Summary Cosmic.link is the next-gen solution for signing Stellar transactions from various applications without granting them control over your account. Cosmic.link is user-friendly, open-source, vendor-neutral, community-designed, and production-ready. Live Example Goals Provide a user-friendly yet secure way to explore the Stellar ecosystem. Provide a standardized solution for passing transaction requests between applications and wallets. Provide useful open-source libraries to the community. Raise awareness around issues related to asymmetric cryptography & the cryptocurrency security model. More specifically, raise awareness around the one golden rule in crypto: "Never share your private key!" . At that time, those goals have been met − except of course the part about informing the community which is a never-ending task. Most of the work is currently focused on continuous improvement, communication, and partnerships. Description CosmicLink is a project made of several components: an open protocol, a web front-end and several open-source libraries. Please keep in mind that the front-end ( Cosmic.link ) is only the emerged part of the iceberg. What is Cosmic.link? Cosmic.link is a solution for signing Stellar transactions from various applications without granting them control over your account. Each CosmicLink contains a request that is displayed on your screen. Then, you can pass it to your wallet where the transaction can be double-checked & safely signed. Your secret key never leaves your wallet, as it is meant to be. Why Cosmic.link? Before Cosmic.link, Stellar applications had two ways to have you sign transactions: Have you create and fund a new Stellar account, which they would control. Ask for your secret key. Having as many accounts as applications is painful, and sharing secret keys is dangerous. Cosmic.link solved it all thanks to an innovative solution: transaction requests. How does Cosmic.link work? Transaction requests get encoded into what is called a query string for the purpose of passing them into normal web links: ?type=payment&destination=tips*cosmic.link&amount=20 Transaction requests can then get passed to any compatible service by using their address: https://cosmic.link/${tx_request} ${handler}${tx_request} When applications generate those links, they choose which handler to use (it doesn't have to be Cosmic.link). Here's, for example, the request on the cosmic-lib demo interface . In some cases, it is possible to pass the request directly to the users' wallets. For example, here's the same request pointed at Stellar Authenticator . (You can view it by clicking Guest Mode ) In other cases, wallets don't use the same format for transaction requests, and conversion has to happen. Cosmic.link does it under the hood. Which Services are Compatible? Thanks to its open design, CosmicLinks can be implemented in any software, independently from any organization or service. There's a growing list of compatible services, some of them being well-known to the community: Applications: Equilibre.io : Portfolio balancer. Cgig.app : Stellar marketplace. StellarPay.com : Shopify payment plugin. Lumenthropy.com : Donations to NGO. PublicNode.org : Community full nodes. r/stellar Photons : Reddit community points for Stellar. NiceTrade.co : Stellar Decentralized Exchange interface. Wallets: Ledger Wallet Trezor Stellar Authenticator Keybase Lobstr * StellarTerm * Stellar Laboratory (dev tool) *: For now, those wallets only support a subset of possible transactions. Libraries Cosmic.plus philosophy is to provide the community with as many reusable components as possible. Some of them are among the most downloaded Stellar libraries, which is greatly motivating! The following libraries have been developed in the context of the CosmicLink project: cosmic-lib This is the JavaScript implementation of CosmicLinks. It features helpers to create transaction requests: const { CosmicLink } = require("cosmic-lib") // Create a request. const txRequest = new CosmicLink({ network: "test", memo: "Hello, World!", maxTime: "+5" }).addOperation("payment", { destination: "tips*cosmic.plus", amount: 20 }) // Open the signing interface. txRequest.open() It also provides helpers for wallets to receive and sign transactions: const { CosmicLink } = require("cosmic-lib") // Configuration. const network = "public" const source = keypair.publicKey() // Parse, sign & send the transaction. const txRequest = new CosmicLink(location.search) await txRequest.lock({ network, source }) txRequest.sign(keypair) const response = await txRequest.send() Open the documentation @cosmic-plus/ledger-wallet, @cosmic-plus/trezor-wallet Popular hardware wallets support, as simple as it can be: const ledgerWallet = require("@cosmic-plus/ledger-wallet") // Connect with the device. await ledgerWallet.connect() // Get the public key. const pubkey = ledgerWallet.publicKey // Sign a transaction. await ledgerWallet.sign(transaction) Open the documentation @cosmic-plus/tx-result A convenient helper that tells you if a transaction has been validated, and if not, what went wrong: const TxResult = require("@cosmic-plus/tx-result") const result = new TxResult(horizonTxResponse) // { // validated: false, // title: "The transaction has been rejected", // errors: [ // "Operation 1: The destination account doesn't exist." // ] // } Open the documentation Other Contributions The very nature of CosmicLink is to make connections with other developers and open-source projects. As the Cosmic.link maintainer, I'm constantly checking over projects such as stellar-sdk , @ledgerhq and trezor-connect . I'm writing bug reports and pull requests to them when necessary. Lately, this led to major improvements in Trezor wallet support. At that time, I'm working on getting the new Stellar operations into Ledger & Trezor firmware ( manageBuyOffer , pathPaymentStrictSend ). #Ledger #Trezor I'm also cooperating with community projects that are looking into using Cosmic.link. For example, I've recently worked with StellarAuth , StellarPay , Lumenthropy , PublicNode , and r/stellar community . Future The development of CosmicLink is centric to Cosmic.plus (hence the name). It's been continuously developed since two years, and there's more ahead. Here are the ongoing developments: Publish comprehensive, not-so-technical documentation. Publish explanations about how to host an alternative CosmicLink relay. Publish a library that makes high-level integration even easier. Publish a TxRequest library that doesn't depend on StellarSdk (450kb). Design a solution for applications to acquire user publicKey/wallet. Provide helpers for short-circuiting Cosmic.link (direct application-wallet communication). Links Application: Cosmic.link Organization: Cosmic.plus | @GitHub | @NPM | @CodePen Weekly updates: Reddit | Twitter Talk: Keybase | Telegram Your vote matters Cosmic.link is an ambitious open-source project. Because it doesn't receive direct funding, community support is critical in financing its continuous development. Thank you! 🙂

