What is blind signing ledger

By Charles Hamel, VP Product at Ledger.

Those paying attention noticed something new when we launched ParaSwap inside Ledger Live a couple weeks ago. ParaSwap is now available on our newly launched Apps Catalog in Ledger Live “Discover” section.

This recent launch highlights our strategy to become the most secure gateway to the Web3 galaxy with a growing range of applications for our users, all accessible within Ledger Live.

Update Ledger Live today and take a look for yourself!

Ledger has been building the best hardware devices for cryptocurrency and digital assets since 2017. Originally, the use case for Ledger devices was simple: send your crypto to your Ledger wallet, and keep it offline.


This approval is expressed in the form of response headers.

To allow Ledger Live to embed your DApp, you might need to edit your server’s configuration and edit the Content-Security-Policy header:

  • To allow any website to embed your page: Content-Security-Policy: frame-ancestors '*';

  • To allow only the Ledger DApp browser to embed your page: Content-Security-Policy: frame-ancestors https://dapp-browser.apps.ledger.com/;
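A check for the header described above, added here as an example and not Ledger's own code: given a page's CSP header value and the origin of the frame that wants to embed it, decide whether the frame-ancestors directive permits the embed. The page and embedder origins in the demo are constructed; the Ledger DApp browser origin is the one quoted above.

```python
# Added example (not Ledger's code): decide whether a page's
# Content-Security-Policy header lets a given origin embed it in a frame.
# Simplified frame-ancestors matching: 'none', 'self', '*', and
# [scheme://]host sources with an optional *. wildcard; paths are ignored.
from urllib.parse import urlsplit


def frame_ancestors_sources(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _host_matches(pattern, host):
    # "*.example.com" matches any subdomain of example.com, not the apex itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def may_embed(csp_value, page_origin, embedder_origin):
    """True if the page at page_origin may be framed by embedder_origin."""
    sources = frame_ancestors_sources(csp_value)
    if sources is None:
        return True  # no directive: browsers permit framing by default
    page, emb = urlsplit(page_origin), urlsplit(embedder_origin)
    for token in sources:
        if token == "none":
            return False
        if token == "*":
            return True
        if token == "self":
            if (emb.scheme, emb.netloc) == (page.scheme, page.netloc):
                return True
            continue
        # Host source: "https://host/path" or bare "host"; port and path dropped.
        scheme, _, rest = token.partition("://") if "://" in token else ("", "", token)
        host = rest.split("/", 1)[0].split(":", 1)[0]
        if (scheme or page.scheme) == emb.scheme and _host_matches(host, emb.hostname or ""):
            return True
    return False


if __name__ == "__main__":
    # Constructed origins; the Ledger DApp browser origin is the one quoted in the text.
    ledger_only = "frame-ancestors https://dapp-browser.apps.ledger.com/;"
    print(may_embed(ledger_only, "https://dapp.example", "https://dapp-browser.apps.ledger.com"))  # True
    print(may_embed(ledger_only, "https://dapp.example", "https://other.example"))  # False
```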

Adding the “what you see is what you sign” property

As of today, most smart contract interactions on hardware wallets are quite difficult to understand for users:

  • When a smart contract is not well supported by the wallet, users have no way to verify what they are about to sign.


Let’s make blind signing a thing of the past!

Take a look at a ParaSwap transaction to see what this means for you:

As shown in the example above, instead of simply showing “Data Present”, the Nano can show full transaction details within the absolute security of its Trusted Display – so instead of trusting, you can now verify.

With new integrations happening constantly, Ledger's App Catalogue is leading the industry in dApp security.

What if the dApp I Need Isn’t Integrated?

Since Ledger Live is open source and an open platform, no matter the project you can write your own plugin to make it Ledger Live compatible and allow your users to clear sign. So why wait?

In the meantime, while our integrations expand, we understand that some transactions still need an intermediary wallet.
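What the "Data Present" versus full-details contrast above comes down to, and what a clear-signing plugin has to do, as an added example that is not Ledger's plugin code: decode raw transaction calldata into the fields a trusted display can show, and fall back to the opaque "Data Present" notice for any method it does not recognise. The ERC-20 selectors are the standard ones; the spender address in the demo is a constructed placeholder.

```python
# Added example (not Ledger's plugin code): turn raw calldata into the
# lines a trusted display could show, or fall back to "Data Present"
# when the method is unknown, which is all a blind-signing flow reveals.

# Standard ERC-20 4-byte selectors for the two methods decoded here.
SELECTORS = {
    "095ea7b3": ("approve", "spender"),
    "a9059cbb": ("transfer", "to"),
}
UINT256_MAX = 2**256 - 1


def _strip0x(h):
    return h[2:] if h.lower().startswith("0x") else h


def decode_calldata(calldata_hex):
    """Return display fields for a known ERC-20 call, else a blind-sign marker."""
    data = bytes.fromhex(_strip0x(calldata_hex))
    selector = data[:4].hex()
    if selector not in SELECTORS or len(data) != 4 + 32 * 2:
        # Unknown ABI or wrong length: the wallet can only say data is present.
        return {"method": None, "display": "Data Present"}
    name, addr_field = SELECTORS[selector]
    # ABI static arguments are 32-byte words; an address is the low 20 bytes.
    word1, word2 = data[4:36], data[36:68]
    address = "0x" + word1[12:].hex()
    amount = int.from_bytes(word2, "big")
    amount_text = "unlimited" if amount == UINT256_MAX else str(amount)
    return {"method": name, addr_field: address, "amount": amount,
            "display": "%s %s=%s amount=%s" % (name, addr_field, address, amount_text)}


def build_calldata(selector, address, amount):
    """Construct sample calldata for the demo (constructed input, not a real tx)."""
    addr = bytes.fromhex(_strip0x(address)).rjust(32, b"\x00")
    return "0x" + selector + addr.hex() + amount.to_bytes(32, "big").hex()


if __name__ == "__main__":
    spender = "0x" + "ab" * 20  # placeholder address, not a real contract
    print(decode_calldata(build_calldata("095ea7b3", spender, UINT256_MAX))["display"])
    print(decode_calldata("0xdeadbeef" + "00" * 64)["display"])  # Data Present
```

An unlimited approve to a spender is exactly the kind of detail that "Data Present" hides and a decoded display surfaces.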


So instead of trying to break the door open – they are relying on you to open it for them by tricking you into blind signing.

Sohrob documents the whole sorry saga on Twitter; Jeff, it seems, was too gutted to be quite as detailed. By all means have a read in your own time: it's a pretty toe-curling sequence of events that might help you avoid something similar yourself.

https://twitter.com/sohrobf/status/1430478533306982408?s=20

THE LEDGER SOLUTION

Ledger’s solution is to integrate dApps directly in their APP CATALOGUE on LEDGER LIVE, in order to make sure the tech is compatible and there’s no blind signing.

Instead there’s CLEAR SIGNING, where a transaction in Ledger Live – via ParaSwap for instance – is displayed clearly on the trusted display, showing all the transaction details.

Private messages are a hotbed for this type of threat. A recent incident saw scammers posing as OpenSea tech admins on Discord. An experienced collector looking for technical help started a conversation about his account, believing he was talking to a service advisor.
In the course of the chat the advisor asked him to approve a transaction call – showing no contract details – using his Ledger Nano. In reality, the transaction he was verifying provided access to his vault, and the advisor was really a fraud – the entire scenario was the staging for a scam.

  • Software Wallets – No Trusted Display

We know what you’re thinking: software wallets are designed for interactions with NFT and DeFi platforms, and can easily read and display full transaction details for you to inspect. But there is no way of verifying that what you see is what you’re signing.


If possible, do not force a transaction on a non-supporting wallet by going through third-party applications, especially when you’re transacting with someone you don’t fully trust.

Don’t Trust, Verify

Always make sure that you are signing the right smart contract from the right platform. Moreover, always try to determine whether that app or website you’re using is compromised. You need to be very vigilant when it comes to transacting on a trustless platform, or you just might lose all the assets in your wallet.

The Takeaway

Blind signing is one of many methods hackers use to steal digital assets from their owners.
Crypto has come a long way since its early days, but it seems that it’s not completely out of the woods yet.

This is thanks to Ledger’s open source platform, allowing developers to expose their service within Ledger Live as well as write applications for the Nano hardware devices.

This is in stark contrast to what is happening today when interacting with DApps on the Web. Everywhere you look there is a little “CONNECT” button in the upper right which basically asks you, “Which one of these 9 software wallets would you like to use?”. Pfft. Far too many people are relying on insecure software wallets when using DeFi, NFTs, etc., and if you’re like us then you are hearing the horror stories of people getting hacked or phished every day.

So say you’re using a Ledger Nano to secure your NFT collection – under no circumstances should you be securing your collection using the same wallet you sign smart contracts with. Why? Because if you make a mistake, or sign a dishonest transaction, your entire collection is at risk.

Instead, you should always segregate your assets into different wallets, and dedicate just one of these wallets to interacting with smart contracts. This means you can move only what you need (when you need it) into your DeGen wallet – and the rest of your collection is protected even if you make the wrong call when signing a smart contract.

Transparency, Security, Education – the Crypto Trinity

Ledger is not just about securing your private keys – our MO here at the Academy is giving you the information you need to be completely autonomous and secure as you explore Web3.

Using something like a LEDGER NANO adds a layer of security to ALL of your interactions.

And FINALLY, should we need to say it again…

NEVER DISCLOSE your recovery phrase to anyone, SAVE IT on a device connected to the internet, or ENTER IT into a software wallet.

Keep it written down on paper somewhere safe you won’t forget. That’s it.

CONCLUSION

At Ledger, we’re trying to make the process better.

So in our ever expanding APP CATALOGUE on LEDGER LIVE there’s no need to BLIND SIGN – you can VERIFY each and every transaction and know exactly what is happening to your tokens.

This CLEAR SIGNING is a recent innovation, and one that is incredibly necessary.

Indeed, it is the future. But until it’s everywhere, be careful out there folks.

Both Jeff Nicholas and Sohrob Farudi got taken in by scammers on the Discord channel for major NFT marketplace Opensea.

These scammers had somehow mimicked the usernames of the OpenSea founders, and directed Jeff and Nicholas to a place where they revealed the MetaMask QR code in their browser extension – essentially the same as giving out your SEED PHRASE.

In Jeff’s case, despite the fact he had a hardware wallet, the scammers persuaded him to blind sign a series of transactions before they got to his QR code, in order to transfer some of his precious NFTs.

And this is the key lesson: with crypto bursting into the mainstream, more and more people are becoming educated about how to keep their assets secure, and there are fewer opportunities for scammers to gain access to your assets.

Or, not reading the terms and conditions before clicking ACCEPT when you’ve got a new electronic device.

One of these you might be more likely to do than the other – but when the contract you’re signing MANAGES YOUR MONEY, it pays to be prudent.

We are of course talking about BLIND SIGNING, something that you’ll come across in crypto as soon as you start exploring the NFT and dApp space.

It’s actually the industry standard, so it’s not BAD per se – you just need to exercise judgement and good practice.

The problem is a computer’s screen can’t always be trusted – and even if the software wallet shows a message, this could be compromised.

[ROBIN HOT WALLET BLIND SIGN TUTORIAL] – showing that key details are not shown to the user.
