Deprecation of eth_sign #1930

Closed
1 of 3 tasks
kumavis opened this issue Aug 16, 2017 · 9 comments
Labels
area-provider Relating to the provider module. type-security

Comments

@kumavis
Member

kumavis commented Aug 16, 2017

gradually deprecate eth_sign

  • include developer deprecation warning (link to personal_sign spec and eth-sign-util)
  • disallow usage except for known domains e.g. etherdelta, admin.gnosis
  • eventually remove completely
@kumavis kumavis added area-provider Relating to the provider module. P1-asap type-security labels Aug 16, 2017
@2-am-zzz 2-am-zzz added the ready label Aug 28, 2017
@2-am-zzz
Contributor

2-am-zzz commented Sep 6, 2017

We will discuss this at our long term planning meet next Tuesday.

@danfinlay
Contributor

We might want to actually change the current behavior in favor of the personal_sign behavior, per discussion here.

@kumavis kumavis added P1-asap and removed P2-sooner labels Feb 26, 2018
@kumavis kumavis removed their assignment Feb 26, 2018
@bdresser
Contributor

bdresser commented Jun 6, 2018

Work done in this PR, waiting to merge until EIP 712 is finalized

@bdresser
Contributor

EIP 712 is merged! unblocked ~

@danfinlay
Contributor

Blocked by us actually implementing EIP 712 per spec.

@danfinlay
Contributor

We have learned that adding a sufficient warning on the signature confirmation screen may have qualified as informed consent, and I would suggest this method no longer requires deprecation as long as we continue to adequately convey its gravity in the languages that we distribute under.

@danfinlay danfinlay removed the blocked label Nov 16, 2019
@danfinlay
Contributor

Correct. This is not blocked, I just am no longer sure it is necessary, as the signing method is in active use, as it's very useful for low-level development and prototyping.

@danfinlay
Contributor

That is one way of tucking it further away, but in my experience, this would just result in some applications instructing users to enable "developer mode". I think explicit warning is really the only tool we have to protect users, and we are already employing it. I'm not sure what we would gain by tucking it further away, other than friction, when we don't see any attacks successfully happening along this vector.

@jacobc-eth

Given the staleness and lack of need for this, I'm going to go ahead and close this issue.
