201 sats \ 5 replies \ @netstatic OP 17 Jul 2023
While I agree that @fluffypony's concerns about the security of web wallets are valid, the examples he cites as security threats apply to the distribution of desktop wallets as well. Attacks such as BGP rerouting, domain squatting, and the potential for a malicious Cloudflare worker can compromise any online service, not just web wallets.
Also I called it FUD because at the end of the day he IS disparaging the app, irrespective of the reason stemming from its architectural decisions. Read “@MutinyWallet is a terrible idea and NOBODY should use it!” and “It is literally impossible to secure a web wallet attack surface”. It is said in a matter-of-fact way and under the assumption that a sizable amount of users are vulnerable to having their funds stolen in the ways he describes.
Despite this fact, the MyMonero website still provides a way to not just access, but create new web wallets as grubles has pointed out in one of the replies (https://twitter.com/notgrubles/status/1680912592733192192). If it was such a big issue for @fluffypony, I’d imagine due diligence could be done rectifying his own work by trying to force users to withdraw or at the very least prevent new wallets from being made.
Furthermore, there’s an air of presumption that the creators of the Mutiny wallet don’t know the risks and aren’t actively trying to mitigate it. As @benthecarman says “he's not wrong that there are risks, but the alternative is praying to daddy apple and google for permission” (https://twitter.com/benthecarman/status/1680631437085626369), seemingly indicating a prior understanding that there are tradeoffs with this approach.
Another comment highlights that the app is a PWA, which should limit some of the attack surfaces described (like having to constantly worry about the correct JS bundles being received from the server). There’s a tiny concession by @fluffypony (https://twitter.com/fluffypony/status/1680936318820294657), but only after he seemed to hand-wave any security concessions on a previous comment (https://twitter.com/fluffypony/status/1680764906667220992).
Anyway this is probably my last comment on the matter. Users will inevitably continue to use and test Mutiny Wallet, exploring its security and efficiency firsthand. Rather than dismissing the project altogether, I just wish @fluffypony would highlight specific vulnerabilities and suggest potential solutions. The sentiment, "If I couldn't protect a significant amount of my Monero users from web wallet theft enough to justify its ongoing development, no one can!" seems dismissive and unhelpful.
reply
0 sats \ 4 replies \ @llamabyte 17 Jul 2023
Fluffy promoted a shitcoin, not monero, recently. I don't get him.
reply
0 sats \ 3 replies \ @DeltaClimbs 18 Jul 2023
He is incredibly obese. How do you expect a "man" who cannot take care of his body to act as a human?
reply
10 sats \ 0 replies \ @duvel 22 Jul 2023
Ad hominem attacks are not a good basis to start a discussion.
reply
0 sats \ 1 reply \ @llamabyte 18 Jul 2023
Recent pic: https://imgur.com/a/7Bq9CLC
reply
0 sats \ 0 replies \ @DeltaClimbs 18 Jul 2023
Nice, good for him!
reply
103 sats \ 0 replies \ @siggy47 17 Jul 2023
We don't live in a risk-free world. People can choose to keep their sats on Wallet Of Satoshi or even an exchange and trust someone else. I'd prefer to double check my URL. If I screw up, that's my problem. Besides, it's not like Mutiny Wallet is meant for long-term storage of large amounts of bitcoin.
reply
165 sats \ 3 replies \ @Peialto 17 Jul 2023
I don't think this is a kind of FUD; they are trying to bring awareness and caution to users.
reply
0 sats \ 1 reply \ @Norbert 18 Jul 2023
FUD as in Facts U Dislike.
reply
0 sats \ 0 replies \ @Peialto 18 Jul 2023
Not that I don't like it, it must have a basis of facts. Totally different from information that I am assuming. FUD happens if it happened multiple times. Don't get confused on what I want to point out in my previous comment. I am with you all when it comes to real FUD.
reply
0 sats \ 0 replies \ @byzantine 17 Jul 2023
yea his concerns are 100%. a PWA can rug you at any time without your interaction
reply
98 sats \ 5 replies \ @ursuscamp 17 Jul 2023
I think all of his points are valid concerns. Many are just related to phishing, however, which means discerning users will not be fooled. Doesn't mean it's not a problem, but it just means that the users should be aware which domains they are visiting.
reply
0 sats \ 4 replies \ @0330830bf9 17 Jul 2023
Shitcoiners hate personal responsibility. Making sure users verify a domain is inconceivable, it's much better to be complacent in running any unverifiable shitwallet that paid Apple's ransom.
reply
0 sats \ 3 replies \ @thrown 18 Jul 2023
There are more people using custodial services for Bitcoin than just about any other “shitcoin” in existence
reply
0 sats \ 2 replies \ @0330830bf9 20 Jul 2023
Good. Bitcoin is winning.
Shitcoins exclusively sit on exchanges for degen trading, while Bitcoin custodial services are kept in check by the armed preservation of self-custodial optionality.
reply
0 sats \ 1 reply \ @thrown 20 Jul 2023
Literally moving the goalposts. But that’s okay. You fail there too. Monero and LTC are used more than BTC lol.
Why not come up with talking points that actually support Bitcoin? We need a better class of maximalist honestly.
reply
0 sats \ 0 replies \ @0330830bf9 20 Jul 2023
Ahhh shitcoin boiiii with 0 intellectual honesty. Not surprised based on the first take.
reply
595 sats \ 0 replies \ @orangesurf 17 Jul 2023
Fluffypony gives useful insights having been involved with hardening a web wallet for many years.
The criticism is well founded IMO, PWAs are a security minefield unsuitable for a sensitive application like a bitcoin wallet.
This isn't to dismiss the impressive work done by the mutiny devs, the app works well and looks great. The architecture is the issue.
reply
28 sats \ 2 replies \ @nicosey 17 Jul 2023
He FUDs the fact it's web, not the wallet or implementation itself
reply
3 sats \ 1 reply \ @siggy47 17 Jul 2023
You're right, but the products are very different, and the web in 2023 is not the same as it was in 2017 when he stopped trying.
reply
1 sat \ 0 replies \ @nicosey 17 Jul 2023
Listen, I am not a fan of the web approach either. However, it's horses for courses, Mutiny are hiding anything here.
reply
85 sats \ 0 replies \ @clr 17 Jul 2023
I think his comments are valid. Personally, I prefer to use a dedicated app. I understand that there are people who might want to use a web wallet for whatever reason, but they should be aware of the risks.
reply
2 sats \ 0 replies \ @thrown 17 Jul 2023
I suggested pinning the front end to a service like IPFS where you know that you’re only using a certain version number and not going to get an upgrade of the app without your knowledge.
Seems like a good solution to me, but I was dismissed by the creator of Mutiny Wallet with “IPFS is a scam” or some similar comment. Completely ignoring the idea itself. Ignore IPFS, let people host the front end on GitHub Pages or something. The idea is making the hosting accessible and easy for people so they don’t need to worry about forced upgrades.
Why wouldn’t this idea work?
reply
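The version-pinning idea in @thrown's comment above, sketched as an added example (not part of the thread and not Mutiny Wallet's code): a release is reduced to one pinned digest, and anything the server later swaps in fails the check. The manifest layout, function names and file contents are assumptions constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// SRI-style digest string, the same form browsers accept in integrity="...".
function sriDigest(bytes) {
  return 'sha384-' + createHash('sha384').update(bytes).digest('base64');
}

// Canonical root over version + sorted (path, digest) pairs. This single
// string is what a user pins; the manifest layout is an assumption.
function rootOf(version, entries) {
  const sorted = Object.keys(entries).sort().map((p) => [p, entries[p]]);
  return sriDigest(Buffer.from(JSON.stringify([version, sorted])));
}

function buildManifest(version, files) {
  const entries = {};
  for (const p of Object.keys(files)) entries[p] = sriDigest(files[p]);
  return { version, entries, root: rootOf(version, entries) };
}

// Returns a list of problems; an empty list means the served files are
// exactly the pinned release.
function verifyRelease(pinnedRoot, manifest, served) {
  const problems = [];
  if (rootOf(manifest.version, manifest.entries) !== pinnedRoot) {
    problems.push('manifest does not match pinned root');
  }
  for (const p of Object.keys(manifest.entries).sort()) {
    if (!Object.hasOwn(served, p)) problems.push(`missing: ${p}`);
    else if (sriDigest(served[p]) !== manifest.entries[p]) problems.push(`modified: ${p}`);
  }
  for (const p of Object.keys(served).sort()) {
    if (!Object.hasOwn(manifest.entries, p)) problems.push(`unexpected: ${p}`);
  }
  return problems;
}

// Constructed sample release (file contents are made up).
const release = {
  'index.html': Buffer.from('<script src="assets/app.js"></script>'),
  'assets/app.js': Buffer.from('console.log("wallet v1.0.0")'),
  'sw.js': Buffer.from('self.addEventListener("fetch", () => {})'),
};
const manifest = buildManifest('1.0.0', release);
const pinned = manifest.root;

// A silent "upgrade": same paths, one bundle changed on the server.
const pushed = { ...release, 'assets/app.js': Buffer.from('console.log("wallet v1.0.1")') };

console.log(verifyRelease(pinned, manifest, release)); // []
console.log(verifyRelease(pinned, manifest, pushed));  // [ 'modified: assets/app.js' ]
```

The check only helps when it runs outside the page being checked (a local script, an extension, or a content-addressed loader), since a page served by the same origin cannot vouch for itself.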
2 sats \ 0 replies \ @spacewrangler 17 Jul 2023
He's not wrong....this isn't 'FUD', just valid concerns.
reply
1 sat \ 0 replies \ @guts 17 Jul 2023
I still believe his concerns are valid.
reply
1 sat \ 0 replies \ @premitive1 17 Jul 2023
they also bring up that MyMonero wallet lost their users millions of dollars due to poor user interface...
reply
0 sats \ 0 replies \ @warif2570 17 Jul 2023
That former xmr has nothing better to do
reply