Would you want every website seeing your finances? Probably not. But so far, that's what has been happening on web3. Current Dapp browsers, such as MetaMask, have been revealing the user’s public address to every single wallet the user accesses. This means each website can then access the user’s transaction history, including every payment they’ve made or received using that address that has led to a number of phishing attacks. The company has had other security issues, too--a hacked version of the browser appeared on the Google Chrome store riddled with bugs. But MetaMask is now making things right--by updating its security, and unveiling a bunch of new apps and upgrades to existing software.
First up, the company is implementing Ethereum Improvement Proposal 1102–a series of improvements to Dapp browser security--that will help to protect its users. EIP 1102 was originally proposed by MetaMask itself.
Currently, Dapp browsers work by providing the user’s public address to every website the user visited. This made it easy for Dapps to work because they could simply access the right address and pair it with the matching transaction. However, Paul Bouchon, a developer at MetaMask, admits, “there’s a huge flaw with this because every website a user happens to browse onto, they can access all of their transaction history and a lot of other important information. MetaMask has seen this used in very specific phishing attempts.”
Now, the proposal will require websites to request the user’s public address. This will cause a pop-up box to appear which the user can agree to, or deny. If a malicious website does try to request access, the user will be able to stop them before it's too late. While public addresses are still visible on block explorers, this fix will help obscure the connection between them and their wallets when it goes live on November 5.
“We think this is the best balance between developer experience, on-boarding user experience and privacy protection for new users,” says Bobby Dresser, project manager at MetaMask, on stage at Devcon 4 in Prague.
MetaMask moves into mobile
While MetaMask has solved one privacy concern, the announcement of a new mobile wallet could be opening up another. The wallet connects to your desktop wallet by scanning a QR code, which takes just a few seconds. This earned applause but it raises a few questions–surely this means transmitting the private key over the internet? Yes, and no, according to Bouchon.
“It uses a highly secure web socket connection between the extension and the phone which is only valid for about 30 seconds. It’s encrypted, the time-socket is encrypted and the web socket connection itself is encrypted.”
MetaMask also building a new browser called Mustekala--which is Finnish for Octopus. The browser is designed to reduce the dependency that MetaMask has on a centralized service called Infura. Since MetaMask users don’t run their own node, it has to use Infura to interact with the Ethereum blockchain. The new browser, will enable a peer-to-peer system that weans MetaMask off of its reliance on one service.
Last, but not least, it's expanding to other blockchains that are compatible with Ethereum. Currently, that's basically Ethereum Classic, but in future any blockchain using the Ethereum Virtual Machine will be explorable through MetaMask. Hopefully this time that exploration can be done in private.