TOP5 JavaScript Community Libraries - November '19 cosmic-lib (cosmic-plus) 836 stellar-hd-wallet (chatch) 655 stellar-checkout (brewaa) 441 cosmic-plus/ledger-wallet (cosmic-plus) 421 stellarburrito (stellarburrito) 193 Source: Yarn.pm

Edit : Add Cgig.app and r/stellar community Photons in the compatible applications.

Never (Ever) Copy/Paste Your Secret Key 20 years ago, people made their first steps with email and online payments. Many of them learned the hard way. For scammers, it was an age of abundance. Things improved thanks to two keys: education and better software design. Today, that’s exactly what crypto needs and, users are fortunate, the rules are simple. Rule 1. Keep your secret key secret / Rule 2. Never (ever) break rule 1. Let’s talk about it. Read more...

Continuing the discussion from this StellarTerm thread as my reply mostly relates to the "clipboard vulnerability" described here and CosmicLink itself. @gleb correctly pointed out that web pages have to request special browser permissions to interact with the clipboard content. Moreover, reading data from the clipboard can be executed only in response to a direct user action such as pressing a button. And the only way to do it in the background is to have the ability to execute arbitrary userspace code on the client-side. The thing is that neither of the existing key management approaches (including yours) protects a user if the local environment has been compromised. Yes, using the clipboard for sensitive data is not recommended because it somewhat simplifies the attack, and that's cool that you are raising awareness. But in your comment, you refer to the far-fetched arguments. That's like agitating for physically damaging the integrated laptop webcam to prevent the potential private information leakage. The webcam access is sandboxed in the browser and requires explicit access confirmation (just like the Clipboard API), but if the attacker has root access to your computer, nothing will help you. So it all comes to the client environment security in the end. However, instead of admitting that you exaggerated the copy-pasting problem (intentionally omitting the attack prerequisites) to support your point, you are throwing pretty aggressive comments. And going even further, you directly accused StellarTerm team of deliberately weakening the application security or intentionally misleading the users (not quite clear what you ment here) to gain some mysterious "profits": Properly informing people about how to stay safe is critical to the success of cryptocurrency. When a security-educated developer finds profitable to communicate against that goal − because that's what the whole story is about − that's a serious issue. I realize that you (both) are making efforts to turn this into something personal or, at least, into a trolly debate on an unrelated matter. Again citing your words, "Dude, that's off-limits." Clearly, you started all personal trolly debate on the unrelated matter. It looks like I also need to expand my previous statement on CosmicLink UX, to illustrate my point. To my mind, CosmicLink isn't suited for usage in most Stellar-based applications as a primary log-in and transaction signer option, and here is why. Let's imagine that StellarTerm throws away the existing logic and adopts CosmicLink instead. Each action takes a lot of time and requires multiple confirmations. Case: a user wants to remove two active DEX offers and place a new one. Each time she has to wait for the redirect to CosmicLink website, confirm the transaction, wait for the redirect to, say, a SEP-0007 wallet, confirm the transaction again (this a required step, I guess there is no need to explain why this is important), provide her credentials, press "submit", and wait for the redirect back to StellarTerm. Repeat this 3 times yourself and you will understand why this is frustrating. Users that actively trade or send payments on Stellar network will have a nightmare user experience, with each action taking 10 times longer than before. Of course, some people are ready to overcome difficulties, but most regular users will just switch to another Stellar DEX GUI (StellarPort, StellarX, InterStellar, you name it). The situation is better with hardware wallets because