Ledger sparks controversy

The world leader in cold wallets is once again attracting jeers. At issue: its new service, Ledger Recover, soon available for 6 million Ledger devices.

Ledger Recover?

This is an optional service for Ledger owners who wish to entrust their seed to trusted third parties. Need we say more to explain the outcry…

Ledger Recover requires identity verification. The two companies in charge of this KYC (Know Your Customer) procedure are the French firm Tesi and the alliance of multinationals FIDO. The process includes facial recognition and a national identity card.

At the same time, three companies will each receive one piece of the seed, encrypted with symmetric cryptography and linked to the client’s identity. Everything is transferred from the Ledger to the companies Coincover, EscrowTech and Ledger via three separate, end-to-end encrypted channels.

CTO Charles Guillemet explained the scheme in more detail in this Twitter thread.

If the Ledger is lost, it will therefore be possible to recover the seed (and therefore access to the bitcoins). All you have to do is verify your identity with Coincover, EscrowTech and Ledger so that the three (encrypted) pieces of the seed are sent to a new Ledger.

The seed will then be reconstituted without ever having appeared in its entirety anywhere outside the ledger. For $10 a month…

Where is the problem?

First, Ledger’s reputation is not immaculate. The firm was hacked in 2020. The personal information of 273,000 customers (telephone numbers, physical addresses, first and last names) leaked on the internet.

This week, it was the linking of one’s identity to one’s seed that set things on fire. The memes came thick and fast:

“Yes sir, I would like to have the seed of my Ledger, please.”

In addition, technical concerns have flourished on Twitter. The anonymous account @0xfoobar wrote:

“The code path to send the seed over the internet will be present on your device, whether you subscribe to the service or not. Hackers could manage to use it.”

The founder of Solana wants to be reassuring. “If you trusted them before not to exfiltrate your keys, you can trust them now not to when this service is disabled,” he said. “I think the attack surface is pretty much the same.”

Finally, if Coincover and EscrowTech obtained the symmetric key used to encrypt the pieces of the seed, collusion between the two firms could make it possible to reveal them.

A 24-word seed means about 2048^23 possible combinations, which is unbreakable. But imagine that the seed is divided into pieces of seven, eight and nine words. Security would then drop to 2048^7 in the worst case. A supercomputer would do it in minutes.

This scenario is a bit far-fetched. On the other hand, Ledger will indeed be obliged to hand over this key (and therefore the seed) to the courts if required…
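To make the arithmetic behind the scenario above concrete, here is an added Python illustration (not from the article, and not Ledger's own scheme, which the article does not describe). It contrasts the naive "cut the 24 words into pieces" split, where a piece of n words leaves only 11·n bits to brute-force, with a 2-of-3 threshold split of the seed's 256-bit entropy over a prime field, where any two pieces recover the secret but a single piece is consistent with every possible secret. The prime is the secp256k1 field prime, chosen only as a well-known 256-bit prime; the share positions 1, 2, 3 and the word-count figures are assumptions for the example.

```python
import secrets

# Assumptions for this illustration (not from the article, not Ledger's scheme):
# - A BIP39 word is one of 2048 choices, i.e. 11 bits of search space per word.
#   (The checksum in the last word brings the effective entropy of a 24-word
#   seed down to 256 bits, roughly the 2048^23 the article quotes.)
# - The "pieces" are modelled two ways: a naive cut of the word list, and a
#   2-of-3 threshold split of the seed's 256-bit entropy over GF(P).
WORDS_PER_SEED = 24
BITS_PER_WORD = 11  # log2(2048)

# secp256k1 field prime, used here only as a well-known 256-bit prime.
P = 2**256 - 2**32 - 977


def naive_piece_bits(words_in_piece):
    """Search space, in bits, that an attacker holding every other word
    faces to brute-force one missing piece of `words_in_piece` words."""
    return BITS_PER_WORD * words_in_piece


def naive_piece_space(words_in_piece):
    """The same search space as a raw candidate count (2048**n)."""
    return 2 ** naive_piece_bits(words_in_piece)


def shamir_split_2of3(secret):
    """Split `secret` (an integer below P) into three shares of the degree-1
    polynomial f(x) = secret + a*x mod P; any two shares recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    a = secrets.randbelow(P)  # fresh random slope per split
    return [(x, (secret + a * x) % P) for x in (1, 2, 3)]


def shamir_recover(shares):
    """Lagrange interpolation at x = 0 over GF(P) for two or more shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def single_share_fits(share, candidate_secret):
    """True when `share` could have come from `candidate_secret`: with one
    share there is always exactly one slope a = (y - s) / x that explains
    it, so every secret is equally plausible to a single holder."""
    x, y = share
    a = (y - candidate_secret) * pow(x, -1, P) % P
    return (candidate_secret + a * x) % P == y


if __name__ == "__main__":
    print(f"full 24-word seed: {naive_piece_bits(WORDS_PER_SEED)} bits of words")
    print(f"naive 7-word piece left to guess: {naive_piece_bits(7)} bits "
          f"({naive_piece_space(7):,} candidates)")
    # Constructed sample: 32 random bytes standing in for a seed's entropy.
    seed_entropy = int.from_bytes(secrets.token_bytes(32), "big") % P
    shares = shamir_split_2of3(seed_entropy)
    assert shamir_recover(shares[:2]) == seed_entropy
    assert single_share_fits(shares[0], secrets.randbelow(P))
    print("2-of-3 split: two shares recover, one share fits any secret")
```

The point of the contrast is that the naive word-chunk split shrinks the search space to 2048^7 only because each piece is a literal slice of the secret; a threshold split keeps each individual piece uniformly random, so the residual risk lives in how many pieces can be gathered (the collusion case), not in the size of each piece.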

Ledger tries to reassure

Ledger CEO Pascal Gauthier, CTO Charles Guillemet and co-founder Nicolas Bacca tried to put out the fire during a Twitter Space on Tuesday, May 16.

For Pascal Gauthier, the demand is there:

“So many people have asked us for this service. The number of people who need it to take the plunge eclipses all the negative comments I can see on Twitter,” he declared.

The CEO had already caused a stir a few months ago on BFM Crypto by advising people to put their seed in a safe at the bank…

Charles Guillemet tried to make the case that looking after one’s own 24-word seed is difficult:

“If you understand cryptography well, what keys are and how to save your 24 words [the seed], frankly, Ledger Recover is not for you. You will probably prefer to remain totally sovereign. But for newcomers, for my mother for example, these 24 words can be a bit complex.”

Nicolas Bacca promises for his part that the protocol will soon be made public:

“You decide whether to use Ledger Recover or not. Nothing will happen without your consent. Regarding the security of the protocol, everything has been audited by the Ledger Donjon, which has proven itself in the past. In the future, the entire protocol can be verified by everyone.”

An open protocol would indeed be a guarantee of trust. Everyone could then check whether it is possible for Ledger to recover its clients’ seeds in their entirety.


Let’s end by noting that it is still no great hardship to engrave 24 words on a piece of metal and bury it at the bottom of your garden. Ledger’s direct competitor, the Czech Trezor, for its part recently launched a service to anonymize its users’ BTC. Two very different worlds…
