You are viewing a single comment's thread from:

RE: How Trustless and private is using Light Client with an API provider

in #bitshares-29 years ago (edited)

Regarding trust, it’s the same as running your own full node and API then using the Light client or web wallets option to add any node and connect through it.

I disagree with this statement in response to the question of how trustless is the BitShares2-light + Openledger backend combination. You do require less trust if you connect the light client to a full node that you operate. Granted, it is unlikely for a backend like Openledger to feed you bad data that causes you financial loss, but it is theoretically possible. For example, they can fake the market orders and make you place foolish orders on the DEX that you otherwise wouldn't have if you had the true information at the time. They could feed you transfer transactions that aren't actually in the real blockchain, making you think you received funds in exchange for some service or good exchange until it is too late to reverse (although perhaps this last one might require that they also trick you into believing the active witness set has changed?).

Peermit is working on a promising 2FA implementation for example. You can have 2FA providers who you only need to trust the funds (active keys) you want to,

This statement is vague and could lead readers to believe something that is definitely not the case. If you use a 2FA provider like Peermit, you are not just giving them access to your funds (and everything active authority could do). It acts like a 2-of-2 multisig. To do anything with that protected account, you need authorization from both the user and Peermit. Keep in mind, Peermit could deny access to active authority authorization by refusing to sign anything (or being offline). But as long as the user still has owner authority control, they can take back control of their account by changing the active authority set.

Sort:  

Good points to state that running your own full node requires less trust , thanks for the clarification I'll remove that sentence.
Regarding the 2 of 2 multisig 2FA model, what else can be compromised besides day to day wallet funds?

Regarding the 2 of 2 multisig 2FA model, what else can be compromised besides day to day wallet funds?

What exactly do you mean by compromised? In the scenario we are discussing, I assume that to mean having the capability to do irreversible damage.

Assuming the user's active key is safe, the 2FA provider can only deny access to but not really compromise their account. And if the user has set up the owner authority properly so that they have full control, that access denial is temporary. The user would have to fetch their cold storage brain key to sign a transaction using the owner authority to remove the 2FA provider from the active authority set and get back full control of their account with no funds lost.

If some attacker compromised the user's active key (say by hacking the computer that they use the client on), then the user's funds could be compromised as long as the 2FA provider was also colluding with the attacker, which is unlikely to happen. Even in this worst case scenario, assuming the user has set up an owner authority with proper cold storage keys, the user would still be able to recover access to their account (meaning they keep their account name) even if all funds were stolen.

Thank you arhag, added to the FAQ.