Commit

Add ethtools.com
ligi committed Dec 19, 2017
1 parent e80455d commit 7d4a184
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/config.json
@@ -86,6 +86,7 @@
"cryptokitties.co"
],
"blacklist": [
"ethtools.com",
"wabicoin.co",
"sirinslabs.com",
"tronlab.co",

10 comments on commit 7d4a184

@danfinlay (Contributor)

Ethtools wrote a large explanation of why this is not a fair blacklisting here: https://thomasclowes.com/psa-speculation-is-toxic/

@409H (Collaborator) commented on 7d4a184 Jan 6, 2018

This is interesting, as the author details they know a private key isn't needed for the faucet, but doesn't really justify them still asking for it in my opinion.

I don't want this to get too "political", but for something promoting bad behaviour (sharing private keys online) and the author saying they don't need this data, it should stay blacklisted as education isn't fully working within the community.

Though as I'm not the product owner, pinging @danfinlay and @kumavis for their input as to whitelist or not.

@ligi (Contributor, Author) commented on 7d4a184 Jan 6, 2018

Hm - might have been collateral damage - but I think better safe than sorry ..
Also, sites were landing on the blacklist that were much more innocent, like metamate: #402

Would be OK with a revert - kind of indifferent about this. That said I do not really get his rant - and I would lean to @409H's opinion keeping it on the blacklist as it is bad style and educating users the wrong way.

As an actionable item after this incident: after actively adding sites to the blacklist - we should try to inform the site about it.

@danfinlay (Contributor)

I don’t think bad style qualifies as phishing. A full block is a very heavy tool, and it should be saved for extremely clear cases. This is not clearly phishing, there have been no reports of phishing, and the tool has other functions that involve the private key. If blocking this, why not block MEW?

@ligi (Contributor, Author) commented on 7d4a184 Jan 7, 2018

because MEW is FOSS and this one is AFAIK not?-)
Is there something between a full block and nothing? Something like warning only?

@kumavis (Member) commented on 7d4a184 Jan 7, 2018

This is a complicated one. Naive users are getting ripped to shreds which makes me want to lean on the safe side and block it. But our scope has slipped beyond just blocking active phishing sites.

@tayvano (Collaborator) commented on 7d4a184 Jan 7, 2018

There was a separate incident recently (I think etherdelta, post DNS fix) that made me wonder if it may be time for a graylist. At the risk of adding personal opinions or becoming more heavy handed moderators of the world (something I would prefer to avoid personally and stick to hard facts) the reality is: the world is shades of gray.

This case, a huge red banner and the messaging doesn't fit. That is undeniable. However, as this blacklist's target demo is also undeniably those who are newer to the ecosystem, it doesn't feel right to knowingly let it continue on. One reason we opted for blacklisting and not actively displaying things when they weren't whitelisted (or were whitelisted) is bc we don't want to make people rely on this as a source of Truth for things that are "good" or "safe", just prevent things that are not safe.

As the creator of MEW I can say that my single biggest regret in my entire fucking goddamn life is telling people to enter their fucking private keys on our website. It was shortsighted, stupid, ignorant, harmful and I will never, ever be able to go back in time to change that. Regardless of all the good we do or how much people tell us we are responsible for the usability of Ethereum, we are responsible for creating and encouraging and to this day allowing a terrible practice which ultimately resulted in more loss than I can comprehend.

This community deserves better and those who encourage it without education, myself included, should be called out and chastised for their decision. I feel this way partially because I wish someone had educated my ass earlier about the risks and what I was encouraging. My naivety was the cause of this decision. I figured that the reason people shouldn't enter their keys is because at any point someone could push a bad commit and exit scam with the keys. I knew we wouldn't do that and therefore it wasn't a worry. What I failed to realize, and hope those building tools in this space do realize, is that the reason you don't fucking have users enter keys on websites is because you are training them that it's okay to enter fucking keys on fucking websites. Oh yeah, and the entire internet is fucking insecure as fuck and we are relying on the DNS system which was built by pioneers building the future who were just as naive as we are today.

I propose a second issue to discuss merits and implementation possibility of a graylist which will be used for gray areas where we don't feel it is right to let people knowingly go to the site but it isn't explicitly malicious, nor a website that intends to harm. I think intentions here are key, and I think that the blacklist should be not only malicious but those that intend to be malicious.

I welcome feedback and honest critique and arguments of the above.

PS: I would also be fine whitelisting with some education on the website itself. If the creator truly believes in his heart that having the PK field should be there, then at least include two sentences to educate users that it's both optional and that they should be careful entering pks on websites. As me saying this is fucking hypocritical as fuck, I will push an update to MEW in the next hours and make a Reddit post about the decision that does the same (and adds an unnecessary delay when unlocking pks) to discourage use of them moving forward. Something I have thought about doing for a while but never gotten the balls to do because holy angry users Batman.

PSS: as promised, UI updates to MEW. Need to run checks (as travis thinks it's failing, even though it's not) and will push tomorrow PM. https://imgur.com/a/NVqwB
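As an added example (written for this page, not eth-phishing-detect's own code and not anything the project ships), here is what ligi's "warning only" question and tayvano's graylist proposal look like as a three-tier lookup: whitelist, graylist (warn) and blacklist (block), matched against a hostname and its parent domains, plus a lint that flags a domain sitting in more than one list. The list contents are constructed from domains mentioned on this page; the `graylist` key, the function names and the precedence order are assumptions.

```javascript
// Added example, not eth-phishing-detect's own code: a three-tier domain
// policy (whitelist / graylist / blacklist) of the kind the thread discusses,
// where a graylisted site gets a warning instead of a full block.
// The list contents below are constructed for the example; the "graylist"
// key, the function names and the precedence are assumptions, not the
// project's config keys or API.

const exampleConfig = {
  whitelist: ['cryptokitties.co'],
  graylist: ['ethtools.com'],                                  // warn only
  blacklist: ['wabicoin.co', 'sirinslabs.com', 'tronlab.co'],  // full block
};

// Every name to test for a host: the host itself and each parent domain,
// so "faucet.ethtools.com" is also checked as "ethtools.com". The bare
// top-level label ("com") is never a candidate.
function candidateDomains(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const out = [];
  for (let i = 0; i < labels.length - 1; i += 1) {
    out.push(labels.slice(i).join('.'));
  }
  return out;
}

function matchesList(hostname, list) {
  const entries = new Set(list.map((d) => d.toLowerCase()));
  return candidateDomains(hostname).some((c) => entries.has(c));
}

// Decide what the UI should do for a hostname. The order is a policy
// choice: an explicit whitelist entry is a positive maintainer decision and
// wins; otherwise blacklist beats graylist; an unknown host is allowed
// without any "this is safe" claim, as tayvano describes for the blacklist.
function classify(hostname, config = exampleConfig) {
  if (matchesList(hostname, config.whitelist)) return 'allow';
  if (matchesList(hostname, config.blacklist)) return 'block';
  if (matchesList(hostname, config.graylist)) return 'warn';
  return 'allow';
}

// Config lint: a domain present in more than one list makes the outcome
// depend on check order, which is exactly the ambiguity a move from
// blacklist to graylist can leave behind. Returns the offending domains.
function duplicateEntries(config) {
  const seen = new Map();
  for (const [listName, list] of Object.entries(config)) {
    for (const d of list) {
      const key = d.toLowerCase();
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(listName);
    }
  }
  return [...seen]
    .filter(([, lists]) => lists.size > 1)
    .map(([domain]) => domain)
    .sort();
}

// Text a client would show: a block page for the blacklist, an
// educational caution for the graylist, nothing for everything else.
function bannerFor(hostname, config = exampleConfig) {
  const action = classify(hostname, config);
  if (action === 'block') {
    return `Blocked: ${hostname} is on the phishing blacklist.`;
  }
  if (action === 'warn') {
    return `Caution: ${hostname} is graylisted. It is not blocked, but think twice before entering a private key or mnemonic on any website.`;
  }
  return '';
}

// Stand-alone demo over a few constructed hostnames.
for (const h of ['ethtools.com', 'faucet.ethtools.com', 'app.wabicoin.co', 'cryptokitties.co', 'example.org']) {
  console.log(h, '->', classify(h));
}
console.log('duplicates in example config:', duplicateEntries(exampleConfig));
```

The lint matters more than it looks: the moment a domain is moved between tiers, the old entry tends to survive in its previous list, and then the precedence order silently decides the outcome. Running `duplicateEntries` in CI against the config rejects that state before it ships.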

@danfinlay (Contributor)

I agree a graylist is probably much more suitable for this. Didn’t mean anything against MEW, more meant that it’s a common risk people take. I’ve made seed phrase analysis tools that could be deemed dangerous for the same reasons. This greylist is a huge possible proposal, probably many times larger than a blacklist or whitelist, so I’m nervous about who can keep up with that, or if we can create structures to do it.

@step21 commented on 7d4a184 Jan 7, 2018

Sorry to comment uninvited, but although this might be well meaning I think it is just such bad op sec, it deserves a blacklist. If someone cannot understand this, good riddance. Especially this ‘private key converter’... not sure if there are others.
MEW can at least be run locally, and other tools as well, but not this one, from what I understand.

@clowestab (Contributor)

Thanks for the comments and discussions. Appreciated.

To clarify, the private key convertor was added as a tool in response to a question. It comes with the warning message “Note your private key controls access to your Ethereum wallet. We advise that you do not utilize raw unencrypted private keys.” Perhaps this should be updated to “Do not use this if you did not ask for it”? I was trying to help a few people, not provide a tool to confuse people.

The tool in question however is the Ropsten faucet (currently down) which is a faucet. We don’t explicitly ask for your raw private key but rather your mnemonic (which is the same thing to all extents and purposes). The reasons for this are explained in the blog post. To add to this, the interface is used across the whole site to allow signing of transactions, registration of ENS domains etc. We request the mnemonic on the site because in many cases we need it. It seemed easier and more consistent to use it across the site. After all, whilst you are just taking my word for it, we are not trying to steal your Ether.

I am happy to take constructive criticism but if people do not like this approach then it does essentially mean removing a large number of offerings.

The product works in a similar way to Metamask - it signs transactions. The difference is we ask for your mnemonic each time rather than storing it in any capacity.

In specific relation to this issue, my point is that I did not know about this for 18 days. I rarely read reddit so unless someone had told me I wouldn’t have known.

I would obviously like further constructive insight on the sites offerings but perhaps this isn’t the appropriate place. The general view seems to be not to ask for mnemonics. I guess there is a reason that Etherscan is a ‘read only’ site.

Importantly (although again probably not the right place), to sign a transaction the only way of doing it without exposing your private key in some form is by using a Ledger or equivalent. We are teaching people to stay safe at the detriment of teaching people not to be stupid (respectfully).

If EthTools doesn’t look safe or seem legit, our argument is to ask questions, reach out and make sure you 100% trust the site before you ever consider using it. If you don’t 100% trust it then don’t use it. In practice a subset of users don’t seem to be using their common sense when it comes to their own security (and money) and as a result it means that no one can have nice things.

In relation to this commit, can we have the website removed from the blacklist? I will be removing all the functionality that requests a mnemonic today and will be focussing on the data analytics side of things.
