A lightweight web wallet for Zcash

This is just general stuff off the top of my head. I know others covered this, but I havent considered metamask yet. it is actually on my security review todo list.

If I get time (I probably wont), but this info is still really useful if someone could do it please) I am not too familiar with the specifics of each of the different applications of this idea.

You have listed a number of “web based local generation” pojects, but i am doubtful they all work identically.

So far you have listed 3 of the downsides of general wallets.

You have missed a lot, i.e. server security, MITM, phishing attacks, vhosts, DNS attacks, network observers, machine admins (think hostile work/machine environments), local file access, local ram access (these dont have to lead to security issues but they need to be tested and assessed) -

Could you please provide more details on your defense in depth approach.

“Even though we will be encrypting all local storage” This statement means very little. - at what point are you encrypting? general best practice is to do this in containerised ram then write to disk.

There is no costing outlined for test methodology or testplans. What is your plan for testing? You will probably be spending quite a bit of of your resources on testing. This is generally the case when you “do something new”. I see a lot of expense on development and R&D but little on making sure it actually works and is safe.

tagging @alchemdydc because this kind of software has unquie security issues. Alchemy has contributed to the OWASP, which you will need to go over and probably pay someone to test it. idk. like I said I havent fully checked the scope, i know how myetherwallet works tho.

If you would like me to add extensive information about the issues you will face, how to mitigate them, write test plans, organise testing and triage of bugs (a lot of simple bugs turn out to be potential security issues)

They might do. Do you have a rough idea of the start up 12 month costs for server mantience, SLA’s, dedicated boxes, etc? User adoption may not cause massive issues depening on how you design the site.

I will have a brief look at the sites you listed and see the different methods for implementation. its not going to be exhaustive. I might take a look at metamask.

Thats only one layer of security and not particularly good at that. sure it does what it is supposed to under very narrow conditions, but the devices are just not designed for that.

sure, but it is pretty easy to put a custom OS on an iphone or android (even remotely if the device is >2 years old. “checkm8 apple” and various root exploits on android devices.) FDE might help. I have it on my work phones…

The biggest issue is and always will be user education.

I’d also like to see the previous implementation available for benchmarking. Wasm should not be more than 2x slower than native. Therefore, if we accept the performance of low tier phones, running wasm on a decent desktop should be reasonable too.

No, it’s ask more questions and get feedback from the community.

1. Is a webwallet something that the community would utilize?
2. Is a plugin something that the developers would be interested/able to do?

I believe @adityapk00 has it somewhere in the ZecWallet repo?

@Shawn thank you for the feedback from the ZMOG review. We’re absolutely open to pivoting to a MetaMask style implementation. We will start researching and revising our proposal accordingly.

Sorry to be late to the game. But, I absolutely love this proposal. I’m only now just discovering the work that aditya and str4d among others have put towards this.

I think the most desirable output of these wasm-adjacent proposals would be an open source npm-installable module that could be inserted into different webapps, browser plugins and desktop and native apps.

If the performance problems are not too onerous and can be improved upon, web is the most desirable and popular development platform. If we could provide a smooth onboarding of developers …

Uptake of a single wallet/webapp by endusers might not reveal much demand. But, ease-of-development for high-level developers in UI/UX could be a gamechanger. A browser-capable npm module could be a tool that drives innovation and adoption much more than a single wallet/site/app…

Any fresh source out there to try to build today?

Hi @adityapk00 , thanks for your work; I tried to run your old WASM branch. It still builds and runs; but, it has a 502/CORS error requesting https://lightwalletd.zecwallet.co/cash.z.wallet.sdk.rpc.CompactTxStreamer/GetLightdInfo

Do you know if this is just a change on the server side? Is there still a way to run a web version of zecwallet-lite?

To get this to work, you need to run the light wallet server on https (it usually works on grpc). There’s no simple way to do this, but I had done it by proxying it through envoy.