StellarTerm

Project title:
StellarTerm - https://stellarterm.com

Summary:
StellarTerm is an advanced web-based open-source trading client for the Stellar network. Also available as a desktop app.

Goals:

  • SEP-0024 Asset deposit/withdraw support
  • SEP-0007 updates ("Replace" function support)
  • ‘New account’ page redesign (onboarding improvements for newly created wallets)
  • Improved trading interface (stats for asset pair, redesigned asset selectors etc.)
  • Asset details page (every asset will have a rich description with its details, stats, charts, SDEX price, order book etc)
  • Implement ‘Activity’ page (account activity in one place with history)
  • Stellar Core 13 support
  • New header / top navigation (identicons and quick profile access)
  • Improvements for signers management (multisig)
  • View historical offers data for trading pairs
  • Redesign "Send" flow (reverse federation, identicons, new interface etc.)
  • SEP-0008 support (regulated assets)
  • Establish a regular release schedule for desktop builds
  • Regular blog posts on Medium
  • Path payments integration and support
  • Improvements for real-time notifications (introduce new notification types)
  • Continue StellarTerm website redesign: multiple UX improvements on multiple pages
  • Ledger Nano X support (via bluetooth)
  • Better support for restricted assets (KYC, auth_required, auth_revocable)

Description:
StellarTerm is an open source trading client with local key storage, advanced trading tools, multisig and hardware wallets support.

Main features:

  • Local key storage
  • Open-source software
  • Direct access to SDEX, trade XLM and non-XLM asset pairs
  • Advanced charts for new users and pros
  • Desktop applications (macOS, Windows, Linux)
  • Modern and simple interface
  • Ledger support
  • Real-time updates/notifications
  • Support of multisig wallets
  • Supports federation addresses (via federation server)
  • Delegated signing support (currently supports payment and change trust operations)
  • Testnet support

Links:
Web: https://stellarterm.com/
Github: https://github.com/stellarterm
Desktop client: https://github.com/stellarterm/stellarterm-desktop-client
Twitter: https://twitter.com/StellarTerm
Medium: https://medium.com/@stellarterm

I must say that this entry disappoints me.

I've been using StellarTerm for two years for checking prices against XLM, and I've been hoping for delegated signing to be implemented for a while. Yet, on this matter, StellarTerm seems to do everything the wrong way.

Logically, StellarTerm should use delegated signing so that users can safely validate offers using their wallet - and ultimately get rid of this shameful secret key login. But that's not what's happening.

Not only is StellarTerm not using delegated signing, it also offers to handle transaction requests from other services by signing them with the secret key...

I mean come on, that's complete nonsense! The very reason we implemented delegated signing in the first place was to avoid sharing those keys.

Crypto golden rule: Never share your private key − isn't the word private meaningful? Teaching people to break that principle is preparing the ground for phishing attacks & is the main reason why people get so easily scammed.

A major component of the Stellar ecosystem enters 2020 with a broken security model: that's quite an issue.

Yet, we can read this interesting piece of communication on Medium:

That's where StellarTerm comes in handy as it features a fast and simple sign in process. Just paste your secret key into the field and you are in, no email or password required. Establish a trustline, place an order and send funds — everything is just a few clicks away.

Wow... so that's a feature now? Do you realize how easy it is to read the content of the clipboard? I tell you: three lines of code.

Just paste your secret key into the field and you are in: That's about the right thing to say to those people who discovered crypto a few weeks ago, isn't it? Oh yes, they're in, that's for sure.

Coming from a newcomer, we could have seen it as a convenient mistake. But coming from a veteran wallet provider & influential member of the community...

Dude, that's off-limits.
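An added example, not code from StellarTerm or from anyone in this thread, of what the "paste your secret key" argument above amounts to on the receiving side. In a browser, `navigator.clipboard.readText()` is gated behind a permission prompt or a user gesture; what nothing gates is the `paste` event on a field the page itself controls, so whatever the user pastes there is handed straight to the page's script. The code below is the part that runs on that text: it recognises a Stellar secret seed (a 56-character StrKey starting with 'S' whose CRC16 checksum verifies) anywhere inside it. The browser hook at the bottom is hypothetical and shown only as a comment; the raw seed bytes are constructed and not a real key.

```javascript
// Added example: detecting Stellar secret seeds in text handed to a page.
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
const SEED_VERSION = 18 << 3; // 144: StrKey version byte that renders as a leading 'S'

// CRC16-XModem (poly 0x1021, init 0), the checksum StrKey appends.
function crc16xmodem(bytes) {
  let crc = 0;
  for (const b of bytes) {
    crc ^= b << 8;
    for (let i = 0; i < 8; i++) {
      crc = crc & 0x8000 ? ((crc << 1) ^ 0x1021) & 0xffff : (crc << 1) & 0xffff;
    }
  }
  return crc;
}

// RFC 4648 base32 without padding; 35 bytes map exactly onto 56 characters.
function base32Encode(bytes) {
  let bits = 0, value = 0, out = '';
  for (const b of bytes) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += B32[(value >>> bits) & 31];
    }
    value &= (1 << bits) - 1; // keep only the not-yet-emitted low bits
  }
  if (bits > 0) out += B32[(value << (5 - bits)) & 31];
  return out;
}

function base32Decode(str) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of str) {
    const idx = B32.indexOf(ch);
    if (idx < 0) return null;
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return Uint8Array.from(out);
}

// StrKey layout: version byte, 32-byte payload, 2-byte little-endian CRC16.
function encodeSecretSeed(raw32) {
  const payload = new Uint8Array(33);
  payload[0] = SEED_VERSION;
  payload.set(raw32, 1);
  const crc = crc16xmodem(payload);
  const full = new Uint8Array(35);
  full.set(payload);
  full[33] = crc & 0xff;
  full[34] = crc >> 8;
  return base32Encode(full);
}

function isValidSecretSeed(str) {
  if (!/^S[A-Z2-7]{55}$/.test(str)) return false;
  const bytes = base32Decode(str);
  if (!bytes || bytes.length !== 35 || bytes[0] !== SEED_VERSION) return false;
  const crc = crc16xmodem(bytes.subarray(0, 33));
  return bytes[33] === (crc & 0xff) && bytes[34] === (crc >> 8);
}

// Every checksum-valid seed found in a blob of text, e.g. a pasted string.
function extractSecretSeeds(text) {
  return (text.match(/S[A-Z2-7]{55}/g) || []).filter(isValidSecretSeed);
}

// Constructed sample: deterministic, NOT a real key.
const RAW_SEED = Uint8Array.from({ length: 32 }, (_, i) => (i * 7) & 0xff);
const sampleSeed = encodeSecretSeed(RAW_SEED);
const pastedText = `my login: ${sampleSeed} (please keep this safe)`;
// extractSecretSeeds(pastedText) returns [sampleSeed]

// Hypothetical browser hook (not runnable here): a field's paste listener
// receives the clipboard text without any permission prompt.
//   field.addEventListener('paste', e =>
//     report(extractSecretSeeds(e.clipboardData.getData('text/plain'))));
```

The same checksum logic is what a wallet uses to reject mistyped seeds; here it serves the opposite purpose, which is why a login flow built on pasting the seed hands the page everything it needs in one event.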

    7 days later

    @MisterTicot Hello,

    I must say that this entry disappoints me.
    I've been using StellarTerm for two years for checking prices against XLM, and I've been hoping for delegated signing to be implemented for a while. Yet, on this matter, StellarTerm seems to do everything the wrong way.

    We appreciate the honest feedback and I understand that using the software for a long time may create a strong emotional connection to it.

    But still it is surprising to see this kind of response for the presented roadmap - it's not that revolutionary after all.
    Our goal is to continue improving StellarTerm, one step at a time. And most of our users think we are doing a decent job.

    We are always open to hearing ideas for new features for StellarTerm; we receive a significant portion of them from users.
    They typically do this through issues on Github or just by email at support@stellarterm.com. Feel free to suggest new things as they come to mind - no need to wait!

    I have to say, support for delegated signing has not been on the top of the list.
    We understand that it may be useful for some cases, but there are only so many things we can work on at the same time!
    So it might be a while until this fully lands in StellarTerm, unfortunately.

    However, we do have something already. StellarTerm had the support for Ledger for a while, and we are planning to add more hardware wallet integrations soon.

    We are proud to be the only non-official product that is being recommended by Ledger itself:
    https://shop.ledger.com/pages/supported-crypto-assets
    https://support.ledger.com/hc/en-us/articles/115003797194-Stellar-XLM
    (Quite an achievement for a project with a broken security model...)

    However, for most of our users, StellarTerm is the place where they want to make their trades, payments and sign transactions.

    To be clear, we believe that more often our users would want to have some of their transaction requests made by external services handled by StellarTerm, rather than vice versa.
    That's why we offer to register StellarTerm as a handler for SEP-0007, and this is completely optional for our users.

    To address your point about security of pasting private keys on the website:

    • StellarTerm has the secret phrase which protects our users from entering private keys on fake websites.
    • We promote multi-signature as much as we can, and StellarTerm has the leading multi-signature support for Stellar. With the multi-signature enabled, leaking your master private key will cause only a mild inconvenience, as you'll need to create a new wallet and move your funds there to restore the high security level.
    • StellarTerm comes with a desktop version, which is rather popular with our users. It provides an additional level of security, as the code is not downloaded over the internet each time.

    So, I would argue that StellarTerm provides at least the same level of security as other popular online services which ask for a secret key (Stellar Account Viewer, Stellar Laboratory, MyEtherWallet, etc).

    Also going forward, I would prefer this conversation to be more professional, and tone down on the emotions - I'm hoping for your co-operation on it! Our content person was a bit confused to be called dude 🤷‍♀️btw.

    Finally, not doubting your skill level, but would love to see those 3 lines that read the clipboard content.

    I'm assuming you mean you can do this in the modern browser environment, without any interaction of the user?
    Maybe even while user is doing something entirely different in the system (like working in a MS Word)?

    That sounds very dangerous, the last time I checked it was not possible:
    https://developers.google.com/web/updates/2018/03/clipboardapi#security_and_permissions
    https://developer.mozilla.org/en-US/docs/Web/API/Clipboard/read

    So, please - I'm hoping to see you back in this thread. That would be a learning experience for many readers. Who knows, we might even have to escalate this to the teams working on the browser security, because it contradicts the official documentation!
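The multisig claim made in the reply above (that with multi-signature enabled a leaked master key is only a mild inconvenience) is true only when the account's thresholds and signer weights actually leave the master key unable to act alone. The following is an added example, not StellarTerm's code, that checks this against an account record in the shape Horizon returns from `/accounts/{id}` (`thresholds.low_threshold` / `med_threshold` / `high_threshold`, `signers[].key` / `weight`, `account_id`). The accounts below are constructed and the signer keys are placeholders.

```javascript
// Added example: what a leaked master secret key can still do, given the account's
// thresholds and signers. Not StellarTerm code; account records are constructed.

function auditMultisig(account) {
  const t = account.thresholds;
  // The master key is listed in signers[] under the account's own public key;
  // weight 0 means it has been disabled.
  const master = account.signers.find(s => s.key === account.account_id);
  const masterWeight = master ? master.weight : 0;
  const totalWeight = account.signers.reduce((sum, s) => sum + s.weight, 0);
  // An operation is authorised when the combined weight of the signatures
  // reaches the threshold of its category; a weight of 0 authorises nothing.
  const meets = (weight, threshold) => weight > 0 && weight >= threshold;
  return {
    masterWeight,
    masterAlone: {
      low: meets(masterWeight, t.low_threshold),     // e.g. allowTrust, bumpSequence
      medium: meets(masterWeight, t.med_threshold),  // payments, offers, trustlines
      high: meets(masterWeight, t.high_threshold),   // setOptions: signers and thresholds
    },
    // If all signers together fall short of the high threshold, setOptions can
    // never succeed again and the account is permanently locked.
    locked: totalWeight < t.high_threshold,
  };
}

// Plain-language impact of the master secret leaking.
function masterLeakImpact(account) {
  const a = auditMultisig(account);
  if (a.masterWeight === 0) return 'none: master key is disabled';
  if (a.masterAlone.high) return 'full control: attacker can change signers and lock you out';
  if (a.masterAlone.medium) return 'can move funds: attacker can pay and trade alone';
  return 'co-signer only: attacker still needs the other signers';
}

// Constructed samples; 'MASTER', 'SIGNER_1', 'SIGNER_2' are placeholders, not real keys.
const signer = (key, weight) => ({ key, weight, type: 'ed25519_public_key' });

// Defaults right after account creation: master weight 1, all thresholds 0.
const freshAccount = {
  account_id: 'MASTER',
  thresholds: { low_threshold: 0, med_threshold: 0, high_threshold: 0 },
  signers: [signer('MASTER', 1)],
};

// Common mistake: thresholds raised, but the master weight raised with them.
const halfDone = {
  account_id: 'MASTER',
  thresholds: { low_threshold: 2, med_threshold: 2, high_threshold: 2 },
  signers: [signer('MASTER', 2), signer('SIGNER_1', 1)],
};

// Master demoted to one vote among three; two of three required for everything.
const twoOfThree = {
  account_id: 'MASTER',
  thresholds: { low_threshold: 2, med_threshold: 2, high_threshold: 2 },
  signers: [signer('MASTER', 1), signer('SIGNER_1', 1), signer('SIGNER_2', 1)],
};

// Master disabled, single remaining signer cannot reach the high threshold: locked.
const lockedAccount = {
  account_id: 'MASTER',
  thresholds: { low_threshold: 1, med_threshold: 1, high_threshold: 2 },
  signers: [signer('MASTER', 0), signer('SIGNER_1', 1)],
};
```

Only the `twoOfThree` shape matches the "mild inconvenience" description; `freshAccount` and `halfDone` both leave the master key with full control, and `lockedAccount` shows the failure mode in the other direction, where the setOptions that was meant to tighten security bricks the account.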

    MisterTicot That was rude. You proved to be a very intelligent person, so why such a strange insult out of thin air? Actively promoting your technical solution (and as we all saw, you are doing this almost every single day through all possible Stellar-related media channels) is ok, but demanding something and criticizing another service for not using it... well, it looks weird at best.

    Delegated signing is important, I'm advocating for it myself. But it all comes to the usability in the end. In the foreseeable future, StellarTerm, as well as other DEX interfaces, won't use your CosmicLink solution as a primary log-in/signing option for obvious reasons. Of course, unless you change the UX completely and address all fundamental problems of your approach.

    MisterTicot-the-emotional,
    MisterTicot-the-unprofessional,
    MisterTicot-the-unknowledgeable,
    ...-the-insulting,
    ...-the-dirty-marketer,
    ...-and-his-poor-UX,
    ...-and-the-wailers.

    That's quite a narrative you're building there!

    Your ability to reverse the situation is undeniable. In any case, I'm not the one who decided, two weeks ago, to market secret sharing as a fancy sign-in method.

    Properly informing people about how to stay safe is critical to the success of cryptocurrency. When a security-educated developer finds it profitable to communicate against that goal − because that's what the whole story is about − that's a serious issue.

    It has to be dealt with publicly and genuinely. First of all, because users deserve a chance to realize they've been misled; but also to prevent the whole idea from becoming somewhat accepted − which would be a disaster for Stellar.

    Don't be naive: cryptocurrency is a highly competitive space, and if a crypto A can't get it right, crypto B will. Fortunately, there are few places around where you'll see secret disclosure presented as a satisfying sign-in method. But from a credibility standpoint, having a few already comes at a cost.

    I realize that you (both) are making efforts to turn this into something personal or, at least, into a trolly debate on an unrelated matter. Yet, I believe my feedback was clear & focused on a well-defined issue. If you don't want to deal with it, fine, but I'm not willing to digress into low-value disputes. I'm pretty sure we all have better things to do.

    5 days later

    Replied here as my thoughts mostly relate to the "clipboard vulnerability" and CosmicLink itself.

    Is it still possible to add newer projects for trading on stellarterm? We prefer it over stellarport.

    @EthereumX You can trade any Stellar asset on StellarTerm without explicit listing, as they are discoverable by asset domain or just through issuer address.

    Here's the link to EthereumX trading page for example:
    https://stellarterm.com/exchange/ETX-GCEFMSNWXTALXQPRQFIXOMWJHZFDEQJBM26RGEDZUDFMU32JB6WJGRJX/XLM-native

    I've noticed that your domain lacks CORS headers though:
    https://stellar.sui.li/toml-check/etxco.com
    https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0001.md#specification

    Without CORS headers, StellarTerm can't fetch your asset icon or read the contents of the toml file - so I think you should get that fixed.

    We are planning to add automatic asset discovery to StellarTerm shortly.
    We are always looking for new quality assets and listen for requests from users and issuers, and continue to list new assets manually upon review from our end.
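The CORS point in the reply above can be checked mechanically. The following is an added example, not StellarTerm's code nor that of the linked toml-check tool: it applies to a captured `stellar.toml` response the two SEP-0001 checks a client like StellarTerm depends on (the file must be served with `Access-Control-Allow-Origin: *`, and it must carry a `[[CURRENCIES]]` entry matching the asset being displayed) and reports the problems. The sample file and responses are constructed; the TOML parser covers only the `key = "value"` / `[[CURRENCIES]]` subset these entries use; `fetchStellarToml` is an optional live helper assumed to run on Node 18 or later with global `fetch`, and is not called here.

```javascript
// Added example: SEP-0001 stellar.toml checks a trading client needs. Not StellarTerm code.

// Minimal parser for the [[CURRENCIES]] table array: string and integer values only.
function parseCurrencies(toml) {
  const currencies = [];
  let current = null;
  for (const rawLine of toml.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    if (line === '[[CURRENCIES]]') { current = {}; currencies.push(current); continue; }
    if (line.startsWith('[')) { current = null; continue; } // another table, e.g. [DOCUMENTATION]
    if (!current) continue;
    const m = line.match(/^(\w+)\s*=\s*(?:"([^"]*)"|(\d+))$/);
    if (m) current[m[1]] = m[2] !== undefined ? m[2] : Number(m[3]);
  }
  return currencies;
}

// response: { status, headers, body } as captured from GET /.well-known/stellar.toml
// asset:    { code, issuer } of the pair being displayed
function checkStellarToml(response, asset) {
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;
  const problems = [];
  if (response.status !== 200) problems.push(`HTTP ${response.status}`);
  // SEP-0001: the file must be readable cross-origin by browser-based clients.
  if (headers['access-control-allow-origin'] !== '*') {
    problems.push('missing Access-Control-Allow-Origin: * (SEP-0001 CORS requirement)');
  }
  const currencies = parseCurrencies(response.body || '');
  const match = currencies.find(c => c.code === asset.code && c.issuer === asset.issuer);
  if (!match) problems.push(`no [[CURRENCIES]] entry for ${asset.code}:${asset.issuer}`);
  return { ok: problems.length === 0, problems, image: match ? match.image || null : null };
}

// Live helper, not executed here. A server-side fetch is not subject to CORS,
// so the header is inspected rather than enforced.
async function fetchStellarToml(domain) {
  const res = await fetch(`https://${domain}/.well-known/stellar.toml`);
  return { status: res.status, headers: Object.fromEntries(res.headers), body: await res.text() };
}

// Constructed stellar.toml; the issuer is the one quoted in this thread, the rest is made up.
const TOML_BODY = `# constructed example, not any domain's real stellar.toml
VERSION = "2.0.0"

[DOCUMENTATION]
ORG_NAME = "Example Issuer"

[[CURRENCIES]]
code = "ETX"
issuer = "GCEFMSNWXTALXQPRQFIXOMWJHZFDEQJBM26RGEDZUDFMU32JB6WJGRJX"
display_decimals = 7
image = "https://example.com/etx.png"
`;

const withCors = {
  status: 200,
  headers: { 'Content-Type': 'text/plain', 'Access-Control-Allow-Origin': '*' },
  body: TOML_BODY,
};
const withoutCors = {
  status: 200,
  headers: { 'Content-Type': 'text/plain' },
  body: TOML_BODY,
};
const ETX = { code: 'ETX', issuer: 'GCEFMSNWXTALXQPRQFIXOMWJHZFDEQJBM26RGEDZUDFMU32JB6WJGRJX' };
// checkStellarToml(withCors, ETX).ok is true; checkStellarToml(withoutCors, ETX).ok is false
```

The header check is the one that bites in practice: the file can be perfectly valid, yet without `Access-Control-Allow-Origin: *` a browser-based client never gets to read it, which is exactly the symptom described above (no icon, no asset details).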

    Hey, Stellar community.

    Several new StellarTerm updates have been pushed live recently.
    We are also excited to share a preview of the upcoming updates releasing in the near future.

    Latest updates

    StellarTerm

    Activity page:

    The outdated 'History' page got a new refined look and is now named 'Activity'.

    From here, you can manage all of your active orders or browse transaction history divided into dedicated categories (Trades, Payments, Signers and Trustlines). This update also significantly improves the history loading time so you can locate the transaction much quicker.

    Improved real-time notifications:

    The real-time notifications (that users can see in the bottom right corner) have been updated and improved. Also we've added new notification types like a “new trustline is established” or a “signer is added to your Stellar account”.
    The support of notifications for multisig wallets has been added as well. When you sign a transaction in the multisig service, the notification should now quickly appear in StellarTerm.

    Trading updates and other improvements:

    There are a few small but sweet improvements for the traders out there. The asset selector got updated and now features a fresh new design along with the latest stats for the selected trading pair.
    When editing a live offer, you can now quickly swap pair sides to see a buy offer as a sell offer (and vice versa).

    Coming soon

    StellarTerm

    The team has also been working on some big updates coming in the near future. Here is the preview for some of those:

    Redesign of login, onboarding and send pages:

    We are currently working on the redesign of various pages with the goals of improving usability, transparency and matching the new design styles of the project.
    The 'Send', 'Log in', and 'New account' pages are among the first things that will be updated in the near future.

    Support of SEP-0024 protocol:

    We are actively working on bringing full support of SEP-0024 to StellarTerm. Users will be able to deposit external assets, withdraw Stellar assets and view the history of deposits and withdrawals using the current Stellar account.
    We are aiming to support all existing SEP-0024 compliant anchors, so users will be able to withdraw and deposit various fiat and crypto assets soon.

    It would be more useful to make the app simple and user friendly instead. I've tried to download and use this app so many times unsuccessfully, to the point where I got discouraged.


      NoelMartialNguemechieu

      It would be more useful to make the app simple and user friendly instead.

      That's our constant goal. We are always looking for things that can be simplified or explained better.
      If you could share more details about what was confusing for you here or privately at support@stellarterm.com that would be greatly appreciated!


      In the meantime, we are happy to know that StellarTerm has made it to the Finals of this SCF round:

      Thank you for your support!
      Don't forget to vote in the final round - the voting only lasts until the new year.
