Verify trustworthiness of domains used with wallet

[sleepiJoe]

If we provide a list of "trusted domains" for the stacks-wallet, we could warn users, when they connect to a (new) domain? Will there be a need for democratically voting to include new "trusted domains"? 🤔

or do we already have that as a separate addon?

Issue opened @andresgalante Let's discuss the idea on github 😊

KR, sleepi on discord

PS: I can't add labels...

[kyranjamie]

+1 to this. The idea has been floated before. Metamask has this feature.

I'd imagine this would use a blacklist, rather than a whitelist, owing to the complexities/work involved in administering it an okay-list.

A democratic voting system for trusted domains is an interesting idea. Complex, though. It'd need to be resistant to abuse, etc. The implementation of this would be out of scope of the wallet itself, a SIP maybe?

[sleepiJoe]

Related issues:

Warn user with extension about website visits that indicate possible phishing attacks Enhancement 💡 extension security #676 opened on 11 Nov 2020 by markmhx

enhancement: add anti-phishing phrase feature to Connect Enhancement 💡 stale #556 by fluidvoice was closed on 9 Feb

[markmhendrickson]

This is related: https://github.com/hirosystems/stacks-wallet-web/issues/676

My first thought here is that it would be most robust to pursue such domain verification with a decentralized mechanism vs. a single Hiro-controlled white or blacklist.

As @kyranjamie suggests, perhaps someone can produce a SIP that can be used for network users to vouch for particular domains in a standardized way via contract signing. Then the wallet and other clients can read this data and show users just how much (and what kind) of vouching their currently viewed URL as received to date, showing affordances, warnings and the like when things look either good or bad.

I..e this SIP could detail ways for users to indicate URLs as safe or dangerous for authentication and transacting. BNS could come into play as well to see just which users have vouched.

cc @larrysalibra

[sleepiJoe]

As a current example, I wanna present the website stacksgiveaway.com (WARNING SCAM) where someone is promoting a STX-airdrop with the currently used wallet address: SP1GY8SWFHQDM35NSGFY2C534R2AJCC6NPMETTTVG (WARNING SCAM)

We should be able to warn users in the web-wallet that they are sending stacks to a scammer. I'm okay with a blacklist too. It will be more practical in the future. What do you think about that @kyranjamie ?

[kyranjamie]

Agreed, we should proactively be warning users of scams like a this. While we'll never catch all of them, a best-effort would still be worthwhile.