monero-project / monero-site

https://getmonero.org
BSD 3-Clause "New" or "Revised" License

downloads: mark wallets that could leak data #2019

Closed erciccione closed 1 year ago

erciccione commented 2 years ago

Closes #2011

netlify[bot] commented 2 years ago

Deploy Preview for barolo-time-757cf9 ready!

Name Link
Latest commit 8bfb05f382b3af6bd7478a4b89427e1b597930d1
Latest deploy log https://app.netlify.com/sites/barolo-time-757cf9/deploys/62f608a311b86d00093125f7
Deploy Preview https://deploy-preview-2019--barolo-time-757cf9.netlify.app

SamsungGalaxyPlayer commented 2 years ago

While I understand the sentiment behind this, I don't think it accomplishes the goal.

The issue is that IP address connections are unhidden by default. I think it is arguably worse that some apps use completely random remote nodes without protecting one's IP, which is clearly worse for privacy than just pinging a price API.

Take Monerujo, where one can use their own remote node, but it's not enabled "by default." Feather uses clearnet connections to other nodes for wallet syncing even, "by default." I argue Cake's default nodes are just as "trusted" as Feather's default nodes.

If you want to focus on the defaults, one option is changing the asterisk to "Makes clearnet connections to other servers by default, which may be disabled in settings depending on the app." This would realistically cover all the named apps. Every named app here syncs with a remote node over clearnet by default, leaking one's IP.

Practically, what you're probably looking for is "This wallet makes clearnet connections to other parties which can't be disabled within the app directly. We recommend using the wallet with system-wide Tor or i2p for the most sensitive uses."

Arguably, then your current applied asterisks are assigned appropriately until Cake Wallet allows disabling of those in a first-time startup process. Though I'm not sure if MyMonero allows disabling of everything entirely; maybe they do? Thoughts?

erciccione commented 2 years ago

@SamsungGalaxyPlayer see https://github.com/monero-project/monero-site/issues/2011#issuecomment-1230000852

SamsungGalaxyPlayer commented 2 years ago

Drawing a line and singling out a less-sensitive price API lookup makes zero sense to me. Connecting to an external remote node is significantly more sensitive, and this action is undertaken by Feather, Monerujo, and even the official GUI "by default."

I've given my comments above and they remain unchanged, which includes wording that addresses the core issue.

nahuhh commented 2 years ago

Agree with @SamsungGalaxyPlayer. There pinging remote nodes is no different.

The issue with the price API (at the time of writing) is it cannot be disabled and ships enabled by default. Meaning, even if I'm using a local node, it is still making an external connection.

MyMonero allows LWS afaict, so it should be able to be used privately. In practice, I cannot advise as to what connections it makes.

Edge and apps using MyMonero backend are in a whole different category of "centralized backend".

Open source

  1. Best: Private by default. Opt in to connect to remote nodes or servers. (CLI, GUI)
  2. Great: Trade off some privacy for UX. Auto-connect to remote servers. (Cake, Monerujo, Stack, Feather?)
  3. Convenience: Forced remote backend (Edge)

This being said, every wallet pre v0.18 was making calls to moneropulse