Please clarify warning in README

[jonathancross]

The following warning is unclear:

It is very obviously insecure. DO NOT USE it for generating or decoding any sort of serious secrets.

• Is this saying this python implementation is incorrect and uses insecure methods of generating shares?
• Or that its shares might be incompatible with other implementations (like the Model T firmware)?
• Or is it saying that generating SLIP-39 shares using a general purpose computer is insecure because of attack surface? (meaning "use an air-gapped system")
• Or something else?

[matejcik]

It's clearly saying that it is insecure; not incorrect nor incompatible.

The implementation is not using any sort of hardening techniques. The calculations are probably vulnerable to many side-channels, secret handling is done using standard memory, secrets are taken from shell command line (which usually gets stored in shell history), and the results are dumped to stdout. Although the random generation method should be OK, no effort was spent on ensuring that. The purpose of this tool is to be a reference implementation against which other implementers can check correctness, not an actual end-user tool -- hence, end-user-friendly warning, "insecure, do not use for serious secrets".

We might add something to the effect of "if you need to use this, do it on an air-gapped system", do you perhaps have a wording in mind?

[jonathancross]

Yeah, I think such a warning would be a great addition.

If you need to use this, do it on an air-gapped system as it might leak secrets to shell history, temp tiles, insecure use of memory, etc.

Would you still consider this inadvisable?

Thanks!

[jonathancross]

Would be great if we could get this fix to the README merged into master :-)

[matejcik]

fixed in 9ebff7d