Can this be modified so that it is calling its own personal_sign_swie method, probaly not that method name though, so we can both enforce the data structure and so that, from the extension level, the request could be modified to represent the contract wallet if one is in place? (I am helping building an ERC-4337 platform and this would be very helpful personal and generally useful too)
I would like to say that for many less technical users the current required information is actually more intimidating and seems riskier than what users may be more familiar with which usually stress that they are simply signing a simple plain text which cannot be used for nefarious purposes. There have been several phishing scams that got users to sign buy or sell orders and other types of data that resulted in theft of assets so this is something end users can be rightly wary of.
For example here are some common signatures to verify: Imgur: The magic of the Internet
For that reason I think sticking with 191 over 712 could be a better choice, even though I do think 712 is technically the right choice.
This is partially why I am suggesting the personal_sign_swie method because the 4337 wallet I am building flags all signature requests for non transactions like this as potentially dangerous. (and actual transactions are provided a preplay showing what events, balance changes, and source code for contracts interacted with).
Can someone please link to any (all) research and discussions regarding user safety…e.g. phishing considerations, domain binding, etc. etc. etc. from this EIP or others. I know there have been a ton of these but over the years but they arent where they need to be which is in the spec itself or linked to from the spec itself.
Right now the only real guidance is “
Both the wallet and relying party have to implement this specification for improved security to the end user. Specifically, the wallet MUST confirm that the message is for the correct domain or provide the user means to do so manually (such as instructions to visually confirming the correct domain in a TLS-protected website prior to connecting via QR code or deeplink), otherwise the user is subject to phishing attacks.” and frankly…thats just not going to get the end user experience where it needs to be.
@wyc are you guys still working on this EIP? What is the status of this?
The industry needs this functionality, and without a standard approved wallets cant start implementing protections on their end.
I see an interesting parallel to the Internet in how browsers are trusted with protecting cookies and only allow certain sites from certain domains to access them. The role of wallets in this EIP is similar - the wallet needs to ensure that the domain and message is correct.
I have seen some comments on the fact that the message structure is intimidating due to eip712.
At the end of the day wallets will hide this complexity and show easy UI to the users.
Users should never see the actual messages being passed.
Just like users today trust the browsers to keep their cookie safe from unauthorized domains - the same will happen to wallets, users will most likely not double check and read the actual low-level message themselves.
Just like you don’t read the TLS certificate messages and signatures yourself - you trust the green lock icon in the browser to tell you that communication with the website is secure.
Im sending these messages here on this forum without verifying anything about how the encryption actually is established.
The whole Internet is built on this “trust the browser” model (and therefore all online banking handling trillions in assets). It is clearly successful. Therefore it makes sense that web3 follows the same model. Let me know if I am missing something.
Therefore, I do not share the concerns about the message complexity/intimidation.
In fact, we need to move away from showing raw-text and do real UI in the wallets.
As long as there is no standard we cant get to work as an industry and build - that’s why I would love to see more activity in this EIP.
Looking forward to more news about this eip! (and of course happy to help in any way I can)
Hey Ivan, absolutely we are still working on this! I’m glad that you share our excitement about how foundational this work is for the ecosystem, and I’m happy to share that there are hundreds of projects using this specification already. Would you like to join our next community call and chat there? You can listen to the one that happened today here:
While I sympathize with your view (and remain optimistic) that eventually the wallets will abstract message signing and create trusted signing UX modals with potentially complex message formats under the hood, this hope simply didn’t match up with our developer interviews across hundreds of dapps and many wallets, including MetaMask. In short, while you may not be worried about message complexity, implementers are…so if you have a proposal that is a shoo-in for introducing a generalizable trusted consent screen for complex message formats in EIP712 then let’s hear it!!! So far, we haven’t been able to get the community to align around such an approach, and there are 3 versions of EIP712 so you have to be specific about which one you are referring to. Are recursive data structures something that all wallets will be able to implement and display a delightful+secure UX around (v3)? How widespread and correct are EIP712 implementations today? Are we committed to EIP712 or is there something potentially even better, such as how some integrity objects like biscuits and macaroons can be implemented via signed protobuf object or even COSE. We need concrete proposals on how this would happen for this direction to be a viable path, but we’re totally open to it in future iterations of SIWE. So please join the community call or discord and we can continue the discussion there.
Hey @wyc thanks for coming back! I will listen to the community call and join future ones. Are they weekly/monthly?
