Waves Keeper places the highest importance on convenience. Since our browser extension is becoming more popular, our community has begun to wonder just how reliable our solution is. This article aims to explain the product and address any concerns.
Waves Keeper is a browser extension that allows you to manage your private keys and lets you confirm transactions online without exposing any sensitive information to the web. Broadly speaking, it is an improved local key keeper.
It is also a secure way to connect dApps with your Waves Wallet. The extension allows authorisation with one click. There is no need to copy your SEED phrase to the clipboard or enter it on any site.
Encrypted storage
Some people think that local storage is not safe enough, because dApps have access to it. This makes some sense. Even browser developers advise you not to store sensitive information there.
We keep your SEED phrase in encrypted form inside your local browser storage. Here’s how:
- The browser creates a separate storage area for the extension that is inaccessible from the outside
- The SEED phrase is stored there, encrypted by the AES algorithm
- Your Waves Keeper password is used to decrypt the SEED phrase
In other words, private data is hidden from anyone except your extension. It is stored locally on your computer. Thus, no one can get to your funds unless they have access to your computer and your Waves Keeper account.
You can find our encryption code here, and see how it is used here.
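The scheme described above, as an added sketch that is not Waves Keeper's own code. The page only says "AES" and "password", so the scrypt key derivation, the AES-256-GCM mode, Node's `crypto` module, the function names and the sample seed are all assumptions made for illustration.

```javascript
// Added illustration, NOT Waves Keeper's code.
// Assumptions: scrypt as the password KDF, AES-256-GCM as the AES mode.
const crypto = require('node:crypto');

// Stretch the password into a 256-bit AES key. The per-record random salt
// forces an attacker to redo the expensive derivation for every guess.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Encrypt the seed and return a string suitable for extension storage.
function encryptSeed(seed, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(seed, 'utf8'), cipher.final()]);
  const record = { salt, iv, ct, tag: cipher.getAuthTag() };
  // Base64-encode each field so the record serialises as JSON.
  return JSON.stringify(Object.fromEntries(
    Object.entries(record).map(([k, v]) => [k, v.toString('base64')])));
}

// Return the seed, or null when the password is wrong or the record was altered.
function decryptSeed(stored, password) {
  const rec = Object.fromEntries(
    Object.entries(JSON.parse(stored)).map(([k, v]) => [k, Buffer.from(v, 'base64')]));
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, rec.salt), rec.iv);
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed: wrong key or modified ciphertext
  }
}

// Constructed sample values, not a real wallet.
const SAMPLE_SEED = 'alpha bravo charlie delta echo foxtrot';
const SAMPLE_PASSWORD = 'correct horse battery staple';
const stored = encryptSeed(SAMPLE_SEED, SAMPLE_PASSWORD);
console.log('stored record:', stored);
console.log('right password recovers seed:', decryptSeed(stored, SAMPLE_PASSWORD) === SAMPLE_SEED);
console.log('wrong password:', decryptSeed(stored, 'guess'));
```

The stored record contains only salt, nonce, ciphertext and tag, so its confidentiality rests entirely on the password: anyone who copies the record can test guesses offline at the cost of one key derivation each.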
Transaction signing
Transaction signing is a formal action on a blockchain. It doesn’t require you to enter private data.
Any transaction needs a user’s permission to be signed. The signature is created using the private key. After signing, the transaction is recorded on the blockchain. In turn, the dApp that made a request receives only public data:
- Public key
- Signature
- Transaction data
Authorization
When you start to work with new dApps in the Waves ecosystem, a service has to check that the data belongs to the current user. Verification is carried out using public data:
- Public key
- Signature
The SEED phrase cannot be accessed by dApps on the web, giving you peace of mind that your funds are safe at the point of authorization.
Please be careful
Remember that Waves Keeper’s security depends primarily on you. You work with Waves Keeper via PCs and devices that have limitations and vulnerabilities. Your OS or browser could have backdoors, for example.
Because this is the case, we cannot guarantee the complete safety of your funds. Here are some useful tips to make data leakage less likely:
- We’ll never ask you to share your private key or SEED phrase unless you import your wallet. Never trust any site that asks you to enter your private information.
- Always check the address in the URL bar. When working with Waves Keeper, only use one tab at a time to make transactions and keep the extension locked when you’re not using it. This will reduce the risk of phishing attacks.
- Create a strong Waves Keeper password. If your computer gets a virus and data is leaked, it is easier for hackers to crack a weak password.
- Every action needs permission. Read carefully any messages with transaction data in Waves Keeper. Don’t blindly sign each transaction.
- Don’t forget to update your OS and installed applications regularly.
Also, make sure you hold large amounts of WAVES or other Waves tokens in cold storage like a Ledger. Use Waves Keeper only for interacting with dApps.
We regularly perform security audits and respond quickly to threats. If you have any feedback about how to improve Waves Keeper, let us know in our Telegram channel.
Forthcoming updates
Finally, we are planning to launch a mobile version of Waves Keeper. The world of dApps will be available on your phone! The exact date will be announced on our social media. Stay tuned!
Waves Keeper: Making Convenience Secure was originally published in Waves Platform on Medium.