The Handling of Cryptographic Keys within Misthos

Misthos
Aug 14, 2018

FYI: Due to issues with U2F support in other browsers any actions using a Ledger within Misthos require you to be logged in via Chrome. Read here how to set up integration if Chrome is NOT your default browser.

At Misthos, we are always thinking about the security of the funds in your wallet. As a testimony to this, Misthos was the first to deploy risk mitigation strategies in multisig wallets, to make sure that your team’s funds are continuously accessible even as the group of custodians changes. Today we are taking the security of the Misthos multisig wallet one step further and rolling out the first commitment on the roadmap that we shared a couple of weeks ago.

Starting today we officially support securing your funds stored in Misthos with keys provided by Ledger hardware devices. Using a Ledger device to hold the keys and perform the signing of transactions within Misthos is a significant security improvement as it reduces the need for trust in a number of key areas of the wallet. We recommend anyone using Misthos to use it in combination with a genuine Ledger device for anything other than nominal amounts.

To give a better understanding of how we have integrated Ledger, here is an overview of the cryptographic keys involved in Misthos, what their purpose is and how they relate to each other:

1. Blockstack-ID seed: This is the master seed you generated when you created your blockstack-ID. It is stored in the local storage of your browser and password protected. Provided your system has not been compromised, only the blockstack-browser app should have access to it. Nevertheless, since it is necessary to keep it stored on your internet-connected device, there are some risks involved. Should it be lost or stolen, whoever acquires it will be able to log in to all blockstack apps, see all your blockstack data and in general impersonate you within the blockstack ecosystem. Needless to say, it is critical to store it as safely as possible (for example in a password manager, potentially with offline backup).

2. App-specific blockstack key: When logging into an app via blockstack, the app is presented with an app-specific private key that is derived from the master key of the blockstack-ID you are logging in with. This key is also stored in the local storage of your browser, but only the specific app you logged into has access. This ensures that each blockstack app has its own scope for encrypting and storing data, and apps cannot by default read each other’s data or the master seed.

This key is used to authenticate to Gaia hub where your app-specific data is stored. In Misthos the public key is exposed via your Gaia storage in a way that other users of Misthos can read it in order to encrypt data for you and also verify that actions you performed were really submitted by you.

3. Venture wallet key: In Misthos every Venture has its own Wallet scope and this is where Ledger integration comes into play. Without using a hardware wallet, the keys that secure your funds will be further derived from your app-specific blockstack keys. This chain of derivation means that if your blockstack-ID seed or the app-specific blockstack key are compromised, so is the ability to sign for transactions in Misthos. Since Misthos Ventures are intended to be used as multisig wallets this shouldn’t be catastrophic in most cases. In order to actually steal funds an attacker would, after all, need to gain access to the keys of multiple Partners of a Venture. But nevertheless, this is not ideal as the keys that secure your money are derived from keys that are stored on your internet-connected device, which in this context should be considered a risk regardless.

One way to mitigate this risk is to use a Ledger device to provide the Venture wallet key, and this is exactly what is now possible. When integrating your Ledger with a Venture, the keys used to secure and sign for the bitcoin held by the Venture wallet no longer have any relationship to your blockstack keys. Should your blockstack keys be compromised, the worst an attacker can now achieve is reading and potentially manipulating your data but not actually signing any transactions that would transfer ownership of funds. As the private keys never leave the Ledger device, this reduces the number of components that could potentially lead to a leak, hence significantly reducing the attack surface.
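The following model of the three key levels is an added example, not Misthos or Blockstack code. It shows how a leaked seed maps to obtainable multisig signatures with and without a Ledger. The HMAC-SHA512 derivation, the labels `app:misthos` and `venture:demo`, and the 2-of-3 threshold are assumptions standing in for the real derivation scheme and Venture settings.

```python
import hashlib
import hmac
import os

APP_LABEL = "app:misthos"       # assumed label for the app-specific key
VENTURE_LABEL = "venture:demo"  # assumed label for one Venture's wallet key

def derive(parent: bytes, label: str) -> bytes:
    """One-way child derivation; a simplified stand-in for the real scheme."""
    return hmac.new(parent, label.encode(), hashlib.sha512).digest()[:32]

class Partner:
    def __init__(self, name: str, uses_ledger: bool):
        self.name = name
        self.seed = os.urandom(32)                 # 1. Blockstack-ID seed
        self.app_key = derive(self.seed, APP_LABEL)  # 2. app-specific key
        if uses_ledger:
            # 3. generated and held on the device, unrelated to the seed
            self.wallet_key = os.urandom(32)
        else:
            # 3. derived from the app key, so it inherits the seed's exposure
            self.wallet_key = derive(self.app_key, VENTURE_LABEL)

def recomputed_from_seed(seed: bytes) -> bytes:
    """The wallet key anyone holding the seed can recompute offline."""
    return derive(derive(seed, APP_LABEL), VENTURE_LABEL)

def signatures_obtainable(partners, leaked_seeds) -> int:
    """Count partners whose wallet key follows from a leaked seed."""
    count = 0
    for p in partners:
        if p.name in leaked_seeds:
            candidate = recomputed_from_seed(p.seed)
            if hmac.compare_digest(candidate, p.wallet_key):
                count += 1
    return count

def funds_at_risk(partners, leaked_seeds, threshold: int) -> bool:
    """True when leaked seeds alone yield enough keys to meet the threshold."""
    return signatures_obtainable(partners, leaked_seeds) >= threshold

if __name__ == "__main__":
    # Constructed 2-of-3 Venture: only carol uses a Ledger.
    team = [Partner("alice", False), Partner("bob", False), Partner("carol", True)]
    for leak in ({"alice"}, {"alice", "carol"}, {"alice", "bob"}):
        print(sorted(leak), "->", funds_at_risk(team, leak, threshold=2))
```

Every partner who moves to a Ledger removes one seed from the set that can contribute a signature, so a Venture in which all partners use devices cannot have its funds moved through leaked blockstack keys alone.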

Ledger device integration is now live on Misthos, and the setup is quick and easy. For your reference, we’ve created a short guide on how to set it up.

We hope you benefit from the additional security provided by this integration, and we look forward to your feedback. Reach us via contact@misthos.io or on Twitter.
