Suggestion: improve convenience and security for wallet updates

The issue i would like to see improved:

  1. Most people neither know what a checksum is nor how to calculate it.
  2. The published checksums on the website aren’t signed by anyone (user can’t confirm if they are trustworthy)
  3. In any case, for a regular person the existing security schemes are not user friendly. Most people lack the basic computer literacy to even understand what this is about (yet alone to confirm the legitimacy of a file they downloaded from the internet).
  4. In the hypothetical case that the beam.mw website gets hacked, the published checksum can be manipulated (no pgp signature).

The general idea of the proposed solution:
The wallet should have a functionality that checks if a newly released wallet version has been signed by Beam and can be trusted.

  • this should not require any special knowledge from the user.
  • It could be added e.g. as a “check safety/origin of new wallet update” button in the wallet settings menu.

Proposed checking scheme:

1. Have a beam “master” pgp signature that is only used to assign a separate “trusted” pgp signature. This separate “trusted” signature is authorized to publish the official checksum for each new wallet update. (The “master” signature only exists, to maintain the ability to remove and reassign the authorization to publish checksums of wallet updates. This is only needed in the case that the “trusted” pgp key gets stolen/compromised.)

2. The “master” pgp signature gets hardcoded in every wallet release.
3. When the user presses the respective button, he has to indicate the newly downloaded file to be checked
4. The wallet then looks up the most recent published authorized “trusted” pgp signature (authorized by the beam “master” pgp signature)
5. Then it pulls the published checksum (signed by the authorized “trusted” pgp key from the previous step)
6. Then it calculates the checksum of the file indicated by the user.
7. Finally, it tells the user if the updates comes(or doesn’t come) from a trusted source (Beam).

The basic idea is to make wallet updates both safer and fool proof at the same time. The current system has various attack surfaces and isn’t great for people with limited computer literacy.

In any case, the published checksums should always have a pgp signature. As a user, once I know the “trusted” public key, i can confirm the origin of all future checksums and thus of the files i download.
An example of a very rigorous scheme can be found on the Qubes OS download page (https://www.qubes-os.org/downloads/), however it is cumbersome and lacks usability for regular people. Hence why the suggested wallet functionality.

Maybe there are more elegant or better methods than what I suggested above, my knowledge of the subject is rather basic. Would be great to hear feedback on these ideas from the team or others with deeper understanding of the matter.

4 Likes

Nice to see someone else who is interested in this subject.
I’ve been struggling for a while to get Beam devs to take release signing more seriously.

I’m very familiar with PGP, master/subkeys, signatures, hash fingerprint / checksums, etc.

But I find your proposal a bit difficult to understand…

In the above quote, did you mean to use the word “key” instead of “signature”?

And by “assign” did you mean “certify”?

As written, I’m not getting it, but I believe you are proposing to add an automatic update system like what the Monero GUI already does. It’s a model where users trust that if the first wallet download is legit, then future upgrades are all verified by OpenPGP signature checking routines built into the software itself. Right?

If so, then yes – sounds great!

Like this idea or something like it. Seems UX inefficient to have to be aware of when Beam is hard forking and then go to the website and download a new version and trust that the website is safe at that time