It occurs to me that most Ledger apps are inadequate in terms of protecting you from a malicious computer.
When generating an address, the Ledger BTC and ETH apps will display the address on the device so that the user can confirm that the computer is not modifying it. But this is not enough! For one, if only the address is displayed, not the public key, then you can’t use the key for anything other than receiving money at that address, which rules out other purposes, e.g. a multi-sig address. But more dangerously, the ETH app (at least the Python testing script) will in fact display the public key on the computer — but not the device. For obvious reasons, this key cannot be trusted!
Even if the pubkey were displayed, there’s another crucial piece of information that’s missing: the HD key derivation path! This means the user is trusting the computer to tell the truth about which path it passed to the Ledger. It would be trivial for the computer to say “yep, this is the address for path `m/44'/60'/0'/0`,” when it actually sent `m/44'/60'/0'/100000` to the Ledger. To be clear, this attack does not allow the computer to steal your money; no matter what path is used, the address always “belongs” to your seed. But it can cause you to *lose* money, by sending it to an address whose path you do not know. If you don’t know which path was used to derive a key, your only recourse is to search the entire path space (unless there’s some BIP32 magic I don’t know about that lets you figure out the path from the address). Worse, you have to perform this brute-force search on the Ledger itself, since only it knows the HD master seed. Needless to say, this would be prohibitively slow.
So my thinking is that the Sia Ledger app should display the path alongside the address. As for the public key, maybe we’ll have a single screen for the path+pubkey+address, or maybe we’ll have two separate screens: path+pubkey and path+address.
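As an added illustration (not code from the Ledger or Sia apps): a C routine that renders the path bytes the device actually received into the string it would show on its screen, so the user compares that string against what the computer claims. The wire layout (1-byte depth followed by 4-byte big-endian indices), the names `format_path` and `SAMPLE_PATH`, and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_DEPTH 10          /* assumed upper bound on path length */
#define HARDENED 0x80000000u       /* BIP32 hardened-derivation bit */

/* Parse a serialized path (assumed layout: 1-byte count, then `count`
 * 4-byte big-endian indices) and render it as text for the device
 * screen. Returns the string length, or -1 on malformed input. */
int format_path(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    if (len < 1) return -1;
    size_t depth = buf[0];
    if (depth == 0 || depth > MAX_PATH_DEPTH) return -1;
    if (len != 1 + 4 * depth) return -1;   /* reject short or trailing bytes */

    int n = snprintf(out, out_len, "m");
    if (n < 0 || (size_t)n >= out_len) return -1;
    size_t pos = (size_t)n;

    for (size_t i = 0; i < depth; i++) {
        const uint8_t *p = buf + 1 + 4 * i;
        uint32_t idx = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
        n = snprintf(out + pos, out_len - pos, "/%lu%s",
                     (unsigned long)(idx & ~HARDENED),
                     (idx & HARDENED) ? "'" : "");
        if (n < 0 || (size_t)n >= out_len - pos) return -1;  /* would truncate */
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Constructed sample: the bytes a host would send for m/44'/60'/0'/100000
 * while telling the user it asked for m/44'/60'/0'/0. */
static const uint8_t SAMPLE_PATH[] = {
    0x04, 0x80, 0x00, 0x00, 0x2C, 0x80, 0x00, 0x00, 0x3C,
    0x80, 0x00, 0x00, 0x00, 0x00, 0x01, 0x86, 0xA0 };

int main(void)
{
    char screen[64];
    if (format_path(SAMPLE_PATH, sizeof SAMPLE_PATH, screen, sizeof screen) < 0)
        return 1;
    printf("Device shows: %s\n", screen);  /* reveals the path actually used */
    return 0;
}
```

Because the string is built from the bytes the device received rather than from anything the host displays, a mismatch between the two is visible to the user before the address is used.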
This post was last modified on June 13, 2018, 9:26 pm