StellarGuard - Add enhanced security to any Stellar account - Improvements for SBC 7
I've been hard at work on StellarGuard (https://stellarguard.me) since the last build challenge and have continued to make a number of security and usability improvements to make things safer and simpler for our users.
Since the last build challenge I've made over 200 commits and 40 production releases!
The purpose of StellarGuard is to provide enhanced security, safety, and privacy for people and businesses who use Stellar. StellarGuard offers users additional protection against hackers, thieves, and insecure wallets by providing a secure and convenient way to add and manage multisignature on their Stellar accounts. StellarGuard adds a unique signing key to a user's account that is managed by the StellarGuard service and allows them to preview, approve, or reject any transactions that are submitted to StellarGuard. Additionally, StellarGuard offers an API for other wallet/tool developers to integrate and submit transactions to StellarGuard.
StellarGuard aims to solve for 3 "P"s: Protection, Prevention, and Privacy.
Protection: StellarGuard was initially conceived in response to the Blackwallet hack. The idea was simple: there must be a way to keep your account safe even if your secret key gets compromised. By making multisig the core safety mechanism in StellarGuard, the user does not have to rely on application-level security of the tools they are using to keep them safe.
Prevention: Through user education and enhanced transaction analysis tools, StellarGuard hopes to help users detect and stop phishing schemes. Additionally, by warning about or blocking transactions that have suspicious destination or transaction characteristics we hope to stop malware like this: https://cointelegraph.com/news/report-2-3-million-bitcoin-addresses-targeted-by-malware-that-hijacks-windows-clipboard (this feature is not yet implemented in StellarGuard, but is on the roadmap).
Privacy: StellarGuard will continue build tools to help increase privacy when using Stellar, such as https://github.com/stellarguard/secret-memo. Other tools I'd like to invest in is a coin mixing service that can help obfuscate transaction sources.
Changes since SBC 6
I've made the following changes to StellarGuard since the end of SBC 6:
StellarGuard is now open source
This is something I intended to do since I started StellarGuard, but was not able to do it before the end of SBC 6. In the spirit of SBC 7 and my desire to share what I've learned and built in the hopes that others can use it or contribute to it, I've open sourced StellarGuard. I've created a few starter issues and will add more if interest grows.
More Supported Wallets
One of the largest hurdles for StellarGuard is getting support for wallets. Because of the way that multisig works with Stellar, you currently cannot submit a partially-signed transaction to Horizon so that others can sign it later -- each wallet/tool must implement its own way of dealing with multisig transactions. So there was a bit of a chicken and egg problem where we needed wallets to implement submitting transactions to StellarGuard so that we could attract more users, but the wallets don't want to add features that aren't being used by their users.
Thankfully StellarGuard grown and had proven itself to be trustworthy enough for more wallets to consider adding it. I'm humbled as I see entries to the current SBC that are talking about adding StellarGuard support by default, without any prompting!
With all that said, over the past few months I've worked with several wallet/exchange developers to add StellarGuard support (in alphabetical order):
Fully supported wallets (submit transactions directly to StellarGuard without copy/pasting XDR):
Partially Supported Wallets (allow XDRs to be copied so it can be manually submitted to StellarGuard):
There are several others that are in the works now too but won't be ready for this SBC deadline.
- StellarGuard private keys are stored in the database encrypted with Google KMS - this means that even I do not know the encryption/decryption key. Only the actual service account running the code has access to decrypting the keys used to sign your transactions (since the encryption is completely managed by Google KMS).
- Recaptcha added on sign up and sign in to prevent fraudlent sign ups or sign in attempts.
- Added CSP header to reject all non StellarGuard or Google Api (needed for recaptcha)
scripts. This significantly reduces the risk of a malicious agent being able to inject scripts.
- Added HSTS preloading to prevent any damage from the possible hijacking of the stellarguard.me domain (like what happened with BlackWallet).
Enhancements to StellarGuard Developer API
- When submitting a transaction, returns a link to the authorization page in the response so that wallets can link to it
- Fetch the transaction that is used to set up multisig for StellarGuard
- Activate their Stellar accounts that have StellarGuard multisig activated, thus linking the account to StellarGuard
- Check whether a given public key is protected by StellarGuard, and which is the StellarGuard signing public key associated with it
- An optional callback url can be provided when submitting a transaction, which will be POSTed to when a transaction is authorized with the transaction result
- Pending transaction page - see all pending transactions that need to be approved by StellarGuard
- Added numerous tutorials for using StellarGuard with various wallets
- Overall enhanced handling of errors and error messages, and loading states
- Better support for mobile (less cramped, less overflowing/chopped text)
- Allow auto-rejecting of Interstellar Exchange transactions when rejected via the Instellar Exchange UI
- Updated two-factor auth implementation to generate more secure secrets and QR codes that work better with Google Authenticator for Android
I've released a series of blog posts aimed at educating users about Stellar, multisig, and StellarGuard:
And more topics are planned!
Improvements Still in progress
I'm currently working on three features that I believe will address two big concerns that people have raised with StellarGuard. I will have them completed by the SBC 7 deadline but wanted to get some feedback from people first.
Feature 1: Allowing you to choose a transaction security mode that is separate from your StellarGuard account security.
Right now users who verify their emails must always enter a code that is sent to their email when approving a transaction, and users who have two factor auth enabled must use it both on sign in and when approving transactions. I've gotten feedback from users that this requirement is not always convenient, and they would like the option of still protecting their StellarGuard accounts with two factor auth, but have the option of dialing down transaction security when necessary (like when they are doing lots of trades in a row).
Here's a screenshot of what the various options will be:
If you have any feedback or concerns about this feature, let me know!
Feature 2: Allowing users to view their StellarGuard Secret Key or Recovery Phrase
One major concern people have raised about StellarGuard is something alone the lines of "what if you dissapear or StellarGuard shuts down, what do I do?" Although StellarGuard allows you to add backup signers to your account already, it's a bit of a clunky process since you have to supply your secondary public key as a backup signer and many users don't know how to do that.
So I'm taking a page from other wallets and the Ledger Nano and allowing users the option to see their StellarGuard secret key (or possibly the 24 word recovery phrase) during onboarding. They then have the option of storing that themselves so they could remove StellarGuard in the future in the unlikely event that we went down, without involving StellarGuard at all.
My question to the community: do you see any benefit to display the 24 word phrase instead of just showing them the secret key? The recovery phrase seems to actually be a bit more of a hassle to store or remember (since it'll end up being more characters). Or have users just become accustomed to having the recovery phrase shown to them?
Feature 3: Enhanced Onboarding
Right now StellarGuard just dumps you onto a dashboard after you register and doesn't really guide you into anything -- you just sort of have to click around until you figure out what to do next. I'm adding an onboarding/sign up wizard to guide you through the setup process.
The steps will be:
- Verifying your email
- Optionally adding two factor auth
- Setting transaction security level
- Showing recovery phrase/secret key
Again let me know if there's any feedback you have over this (maybe you hate these sort of setup wizards and could suggest an alternative approach).
That's a wrap!
I'll be posting more screenshots as I finish up Features 1-3 over the next two weeks (they all sort of come together in the onboarding steps which is why I'm doing them all 3 at the same times.)
Looking forward to hearing any more feedback or suggestions!