it's only one hop, but here comes the next problem. Single-page applications (like StellarTerm, StellarX, Lobstr, and many others) rely on the client-side state. When a redirect occurs, the application is unloaded and loses the entire current state. So it either needs to encode and transfer the state in the callback URL, or save it temporarily somewhere, for example, in the browser local storage. The former approach may be insecure (both CosmicLink and target signer app potentially have access to the private information), and the latter doesn't work out of the box when a user has more than one tab open (e.g., all markets page and current user's active offers page in our case). This can be addressed, but it really requires some additional coding. And a user gets old-fashioned website redirects experience instead of the streamlined UX of single-page apps with smooth navigation and responsiveness. That's also one of the largest problems of the SEP-0007 standard from my perspective. There is no way to retrieve the user's public key. The only way to implement this with your current logic is to ask a user to sign, say, an empty transaction. We won't ask a user to input the public key directly, right? Because asking for a public key and then using a delegated signing to confirm the transactions is the worst UX I can imagine. Case: a new user wants to check the current account balance, see open orders, and maybe exchange some assets. And when she clicks "login", the browser redirects her on some third-party website that proposes to sign a suspicious transaction that she didn't request. Such behavior will definitely scare away most users. Poor onboarding flow for new users. Case: a new user decided to explore StellarTerm and see how it works. When she clicks the login button, the browser redirects her to the CosmicLink website, which is literally hostile to newcomers. What transaction should she sign if she doesn't have any Stellar account in the first place? What's the signing method, and which one she supposed to choose, "Stellar Laboratory" or "Copy/Paste XDR"? What does the "Register as web+stellar links handler (SEP-0007)" means? What's an "Automatic redirection"? I'm developing on Stellar for years, have read through all available documentation and standards, but some things are not entirely clear even for me. For newcomers, this may be a huge stopper. And I doubt that StellarTerm or any other popular Stellar application will be eager to lose ten times more users during the onboarding. It is complex enough process with a low conversion rate even without the delegated signing. How do you suppose to support mobile platforms? Maybe this is covered somewhere, but I didn't find. Opening a CosmicLink URL from the app is pretty straightforward, but what about returning the response back to the caller application once the transaction is signed? This can be partially addressed with a message like "Now please close this browser tab and return to the application that requested the transaction signature" , although that's so depressing to see such UX in the 2020s. Also, what if the application needs the signed transaction back, like in the case of multi-sig aggregation or the public key request(see #3)? I can think of several workarounds, yet each of them requires jumping through hoops. Without a unified UX on web and native mobile apps, this all looks questionable. Summing it all up, as I see it, CosmicLink may be used only as an additional option ( not for login , only for transaction signing), and almost exclusively by advanced users with an existing Stellar account. That's like 2-3% of all Stellar users at best, not counting ecosystem developers. I'm pretty certain that until the described UX problems are solved, most ecosystems apps will be reluctant to replace their existing key management strategies (namely, requesting the secret key each time or storing it on the server-side) with your service. I'm obviously biased here, but this looks more like a neat playground for developers than a production-ready app for regular users. Again, you most likely know about the limitations of your approach since you are working on this for more than a year. In this context, your attacks on other ecosystem applications look really odd.

