search

SeedSigner / seedsigner

Use an air-gapped Raspberry Pi Zero to sign for Bitcoin transactions! (and do other cool stuff)
MIT License
691 stars 161 forks source link

Edit suggestion for - "away" from all online devices #189

Closed punterwantsawhalepass closed 1 year ago

punterwantsawhalepass commented 2 years ago

may need to change that, away made me think of distance

"You must keep your seed words private and safe. Never store your seed words on an online device."

newtonick commented 2 years ago

Issue is referencing this line of text/code: https://github.com/SeedSigner/seedsigner/blob/5e007e501044f518f8d3c8ab9505901cfba249bb/src/seedsigner/views/seed_views.py#L768

punterwantsawhalepass commented 2 years ago

this might also be good language.

"You must NEVER allow your Bitcoin seed words to come into contact with the Internet."

source: https://observablehq.com/@jimbojw/grokking-bip39

SeedSigner commented 2 years ago

Just taking a stab -- "Never input your seed phrase into a device that connects to the internet."

jdlcdl commented 1 year ago

I'm a big fan of communicating these caution messages as effectively as possible.

I think seedsigner already does a very good job of this, but I have no illusions that it can't get even better over time.

Off on a tangent... @kdmukai has already put a considerable amount of work into his inital_multilanguage branch, internationalizing the codebase so that translators can get to work on these types of messages (and all others); in fact, messages like these are already translated in more than a handful of languages. I've taken an interest helping out and have tried to continue his work in a copy of his branch. What does this tangent have to do with the topic? That we won't ever get these messages perfect, that they'll evolve over time as new threats emerge and understandings become commonplace.

...and updating these types of messages NOT in the codebase, but rather in the locale-specific catalogs/messages.po files is the place to do this never-finished work. (just my 2c).

This way, hopefully, a few special communicators from all over the world can hone-in on protecting the folks they communicate best with... and then any types of textual changes made in the future can truly be translator work and not codebase work... (because 'en' would be a translated language too). In a way, this issue also supports getting multilanguage seedsigner to release.

Thanks for hearing me out!

newtonick commented 1 year ago

Just taking a stab -- "Never input your seed phrase into a device that connects to the internet."

+1 for this option if just trying to resolve the immediate issue

kdmukai commented 1 year ago

Photos of proposed updated screens would help here (or rather in a PR). Sometimes messages just don't look/read quite right onscreen.

jdlcdl commented 1 year ago

Photos of proposed updated screens would help here (or rather in a PR). Sometimes messages just don't look/read quite right onscreen.

I agree, especially since it's not obvious where different phrases will wrap. Back here shortly with some images of all the proposed phrases in this thread... with the help of "enteropositivo/seedsigner_emulator".

jdlcdl commented 1 year ago

Thanks to the work in enteropositivo/seedsigner_emulator, this was easy to do from my desktop.

Once we decide on one of these, I'll be happy to verify that it indeed looks the same on the seedsigner. If anyone would like to propose changes, just leave a note here, I'd be happy to get a screenshot while this procedure is fresh in my head.

Currently: issue_189_current

Proposal A and B, thanks to @punterwantsawhalepass issue_189_proposal_A issue_189_proposal_B

Proposal C, thanks to @SeedSigner (w/ a +1 from @newtonick) issue_189_proposal_C

Not specifically mentioned in this issue, a related warning screen for SeedQR currently looks like: issue_189_current_SeedQR

Assuming Proposal C is desired and carried over to the related SeedQR warning, they might look like: issue_189_proposalC1_SeedQR issue_189_proposalC2_SeedQR issue_189_proposalC3_SeedQR issue_189_proposalC4_SeedQR issue_189_proposalC5_SeedQR

btw: They all have the same pulsing-red-border... it's just that my screenshot's didn't capture them.

jdlcdl commented 1 year ago

I prefer Proposal C, because:

Of my added SeedQR proposals: I like both:

Never photograph or scan it
into a device that connects
to the internet.

and

Never scan or photograph it
into a device that connects
to the internet.

...over the versions with 2x "it"; and to use "photo" like a verb instead of a noun also doesn't sound right.

jdlcdl commented 1 year ago

ATTENTION: I had hoped that the SeedSigner Emulator would accurately represent where text would wrap, but this is not the case everytime. :(

I'm going to issue a pull request for this, leaning towards Proposal C and carrying similar text into the SeedQR warning. I'll take photos of what it really looks like on SeedSigner hardware.

SeedSigner commented 1 year ago

Thank you for your work on generating these previews.

bitcoinprecept commented 1 year ago

Some better late than never thoughts on the topic here... (without thinking through any specific proposals to the outstanding edits proposed above)

Some people may not fully think through what it means to interact with "devices that connect to the internet" (or however it's phrased in the multiple variations above). I think it's worth offering users a clear warning to not interact with their seedphrase data within site of webcams of their cell phone camera. This may be an edge case not worth solving for within the limited Seedsigner UI, but it's worth considering that your camera could be a vector to spy on you/steal your data even if you don't voluntarily "take" a photo with it.

The best practice, in my opinion, is to be fully away from internet connected devices and cameras when interacting with seedphrase data. If it were possible to relay this concept to users, that would be my vote.