lukechampine
commented
2 weeks ago Good call -- this was originally implemented because the normal signing flow only supports "simple" transactions (SC/SF inputs and outputs, with a miner fee), making it impossible to use a Ledger to sign e.g. a file contract or a Foundation subsidy address update. But those cases can be handled without introducing a fully-general signing flow (which is indeed much too easy for an attacker to take advantage of).
The application allows a user to sign a hash without custom configuration. Blind signing breaks the device threat model for many reasons explained here.
If blind singing is needed, a special flow must be implemented that disables blind signing by default and refuses the associated commands. If the user really knows what he is doing he can then enable blind singing in the application parameters at his own risks.
Recommendation: This feature is not used by the SIA wallet (https://github.com/siacentral/ledgerjs-sia/blob/main/src/sia.ts). So if it's ever needed it can be removed from the code base. If it's still needed, the blind signing requirements must be implemented to guarantee security by default.