OrbitLens Part of your message answers the issue I've raised about StellarTerm and doesn't belong here. Please note that I never said that StellarTerm should use Cosmic.Link. I've shown that it features a broken security model: there are several ways to fix it & I've not advised for one in particular (although I made my point that StellarTerm is not using delegated signing as intended). Please move the StellarTerm-specific inputs into the right place, I don't want to answer them here as thread-mixing is confusing. I can answer on the copy/pasting here, though. Edited

MisterTicot Please note that I never said that StellarTerm should use Cosmic.Link. Here are your exact words from the original message: Logically, StellarTerm should use delegated signing so that users can safely validate offers using their wallet - and ultimately get rid of this shameful secret key login. But that's not what's happening. Not only StellarTerm isn't using delegated signing, but it offers to handle transaction requests from other services by signing them with the secret key too... I mean come on, that's complete nonsense! The very reason we implemented delegated signing in the first place was to avoid sharing those keys. Realistically, you are the only one providing the more or less viable solution for delegated signing with the support of third-party wallets at the moment. It supposed to be stable or at least in production for like a year. Everyone else have only working prototypes at best. So when you started criticizing current StellarTerm key management strategy, and urging them to replace it with delegated signing, which service do you have in mind here? You are happened to be the author of the delegated signer, and the comment is yours, so I assumed that by "we implemented delegated signing" you mean CosmicLink. What else can it be? Part of your message answers the issue I've raised about StellarTerm and doesn't belong here. They are closely related to this thread, and has nothing to do with StellarTerm in particular, as at the moment of writing almost every single Stellar-based app requests secret keys in order to sign transactions on behalf of the existing user's account. Some of them encrypt the keys and store them locally or on the server, but this is not essential because copy-pasting secret at least once is potentially almost as dangerous as using it all the time. The fact is that copy-pasting is ubiquitous and it can't be easily addressed right now because the existing ecosystem tools are not mature enough. I can start a new thread if you like, as discussing theoretical problems of the whole ecosystem in the StellarTerm thread doesn't seem right to me, especially after that heated dispute. Moreover, can we please just turn this page and continue debating on the things that really matter for the future? I'm genuinely interested in your opinion about improving delegated signer flow, and it would be cool to hear your thoughts on the highlighted problems as I'm engaged in this matter myself.

OrbitLens Yes, using the clipboard for sensitive data is not recommended because it somewhat simplifies the attack, and that's cool that you are raising awareness. But in your comment, you refer to the far-fetched arguments. [...]. The webcam access is sandboxed in the browser and requires explicit access confirmation (just like the Clipboard API), but if the attacker has root access to your computer, nothing will help you. So it all comes to the client environment security in the end. However, instead of admitting that you exaggerated the copy-pasting problem (intentionally omitting the attack prerequisites) to support your point, you are throwing pretty aggressive comments. I believe my description of the issue is in tune with reality, and I think you should have taken the time to understand it before throwing uninformed accusations at me. I never said that this attack had anything to do with the browser or Chrome in particular. The clipboard is a system-wide interface, and any data the user copy in it is available to read for any process running on the machine. In some cases, it is also stored for long periods. You don't need root access to read the clipboard: this not an attack but an intended functionality. For example, on Android (what 20 30% of people use), any app can read the clipboard but none of them can access the compartmented encrypted storage where apps keep secret keys safe. It is easy to install a malicious app on Android, or malware on most system, but it is considerably harder to break storage compartment - precisely because you need to be root for the second one. All attacks other than peeking at clipboards also request vendor-specific logic once root is acquired. Consequently, those attacks are harder to perform, easier to mitigate (because it involves sequences of code that is easier to flag as malicious) and less likely to hit (which means less likely to happen, because less profitable). In other words, storing a private key plain text and copy/pasting it is orders of magnitude less secure than storing it in an encrypted file as well as leveraging OS security features. I think this is obvious: else nobody would bother implementing those security measures in the first place. This adds up to the fact that the copy/pasting habit itself is what makes most scams profitable. And going even further, you directly accused StellarTerm team of deliberately weakening the application security or intentionally misleading the users (not quite clear what you ment here) to gain some mysterious "profits": Absolutely, as part of their SCF#3 marketing StellarTerm promoted secret key copy/pasting as a fancy sign-in method . Now, there's a gap between using this method - which is insecure - and actively promoting it as part of a vote gathering effort - which is factually misleading people. Misleading applies to situations where someone uses his influence in a way that negatively affects people who trust him. That's definitely what happened here. Again citing your words, "Dude, that's off-limits." Clearly, you started all personal trolly debate on the unrelated matter. I maintain that misleading people on security part of a profit-seeking effort is off-limits. There's nothing trolly or personal there. And btw, bullying someone for exposing & documenting a security issue, and for informing users about crypto good practices, is not much better.

