Replying to Avatar JackTheMimic

It's just an address check against a given Xpub. The signer and the wallet app are just cross referencing the same address list. Basically ensuring the keys on the signer are connected to the produced address.

COLDCARD Q

-Txn comes in, Copy it as QR

-Scan the QR code with your COLDCARD Q. The device will show you the address and ask you to press 1 to verify ownership.

-If the address is verified successfully, the COLDCARD will show "Verified Address" with details about the address. If the address cannot be found, the Q will show "Unknown Address".

Very similar workflow for keystone as well.
Avatar
nick 8mo ago

Software wallets are typically not the attack vector! See what i said above re verifying address against sender's view and clipboard malware

Reply to this note

Please Login to reply.

Discussion

Avatar
JackTheMimic 8mo ago

I guess I don't understand what scenario we are talking about. In most cases of payment, you either own the domain that is displaying the address QR for your counterparty or you are in person to display the QR. In your proposed scenario you are sending a payment invoice over an unencrypted messenger? That on its face is an attack vector so, maybe I am misinterpreting what you mean.

Avatar
nick 8mo ago

Yeah! Anywhere along the transmission from wallet to sender, can be clipboard malware (most common) where you copy an address and the malware pastes in a similar but different address, or browser malware which substitutes addresses within web requests (after you hit withdraw on an exchange), or malicious QR code scanner, or intercepted during unencrypted message transmission like you say.

Software wallet is indeed a domain you control, can verify signatures etc. The other stages are less in your control.