How We Make Fetch Secure

Dan Melton
Published in Fetch, May 3, 2018

At Fetch, we’re making it easier and more profitable to trade crypto. Today, finding the best prices and executing trades at the best exchange is difficult to say the least. Only the most technically savvy users are comfortable with interfacing directly with smart contracts. We’re making it easy for everybody, not just the few. You can read more about why this is so important and how Fetch works in previous posts.

We hold ourselves to high security standards and are often asked how Fetch keeps users secure. Before launching, we want to share a bit about how we make Fetch a secure place for users.

Securing and trading tokens is a complex topic, forcing users to choose between security and convenience. On one end of the spectrum, centralized exchanges manage keys for users and provide an easy-to-use experience. Great. Unfortunately, they have proven tempting to hackers and have been vulnerable to hacks, again and again. Downloadable applications promise a compromise between convenience and security. Great. Unfortunately, a number of them haven’t offered users the security they deserve.

Fetch is a downloadable desktop application which balances a convenient user experience with the highest levels of security. Since it’s downloaded and runs on your desktop, Fetch offers a number of security benefits.

All private keys and mnemonics are encrypted locally at rest
We take protecting private keys very seriously (and you should too!). Your private key and mnemonic backup are encrypted using AES-256 with a random 16-byte initialization vector. The user is asked to create a password. This password, retained by the user only and never shared with Fetch, is hashed using SHA-512 with a 128-byte random salt, and the result is used in the private key encryption process. The application is zero-knowledge and cannot decrypt the private key or recover the password. Each time a transaction is created, the user is required to enter their password to decrypt the private key and sign the transaction.

Transactions are signed locally
When sending ETH, sending tokens or executing a trade, the Fetch app uses your private key to sign the transaction locally on your computer. That signature proves you initiated and approve of the transaction. The private key is never sent across the network. Even if encrypted, transmitting your private key across the network opens up a host of security concerns that are best avoided. The private key is unlocked with your password, used to sign the transaction, and immediately discarded from memory.

Private keys remain on your computer
Your private key is the way you prove that assets stored on a blockchain are yours and only yours. Once you create or import a private key into Fetch, it remains locally in the application and is never shared with Fetch. Zero-knowledge.

Unencrypted information displayed briefly
When you wish to view your encrypted backup mnemonic or private key, a password unlock is required, and the decryption runs only inside the component being rendered (we use React). The decrypted value is not saved to any part of the state tree. The component has a timeout of 30 seconds before it resets. This means that when you want to copy your encrypted information, the unencrypted text is not held in the application for very long.

Private keys are never shared with Fetch
Fetch is built with a zero-knowledge architecture. At no time is your private key shared with Fetch servers. We never have access to it. This comes with the downside that in some cases the customer support we can provide is limited by our lack of knowledge of your transactions.

Private keys don’t have to be entered into a website
If you’ve ever thought twice before entering your private key into a website, you are one of the well-informed ones. Because Fetch is a downloadable application, bad actors can’t impersonate Fetch and trick users into entering their keys into a website they operate.

Over the next few weeks, we’ll be releasing more details about how Fetch works and helps you trade more easily and profitably. We’ll be releasing Fetch in summer 2018; sign up to be one of the first to get access and follow us to stay updated on the journey.
