sparrowwallet / sparrow

Desktop Bitcoin Wallet focused on security and privacy. Free and open source.
https://sparrowwallet.com/
Apache License 2.0

[Feature] Make PayNym retrieval opt-in #709

Closed RequestPrivacy closed 1 year ago

RequestPrivacy commented 1 year ago

Note - it might be that some of the following statements are based on a flawed understanding of payment codes and PayNyms on my side. I appreciate clarifications.

Description

System: Linux (Kubuntu 22.04LTS) Sparrow: 1.6.6

I've recently created a new wallet and once I clicked on Tools -> Show PayNym, Sparrow automatically retrieved the PayNym (i.e. the short descriptive name and robot picture) from Samourai's paynym.is site.

I recall that this was previously an opt-in feature (might be wrong here).

As far as I understand it, PayNyms in the sense described above are not mandatory, as the real deal is the underlying payment code starting with PM8....

Feature Request

  1. Disable automatic retrieval of a PayNym by defaulting to a button which has to be clicked for kicking-off the retrieval (making the process opt-in).

  2. Offer a tooltip or dialog explaining the reliance on an external server and company (Samourai) and its potential privacy implications (it seems to me that paynym.is is an open directory where all PayNyms and their followers can be viewed). Further make it clear, that every collaborator with whom you shared your payment code can retrieve your PayNym (and its followers?) from the site: paynym is_previewPaynym

  3. Add to the tooltip the extract from the Sparrow Docs http://sparrowa7io5pz6ud3ehqzosvepbxbxt2zphmkjsylp2zgxooko23pqd.onion/docs/spending-privately.html#soroban-paynym-payment-code "You can perform a collaborative two person coinjoin with either payment codes or PayNyms on Sparrow. If you are collaborating with a Samourai user, you will need to use PayNyms, and add each other’s PayNym to your respective contact lists."

Reasoning

If someone knows that a wallet is used just between Sparrow clients, or if users who do not want to use or understand payment codes/PayNyms accidentally click on "Show PayNyms" or "Find Mix Partner", an external connection shouldn't be made without their consent.

nyxnor commented 1 year ago

Agree with the reasoning, if I could suggest something, a dialog box maybe explaining a little bit of paynym.is and its advantages and disadvantages before accepting the connection would be great to protect against unwanted retrieval from the application side.

rapidlab309 commented 1 year ago

  1. The retrieval isn't automatic, I've never seen it generated automatically.
  2. It's true, and I've tested it, the PM8TJ.. code is all that's needed to make any BIP47 TX, as well as Stowaway & StonewallX2 on Sparrow
  3. Having it in the documentation is a good idea
  4. The website (PayNym[.]is) won't show every PayNym, only the recent ones & won't show who you follow/are followed by.

RequestPrivacy commented 1 year ago

  1. I just re-tried with a new wallet, first time opening the PayNym setting:

https://user-images.githubusercontent.com/72392544/196027025-d73d2835-d5c3-4bff-9848-33939ce7772a.mp4

It looks as if Sparrow tries to retrieve the PayNym. Opening it a second time (unfortunately not filmed):

Paynym_retrieval

Then I went into Tools -> Find Mix Partner and here it retrieved the PayNym automatically!

After that going back into Tools -> Show PayNym

Paynym_retrieval_2

So either both menus try to retrieve the PayNym or at least the Tools -> Find Mix Partner does. I definitely haven't asked Sparrow to retrieve a PayNym, just switched between menus and yet there the PayNym is. That isn't something which should happen imho.

  1. Have you tried this only on Sparrow + Sparrow, or also on Sparrow + Samourai transactions?
  2. If for both, this should indeed be reflected in the docs, bc they make it sound as if you need the PayNym for transacting with/to Samourai Wallet users
  3. It seems I got that wrong in that it doesn't show the information to the web. But what Samourai collects internally isn't known, right? Please don't get me wrong, I have no reason to distrust the Samourai team nor do I think the information that could be leaked is particularly relevant. Still, these are things the users have to decide for themselves so:

PayNym retrieval should be an informed opt-in, even more so if your point no 2) is valid for both use cases.

rapidlab309 commented 1 year ago

  1. I'm not sure if it tries to retrieve or if it's just looking whether the code is linked to any known PayNym. Will need to take a look into the code, or maybe @craigraw could elaborate on this one. I couldn't reproduce the generation of a PayNym at any point if it's unwanted, both on macOS & Windows (using 1.6.6).
  2. I tried Sparrow to Sparrow only, will try Samourai to Sparrow & Sparrow to Samourai later on.
  3. I agree, hoping it's not necessary and easier to explain in docs.
  4. I'm not part of Samourai, and if you don't want to opt in you should be able to. TDev declared it's an opt-in option (as for BIP47 at least in Samourai). I think that it would be wise to get to their support or Telegram group and ask about the information on PayNym[.]is; I have no idea and won't want to mislead anyone about it.

craigraw commented 1 year ago

Use of PayNyms is opt-in. There is an application-wide setting in the config file

"usePayNym": false,

which is by default false. To get it set to true, you must have explicitly opted in by clicking the "Retrieve PayNym" button, as indicated in the following screenshot:

Screenshot 2022-10-17 at 08 31 42

RequestPrivacy commented 1 year ago

True, there is such an option in the config file. Okay, this leads me to the following questions:

  1. Was/is there a setting in the UI where I can toggle this on/off AFTER I set it to true by clicking on the button?
  2. Is there a need to make this application-wide instead of wallet specific?

I don't know if it adds value to others, but I would prefer to have the choice in each separate wallet.

craigraw commented 1 year ago

Was/is there a setting in the UI where I can toggle this on/off AFTER I set it to true by clicking on the button?

No - as one has already sent the payment code to paynym.is, so disabling it later is perhaps less useful than it would sound in the UI.

I don't know if it adds value to others, but I would prefer to have the choice in each separate wallet.

Can you motivate this use case? I prefer to treat different sets of wallets with different privacy requirements using different configs with the -d flag to set Sparrow home, which is less mental burden (for me anyway).
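As an added example, not Sparrow's own code: a small Python audit of the application-wide "usePayNym" opt-in described above, run across the separate Sparrow homes one would select with the -d flag. It assumes the config is a JSON file named config directly inside each Sparrow home (default ~/.sparrow); the sample config and its second key are constructed.

```python
# Added example (not Sparrow's own code): audit and, if wanted, revert the
# application-wide "usePayNym" opt-in in one or more Sparrow home directories.
# Assumptions: the config is the JSON file named "config" directly inside the
# Sparrow home (default ~/.sparrow; an alternative home is what "-d" selects).
import json
from pathlib import Path

DEFAULT_HOME = Path.home() / ".sparrow"  # assumed default Sparrow home


def paynym_state(config_text: str) -> bool:
    """True if this config has opted in to PayNym retrieval.
    A missing key means the default, which the thread states is false."""
    return bool(json.loads(config_text).get("usePayNym", False))


def disable_paynym(config_text: str) -> str:
    """Return the config with "usePayNym" forced to false, other keys intact."""
    cfg = json.loads(config_text)
    cfg["usePayNym"] = False
    return json.dumps(cfg, indent=2)


def audit_homes(homes):
    """Map each Sparrow home to its opt-in state (None if it has no config)."""
    result = {}
    for home in homes:
        cfg_path = Path(home) / "config"
        result[str(home)] = (
            paynym_state(cfg_path.read_text()) if cfg_path.is_file() else None
        )
    return result


# Constructed sample config; "exampleOtherSetting" is a placeholder key.
SAMPLE_CONFIG = '{"usePayNym": true, "exampleOtherSetting": 1}'

if __name__ == "__main__":
    for home, state in audit_homes([DEFAULT_HOME]).items():
        print(f"{home}: usePayNym={state}")
```

Running it lists each Sparrow home with its current opt-in state; disable_paynym produces the text to write back if a home should be returned to the default.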

RequestPrivacy commented 1 year ago

I never thought about using the -d flag for separating use cases. Thanks for the advice.

First of all it has something to do with Sparrow not behaving like I expected it to do. The fact that @nyxnor agreed and even @rapidlab309 was unsure (in the sense that he expected it to be always opt-in, not just before the first "agreement") makes me think others might also be taken aback by this behavior - although I am certain most won't care.

Use cases or motivation:

As I now know what's going on and have workaround feel free to close this issue when the others have no comments and/or you don't see a need for further action.

Thanks everyone involved in the discussion!

craigraw commented 1 year ago

Understandable - although a lot of thought has gone into balancing these kinds of concerns with making it easy enough to use, communicating all the detail without overwhelming the user can be difficult.

At least a hint in the docs towards editing the config file (set "use paynym: false or -d flag for separating via different configs) would be cool for control freaks like me.

I've made some changes to https://sparrowwallet.com/docs/spending-privately.html and https://sparrowwallet.com/docs/faq.html#where-does-sparrow-store-data to indicate that PayNyms (and by extension connections to paynym.is) are strictly opt-in, and can be configured in the config file.

craigraw commented 1 year ago

Closing this off.