In a series of media appearances, executives stated the French wallet-maker would make part of its code open-source and add additional security protections.
After a week of controversy around its new seed-recovery service, French wallet-maker Ledger has been on a PR offensive, including a Twitter Spaces event with Ledger CEO Pascal Gauthier on Tuesday afternoon and an appearance by the same executive on CoinDesk Television Wednesday morning.
The message? Ledger has listened to its critics and is prepared to make changes to its approach.
"Everybody is quite sad at Ledger when you yell at us. On the other hand, it's okay because we get better and we will always strive to be good servants of the community," Ledger CEO Pascal Gauthier stated during a Twitter Spaces session on Tuesday afternoon.
The yelling in question was the criticism Ledger faced after announcing its new key recovery service. The service will allow users to keep an encrypted backup of their wallets with a set of 3 custodians, including Ledger itself. Numerous Ledger users and observers questioned the safety of the proposed service regarding potential hacks, user data leaks and abuse of trust by Ledger itself.
On Tuesday, Ledger released a letter saying that it heard its users' concerns and decided to change course: it will open-source the Ledger Recover code before launching the service, Gauthier wrote.
Along with that, Ledger will offer an additional security feature in the Recover setup: while the encrypted backup will be stored by 3 custodians, users will have the option to also create a passphrase, so that even if the custodians collude and recover the private key, they will still not be able to move funds without the passphrase.
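Why a passphrase held only by the user defeats colluding custodians can be shown with the standard BIP-39 seed derivation. This is an added example, not Ledger's code: it assumes the Recover passphrase behaves like a BIP-39 passphrase that is never part of the backup, and it uses the public BIP-39 test mnemonic as constructed sample data.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count fixed by the BIP-39 standard


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from a mnemonic and an optional passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    # The passphrase is mixed into the salt, so it changes every derived key.
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def same_wallet(seed_a: bytes, seed_b: bytes) -> bool:
    """Two parties control the same funds only if their seeds are identical."""
    return hmac.compare_digest(seed_a, seed_b)


# Constructed sample data: the public BIP-39 test mnemonic, never a real wallet.
BACKED_UP_MNEMONIC = "abandon " * 11 + "about"
OWNER_PASSPHRASE = "TREZOR"  # passphrase used in the public BIP-39 test vectors


def demo() -> dict:
    owner = bip39_seed(BACKED_UP_MNEMONIC, OWNER_PASSPHRASE)
    # Assumption: colluding custodians rebuild the backed-up mnemonic,
    # but the passphrase was never stored with any of them.
    colluders = bip39_seed(BACKED_UP_MNEMONIC)
    # Caveat for the owner: a mistyped passphrase raises no error,
    # it silently derives a different, empty wallet.
    typo = bip39_seed(BACKED_UP_MNEMONIC, "TREZ0R")
    return {
        "colluders_reach_funds": same_wallet(owner, colluders),
        "typo_reaches_funds": same_wallet(owner, typo),
        "owner_seed_prefix": owner.hex()[:16],
        "colluder_seed_prefix": colluders.hex()[:16],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The protection is only as strong as the passphrase itself: anyone holding the mnemonic can run the same derivation offline against guessed passphrases.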
In the end, nothing is 100 percent trust-less for an average user, Gauthier stated in an interview with CoinDesk Television Wednesday morning.
"There is always a minimum of trust that you must have in any hardware wallet that you're going to use. And we are attempting to make the part of the operating system as the one that you have to trust as small as possible and open everything else," he said.
To open-source or not to open-source
The decision to open-source the code came as a response to critics pointing out that it's impossible to audit Ledger's new feature because the code is not public. Nonetheless, the open-sourcing pledge comes with a caveat: Ledger won't publish the code for all of its firmware for security reasons, the company's CTO Charles Guillemet stated in a Twitter thread.
The smartcard chip in the Ledger wallet, which is where all the operations happen and users' private keys are stored, has built-in protections against physical tampering, Guillemet wrote. "Because this know-how is the IP of manufacturers, they do not want it leaked, preventing Ledger's firmware from being fully open source," he added.
Ledger will "gradually open-source" most of its operating system, beginning with the controversial Ledger Recover feature, Guillemet wrote, but "the other parts will take a little more time since it has to be refactored to abstract the chip-specific characteristics under NDA from our OS."
Ledger does not believe that open-source is a "silver bullet for security," the firm's co-founder Eric Larcheveque stated during the Twitter Spaces. "We chose closed source because we believed it brings a higher level of security," he added.
Guillemet also stated that in the end, even with open-sourced code, users have to trust the wallet manufacturer (Ledger or otherwise) with the safety of their cryptocurrency. Otherwise, users would have to build their devices from scratch, including all the physical parts, the code and the compilers turning that code into working applications, Guillemet stated, and that's of course not an option for the "millions of users" Ledger wants to onboard in the coming years.
"Security theater"
For the same reasons, Ledger did not choose to create a completely new product for the users interested in the key recovery functions, instead making it an opt-in upgrade for existing wallets. Several participants of the Twitter Spaces event stated that a new product might have been a way to avoid the PR catastrophe Ledger went through over the new feature.
On the other hand, making a new product for the new feature would be "a security theater," Ledger's chief experience officer Ian Rogers stated: "I can take a Ledger and put it in a different box with a different name, but it would still have exactly the same sort of potential threat vector."
That existing wallets can be upgraded for the new feature was the most controversial part of Ledger Recover. Numerous observers pointed out that Ledger's main selling point has been that private keys never leave the device. And now it turns out that the same devices that are not supposed to reveal the private key essentially can broadcast the backup to the outside world.
To add insult to injury, Ledger's Twitter account responded to this saying that "it is and always has been possible to write firmware that facilitates key extraction" in a Monday tweet that caused outrage and was subsequently deleted.
This should not be a shocker, Guillemet stated during the Twitter Spaces, because that's the way Ledger works: to interact with different blockchains and smart contracts, the wallet's operating system must access the private key. And the operating system has to be upgradeable because blockchains themselves also upgrade and implement new features from time to time.
This means that the programs running on Ledger always could have been changed in a way that concerns private key handling. That's something a user has to accept by default, and the fact that users did not realize that came as a surprise for Ledger itself, Guillemet said.
The ghost of the subpoena
Another controversial part of Ledger Recover is the fact that the service, which is offered as a paid subscription, requires users to go through know-your-customer (KYC) checks. A Twitter user nicknamed @Zk_shark asked whether Ledger will readily respond to any government subpoena requesting data of the Ledger Recover users.
He recalled the infamous case of 2018, when crypto exchange Coinbase complied with the IRS' request to provide data of 13,000 users. Thereafter, 10,000 Coinbase users received a letter from the tax agency suggesting that they may have failed to properly report their crypto-related taxes. The IRS did not disclose the source of the users' data.
Gauthier's response was: if you fear this scenario, do not use Ledger Recover. Nonetheless, receiving such subpoenas is not something that is bothering the company. "We don't think it's very easy to subpoena a service like Ledger Recover," Gauthier said.
Nonetheless, he added, "if you want to be definitely censorship resistant, you should just not activate the function."