zkSNACKs / zIPs

zkSNACKs' Improvement Proposals

Password Protect Wasabiwallet #39

Open btcpirate opened 5 years ago

btcpirate commented 5 years ago

As of now everybody opening the machine Wasabi is running on can see the transaction history (CoinJoin history) of all wallets.

The easiest way (UX related) to password protect the whole wallet would be to offer a checkbox when setting up the wallet password that says "encrypt wallet", so if a user ticks the box he will be asked at every launch of Wasabi to enter this password to gain access, preventing unauthorised users from opening the wallet, checking the balance, seeing the history, etc.

nopara73 commented 5 years ago

Idea ACK. I was surprised we didn't have an issue already opened for this. I added it to the technical plans document in the "Extending the Scope of Privacy" section.
Not sure if a password is the best thing that can be done (but it might very well be the only thing that can be done), because requiring a user to remember two different passwords is silly.
One thing to note, whoever will tackle this in the future: Do not reuse the existing wallet password for this! If encryption is broken here, then the wallet funds are lost, too.

lontivero commented 5 years ago

We already discussed this a couple of times with different levels of analysis, and last time we agreed that someone with physical access can do many things: they could simply open and view the wallet file, send it to themselves, install malware and similar actions.

"Protecting" the UI with a password can improve the feeling of security/privacy, but that will not be something real, just an illusion.

btcpirate commented 5 years ago

I do think that it is important to understand what this password is useful for. If you just think about protecting your wallet balance/history from being seen by anybody with a few minutes' access to your laptop, then it is of course valuable. Because nobody with short-time access to your machine can just open Wasabi Wallet and check balance, history, transaction IDs.

So a password would not protect from a state actor who has seized your machine and has months/years to work on it. But a password would protect your balance/history/transaction IDs from anybody who is using your machine for a short time or has access to it because you forgot to lock it or left it running on your desk for a few minutes. So there would be many cases where password protection (with auto lock after a certain time) would add value to one's privacy/security.

nopara73 commented 5 years ago

It's duplicate btw: https://github.com/zkSNACKs/Meta/issues/36

nopara73 commented 5 years ago

I was surprised we didn't have an issue already opened for this.

We did:)

MaxHillebrand commented 5 years ago

Yes, agreed with @btcpirate, we should do everything possible to defend against all levels of attackers. Yes, there is not a perfect fix for defending against super adversaries, but this already solves many issues in the context of low-level attackers.

molnard commented 5 years ago

This is solved by https://github.com/zkSNACKs/WalletWasabi/pull/1681. I am closing this.

nopara73 commented 5 years ago

"solved" is an ambitious word 😄

molnard commented 5 years ago

Rephrasing:

P.S.: The lock screen is truly just for locking the screen of the wallet. With some "hacking" in the UiConfig, the lock screen can be turned off.

MaxHillebrand commented 5 years ago

Can we please re-open the issue? I think it is an invaluable feature to have an encrypted wallet file, as the xpub must be protected as well as the xpriv if we want to preserve privacy. The screen lock does not encrypt the wallet file at all.

An interesting consideration is how this would work with the upcoming multi wallet support. A wallet is only loaded after the password is typed in? From a UI point of view, I would have it like the Test Password tab, but make it mandatory to load the wallet this way, and use the password to decrypt the wallet file temporarily.

molnard commented 4 years ago

Encryption is doable. On the other hand, if the goal is to prevent malware-like activity you must know that accessing Wasabi's memory (with a debugger) is not a big deal.