OrbitLens Realistically, you are the only one providing the more or less viable solution for delegated signing with the support of third-party wallets at the moment. It supposed to be stable or at least in production for like a year. Everyone else have only working prototypes at best. So when you started criticizing current StellarTerm key management strategy, and urging them to replace it with delegated signing, which service do you have in mind here? You are happened to be the author of the delegated signer, and the comment is yours, so I assumed that by "we implemented delegated signing" you mean CosmicLink. What else can it be? I think you're mixing things a bit, and I invite you to read my feedback again . I criticized the way StellarTerm uses SEP-0007. Delegated signing is meant to secure the ecosystem by having apps emit transaction requests, but StellarTerm does it the wrong way by offering people to sign SEP-0007 transactions by inputting their secret, which is self-defeating. I criticized the fact that StellarTerm actively promoted this insecure practice. My motivation for point 1 was that Gleb regularly claimed support for SEP-0007/delegated signing in SCF context while he implemented about 10% of it so far. I think that's unfair and given how wrongly it is done in StellarTerm, I felt like pointing it. At no point, I said that StellarTerm had to implement delegated signing, and if I had intended to have them support CosmicLink I'd have used a subtler method. I feel fine with whatever makes user's funds secure. As I already said in my article , keystores are also an option, and we know that other ways are possible as well, although I'd advise against gathering thousands of keypairs together on a centralized server.

