with an identity framework. And we all know the Chinese approach to embedded spyware… so what place on the planet does that leave to manufacture a hardware wallet without an undisclosed back door?
This leads us back to our goal of an open & flexible security platform: to supplement, rather than supersede, the popular imperative that you’re “not safe” without a hardware wallet. With a simple & verifiably secure browser-extension light wallet in a security-tuned browser, users would have a compelling (though sometimes inconvenient) alternative to placing themselves at the mercy of the black box hardware wallet designers and those who sell them.