pull down to refresh

Got our custom signet up and running and working on some LSP improvements for Mutiny. @benthecarman is also working on moving all the browser storage to IndexDB instead of local storage. From there probably continue abstracting out wasm things from mutiny core so that it can run on any device in any programming language. @wefofficial is working on getting the new design and frontend framework of mutiny up to parity with the hackathon proof of concept.
Are you all doing anything special with private keys?
I imagine most XSS attacks can be mitigated with very restrictive content security policies when Mutiny is used in modern browsers - especially considering mutiny's only external "content" comes from chain/gossip/invoice data - but have you come up with anything more sophisticated, e.g. storing keys in a sign only mode using the Crypto API?
reply
Last I looked at Crypto API, there wasn't anything in there we could obviously use or add significant protections for on the XSS side. We do have client side encryption of the sensitive data stored so that needs to be decrypted first before private keys are loaded. Until something like VLS is ready and feasible for some people to run themselves, we are treating the LN side of things in the browser (and in the beginning on chain side too) like a hot spending wallet. There more things that can come on the mobile side or hww side later in the future, and for more advanced VLS stuff but some of that could be year+ down the line.
reply