I'll go through UX questions. Remember that I never claimed that Cosmic.link is perfect, and in fact, there are many improvements on the way. Yet, I think that it offers a satisfying yet secure experience to its 1.5k regular users, and I invite you to experience it by yourself . Some improvements on my roadmap: MisterTicot Publish a TxRequest library that doesn't depend on StellarSdk (450kb). Design a solution for applications to acquire user publicKey/wallet. Provide helpers for short-circuiting Cosmic.link (direct application-wallet communication). OrbitLens Each action takes a lot of time and requires multiple confirmations. Case: a user wants to remove two active DEX offers and place a new one. Each time she has to wait for the redirect to CosmicLink website, confirm the transaction, wait for the redirect to, say, a SEP-0007 wallet, confirm the transaction again (this a required step, I guess there is no need to explain why this is important), provide her credentials, press "submit", and wait for the redirect back to StellarTerm. Repeat this 3 times yourself and you will understand why this is frustrating. It is possible to shortcut Cosmic.link and go directly to the wallet. As mentioned, I'll release helpers to make this easier to implement. Nowadays, Cosmic.link offers an automatic redirection option that shortcuts its interface as well (although technically it goes through Cosmic.link). Now, the issue of having to sign each transaction also happens with hardware wallets, which is the very UX delegated signing is meant to mimic. An option here is to pack actions together and to offer to sign everything at once. Single-page applications (like StellarTerm, StellarX, Lobstr, and many others) rely on the client-side state. When a redirect occurs, the application is unloaded and loses the entire current state. So it either needs to encode and transfer the state in the callback URL, or save it temporarily somewhere, for example, in the browser local storage. [...] Equilibre.io is a single-page application that uses delegated signing, NiceTrade.co is another one. None of those suffers the drawback you described here as they don't use redirection but iframes or popups. Something you can do, when apps have no critical information anymore, is to store client-side state into LocalStorage which keeps data over sessions (the aforementioned apps do so). There is no way to retrieve the user's public key. The only way to implement this with your current logic is to ask a user to sign, say, an empty transaction. We won't ask a user to input the public key directly, right? Because asking for a public key and then using a delegated signing to confirm the transactions is the worst UX I can imagine. [...] In Equilibre.io , I simply ask for pubkey/federated. This is similar to what many wallets implement as read-only accounts , and transaction signing is required only for writing . One nice trick is that we can standardize the pubkey/address field id attribute, and leverage browser auto-filling to get a cheap yet efficient read-only login solution (sign in with pubkey). The browser will propose your addresses across websites the same way it does with emails. NiceTrade.co proposes either login with public key (works as described) or with sep10, in which case delegated signing callback property is leveraged (available in both sep7 and CosmicLink). We discussed the fact that sep10 transactions don't make their purpose very clear (a network: Won't be validated could be clearer). This is mostly a sep10-related problem. In any case, those 2 options have room for improvement. Option 1 could be improved by CosmicLink passing pubkeys to the application providing user grant permission, and option 2 could be improved by adding specific UX constraints to sep10 (a specific way to display sep10 tx to users). Poor onboarding flow for new users. Case: a new user decided to explore StellarTerm and see how it works. When she clicks the login button, the browser redirects her to the CosmicLink website, which is literally hostile to newcomers. What transaction should she sign if she doesn't have any Stellar account in the first place? What's the signing method, and which one she supposed to choose, "Stellar Laboratory" or "Copy/Paste XDR"? What does the "Register as web+stellar links handler (SEP-0007)" means? What's an "Automatic redirection"? [...] This pertains to the Cosmic.link UI itself rather than delegated signing. I'm in the process of upgrading the client-side framework I used for Equilibre.io and to port Cosmic.link & StellarAuthenticator on top of it. Then, I'll improve the Cosmic.link UI. It is also possible to develop an alternative UI on top of cosmic-lib and other Cosmic.plus libraries, which provides most of the Cosmic.link logic at that point. How do you suppose to support mobile platforms? Maybe this is covered somewhere, but I didn't find. Opening a CosmicLink URL from the app is pretty straightforward, but what about returning the response back to the caller application once the transaction is signed? [...] That's what the callback parameter is for. There is also the option of listening for transaction submission from the parent frame, which is something I'd like to implement but designing it is somewhat of a puzzle given the number of configurations involved. We already found out some cases will have to be left unsupported (mobile signing + callback that don't submit = impossible to catch submission from parent frame). OrbitLens [...] but this is not essential because copy-pasting secret at least once is potentially almost as dangerous as using it all the time. The fact is that copy-pasting is ubiquitous and it can't be easily addressed right now because the existing ecosystem tools are not mature enough. Many applications have addressed it already in many ways, and I'd advise against using "it's difficult" as an excuse for not implementing solid security. In fact, any excuse that goes toward lesser security should be looked at as suspicious, as in most cases it doesn't hold the test of healthy reasoning. I can start a new thread if you like, as discussing theoretical problems of the whole ecosystem in the StellarTerm thread doesn't seem right to me, especially after that heated dispute. Moreover, can we please just turn this page and continue debating on the things that really matter for the future? I'm genuinely interested in your opinion about improving delegated signer flow, and it would be cool to hear your thoughts on the highlighted problems as I'm engaged in this matter myself. Then let's do just that!