Also - if you are interested I would love to interview you on our youtube https://www.youtube.com/channel/UCgWS9Q3P5AxCWyQLT2kQhBw
Interesting points about the implementers as it is key they are on board.
Do we know their reasoning for it?
Do they envision a future in which the users will read and verify the full messages?
It would be great to interview end-users and do end-user testing.
Wallets will choose whatever will make them outcompete other wallets. (interesting episode on wallet competition The Crypto Wallet War is coming | E08 - YouTube)
So if we have users preferring a solution wallets will consider it seriously, and that’s also how we ensure that we build things the users like and leads to mass adoption instead of building tech for other techies
One concern I can understand is that of being responsible for this secure UI. I can imagine wallets wanting to put all responsibility on the user to read and verify everything.
But that’s not how browsers are doing it with all Internet security, and where would the web be if users had to verify all SSL encryption etc.
So maybe it makes sense to have a format in which some wallets show the raw-text and some wallets can do a nice UI and we let the market decide who wins.
Regarding the message types - I need to do more homework as I am only familiar with them on a very high level. And I am probably not the correct person to give opinions on the exact technical pros and cons of each format.
I am not sure where we are at exactly in the process but I would propose something like this:
- Create an official working group consisting of wallets, projects, infra providers
- Come up with milestones, for example - agree on message format, agree on desired UI, etcetc
- Set deadlines for each milestone
- Do regular checkins with the working group
Do we have some sort of official working group yet?
I stumbled upon an ambiguity in this EIP, can you please help resolve it?
Pointing out one concern with this: making a blanket statement that signing “a simple plain text CANNOT be used for nefarious purposes” isn’t totally true. What the end user signs is a hash of the message, and therefore if there’s any option to change parts of the message, an attacker could use that to adjust the message hash the user signs to something the attacker wants.
For example, taking a scenario of a particular NFT marketplace uses EIP712 messages for creating sale offers, and a separate website uses EIP191 “simple plain text” messages to log in: Common structures already in the wild for those sort of use cases have either “nonce” values or datetime values in the structure of those messages that can be manipulated. For this example, let’s say the marketplace’s EIP712 message has a “valid until” date that only needs to be in the future, and the website’s login prompt has a “nonce” value that any random value is valid for. If Alice has a specific NFT that Eve wishes to attempt to spearphish Alice for, Eve could construct a “sell offer” in the marketplace’s EIP712 format, hard-coding Alice’s holding address and the NFT’s identifiers. Eve then makes a fake website emulating the website that uses EIP191 text messages to log in. Because Eve can change variables on both of the text messages, she then has to search for a hash collision between them. Because of the birthday problem, this is much easier than just trying to find a collision for a single hash value.
Once Eve finds a “valid until” datetime value and “nonce” value that cause both the EIP191 text message and the EIP712 message to hash to the same value, she can send Alice a link to Eve’s fake site, and when Alice clicks to “log in”, the EIP191 message that pops up is a “simple plain text” message, but if Alice signs it, Eve can attach that signature to an EIP712 message and steal Alice’s NFT.
Even if a text message appears “static” (the login text message to sign is just “Sign this message to log into example.com”), and Alice knows that, Eve could still use tricks like inserting zero-width-spaces to make the text message look the same rendered to Alice, but actually hash to something different.
There’s more that wallet software can do to help users determine if the message is not what it should be, but I think the answer is not to train users to expect “a simple plain text CANNOT be used for nefarious purposes”.
In this draft EIP, the motivation is stated for “non-blockchain services”. (The motivation could be more clear about what is its purpose, separately from what already exists and does not exist.)
So considering the motivation, several parts of the specification seem inappropriate:
- chain-id – websites are off-chain and therefore chain-id is not relevant
- “… For Contract Accounts,” section – contracts already have a mechanism for logging in, and this contract authentication is entirely out of scope of the motivation
This proposal will be improved if the chain-id section is removed. Please note that customers have a limited attention span, and the MetaMask mask wallet has a strictly limited number of pixels (that can’t be resized) for reviewing message signatures. Therefore, every inclusion of an unnecessary thing, like chainID, reduces the security of the system.
This note is not my comprehensive review of EIP-4361 DRAFT.
While replay attacks targeting the sign-in process isn’t very common especially not when it comes to chain ID, I still think it’s worth it. This piece of information doesn’t necessarily need to be seen by the user, wallets can improve this UX by perhaps checking the chain ID against the currently connected chain ID? Just some random thought by a non-UX person, but again I still think it’s necessary. Your points are valid but they seem to be design problems, not technical ones.