Ah, now I finally understand what "automatic redirection" is. Quite an interesting approach. You save at least one website interaction for users. They will still need to provide credentials and confirm the signing request in the target wallet, but this option definitely saves a few seconds on each operation. Still, the problem remains. Users have to wait for at least 3 browser redirects and provide credentials, so each operation takes 10-20 seconds instead of one click as before. That's maybe ok for Equilibre and other apps that imply a few transactions a month, but completely ruins the trading experience (say, a dozen trades a day). Although I really like how you implemented interaction with hardware wallets. As for all other questions... Looks like you completely missed some of my points, as your answers do not address most of them at all. And I checked NiceTrade.co. I must say that it's the worst login form I have ever seen. Forcing a user to save a public key separately (where? in text file?) and copy-pasting it (following your logic, that's a big no-no, as it may break user's privacy by associating a person/device with a Stellar account) each time when a user needs to log in, and then requesting the credentials again after following a series of redirects – that's terrible. Even requesting to sign an empty transaction is better than that, at least it's possible to authenticate a user and retrieve a pubkey in one go. About my statement that copy-pasting is ubiquitous: Many applications have addressed it already in many ways Nope. I haven't seen any other option across the entire Stellar ecosystem. If you need to submit transactions on behalf of an existing account, you need to either request a secret key (at least once) or use delegated signing. Given current progress, mature delegated signing tools for Stellar Network will be ready in a year or so (hopefully). So... Re: clipboard security I never said that this attack had anything to do with the browser or Chrome in particular. For example, on Android (what 2030% of people use), any app can read the clipboard but none of them can access the compartmented encrypted storage where apps keep secret keys safe. The browser Clipboard API (I didn't mention Chrome specifically as this API is supported in Chrome, Firefox, and other popular browsers) was just an illustrative example for one of a few attack vectors exploiting the potential vulnerability you mentioned without breaking the sandbox. The Android example, of course, demonstrates much stronger case than, say, Windows XP (may it rest in peace) or careless Linux user running all processes under the root privileges (btw, why we are overlooking them?) For the particular case you described, I can agree that "it is orders of magnitude less secure", as you wrote. However, my main point here is that a compromised system (with the malware code in userspace) can't be viewed as secure even with all the delegated signing in place. Android Autofill framework and Accessibility API (previously it was used by password managers like LastPass to interact with text input of third-party apps) make it much simpler to steal login/password credentials. And if users are naive enough to install the malware, they will also allow all the requested app permissions without thoroughly reviewing them. So the app storing user's secret key on the server can be as easily hacked as the one requesting it directly from the user. It's always worth mentioning specific details about the environment and prerequisites in security-related articles. This adds up to the fact that the copy/pasting habit itself is what makes most scams profitable. It would be really awesome to check statistics supporting this claim. I maintain that misleading people on security part of a profit-seeking effort is off-limits.... And btw, bullying someone for exposing & documenting a security issue, and for informing users about crypto good practices, is not much better. Cherry-picking facts and describing an issue from a specific angle only to exaggerate a problem and support a particular theory (or application) doesn't seem so pure and selfless to me. Someone might even say that the intentionally misleading article that purposely omits important facts and attack prerequisites in profit-seeking effort may be viewed as unethical. But we are all adult people here and we never throw such absurd accusations at one another, right? Also, I apologize if any of my previous questions/comments upset or distressed you. By no means they were planned as bullying. And I rest assure you that none of your statements offended me. Thanks for taking time to answer my questions.

Cosmic.link ~ Transactions over URL

OrbitLens

MisterTicot That's really exciting to watch how you keep diverting the context of the conversation.

I described UX issues of using pubkey in the login form in addition to transaction signing – you proudly reply that signing interface never requests it.
I pointed that the entire flow takes at least 3 redirects (website->CosmicLink->wallet->website callback) – you keep denying that and claim that "There's no configuration under which Equilibre.io requires 3 browser redirections + providing credential for tx signing" despite the screenshots that prove your statement is wrong. What's next? I can suggest you a case without redirects at all - when a user visits CosmicLink and closes the page at once. See, the problem of redirect is solved!
I expanded my statement about ecosystem websites using private key copy-pasting at some point – you slapped this as "unrelated" to the problem of secret keys copy-pasting.
I said that the problem of copy-pasting secret keys in the compromised environment is hyperbolized as the signing process in the untrusted system can't be considered fully secure by definition – you focus entirely on abstract concepts of secret keys sharing ignoring everything else.
I illustrated an example of compromised privacy (leaked public key) vs stolen money (leaked secret key) to show that you concentrated only on one side of the problem – you are making fun of it.
I agreed that the "clipboard problem" exists, it is ubiquitous, and should be addressed, debating only the UX of the proposed solution – you keep repeating your "secrets sharing" mantra to generalize the problem. "Do you agree that secret key should be safe? If yes, I'm right about everything else."
I stated that any other project can be accused of the secret key copy-pasting just because there is no other way to implement some scenarios – you mention the fictional "private keys copy/pasting promotion" (I re-read twice and didn't spot any "promotion", only the technical process description plus standard marketing stuff), admitting that you selectively and intentionally attacked a single person based on generalized argument. So it is all personal, despite your previous excuses.

Re: StellarExpertID

Yes, I have presented it more than a year ago, it was one of the SCF round finalists, it is still on our roadmap. Originally, it was a prototype, and I offered SDF(the most reputable entity in the ecosystem) to curate the development and host it, but they were reluctant to run the service (as it potentially concentrates even more power in their hands) and wanted to see it as a community effort. Back then I offered collaboration to you and Paul, but Paul was focused on multisig, while you had your own adamant vision.

Since then, the project has undergone a dozen major refactorings, two security audits, has been rewritten almost from scratch to address a huge list of issues, required features, and security considerations. Some questions about UX I asked earlier were directly related to the real-world problems we faced once we tried to integrate our signer into our own products. I spent an enormous amount of time to design a bullet-proof architecture that is both secure and flexible enough to build a good UI on top of it. We even had a dedicated developer working exclusively on this project for some time. Currently, the entire project code is in private repositories and will be open-sourced immediately after we release the public beta version. The old repository is there just for the sake of keeping history.

The only reason why it is not released yet is my reluctance to ship the imperfect application. We'll be dealing with other's people money and privacy, so the security on top of the bulletproof two-way protocol is paramount here. Contract stability is essential for all other apps who will use the API in the future. Changing things like encryption schemes, key storage format, or communication protocol can be really tricky since we don't have access to user data on our side.

Again, someone with lower standards could say that it is production-ready for more than a year; it just doesn't look particularly attractive and has some known limitations. But I say that it will be released only when we ensure that core functionality works flawlessly and we can be certain that our users are safe and enjoy the improved UX instead of cursing us.

The "inspired by my work" assertion looks hilarious considering the fact that our project has completely different architecture and much wider functionality. It was inspired by Metamask, MyEtherWallet, and OAuth. But if you are by chance the inventor of the delegated signing concept or maybe even public-key cryptography (as one might think based on your dogmatic statements), then, of course, kudos to you.

MisterTicot

lol... You even found a way of making me partly responsible for the non-release of your software. I did not see that one coming.

In any case, I'm not interested in continuing a conversation that is aimed at proving me wrong at all costs rather than genuinely sorting the true from the false. I think I already answered every point of importance at least twice and I'm not interested in repeating myself or endlessly deriving on every detail of every sentence.

I believe you made your point a few times as well & I'm as unconvinced as you are. Let's leave it that way and peacefully enjoy Christmas.

dzham

Welcome to Stellar. We don't have CSW, but we have more drama.

MisterTicot

dzham Same story than Sep7: issues I described day 1 were finally acknowledged after 1 year and a half of sweeping under the carpet.

MisterTicot

Cosmic.link did it to Stellar Community Fund finals!

Thank you very much for the strong support! The second round will define how much funding Cosmic.link and other projects will receive − which means how much time I'll be able to dedicate to improve this project and the related libraries.

Meanwhile, I released js-ledger-wallet v2, which includes helpers for multi-accounts handling: Changelog | Documentation

MisterTicot

Big thanks to those who helped to turn this project into a winner!

With your votes, Cosmic.link can claim about 9% of the SCF prize pool which will finance several months of additional work & long-term updates. A solid collection of open-source utilities is a must-have for any ambitious cryptocurrency platform and you're helping to build just that.

Let's keep on raising the cryptocurrency fundamentals by sharing code & knowledge! 🙂

Website: Cosmic.plus | Reddit: r/cosmic_plus | Keybase: @cosmic_plus

« Previous Page