
I was willing to tolerate Ledger's issues here (I'm a user and I've heavily recommended their products) if they fixed them -- the problems never should have happened, but they are marginally better than Trezor in a lot of other ways.

Unfortunately, the Ledger team appear to be asshats, so there's every reason to fear using them in the future, even if they've fixed this specific issue. If they're going to handle a legit issue like this (downplaying it, etc.), I'm not willing to trust them.

I'd love to see three products created:

1) Split client/server wallets (so you don't need to trust the operator or your local machine alone); some work has been done on this. Also, split PC + SGX or phone + secure element wallets. This is basically software-only in cost, but at higher security, so it would be suitable for $0+ balance accounts.

2) A low end ($20?) wallet with a cheap display and button. If you retailed them at $100 but sold them to providers at $40 they could probably give them away for a lot of accounts; basically like Yubikeys but with displays.

3) Some higher-end hardware wallets; essentially HSMs plus display/input. HSM technology basically stagnated in 1995; there's a lot of need for something better today. This could be in the $10-50k per unit range for a lot of high-value keys if actually implemented well and in a way which had no "trust us" demons. There are hundreds or thousands of potential customers, and more by the day.



At a previous job, we made an HSM. We spent a lot of time considering manufacturing and evil maid attacks. There are solutions.

The biggest important leap of faith is that the manufacturer must be able to lock themselves out of the device. This involves physical tamper resistance and people processes. And lots of key management.


1) There's already some work on this. Take a look at https://carbonwallet.com

A multisignature wallet with one key encrypted browser side and another in a mobile app.

https://github.com/carbonwallet/CarbonKey

The CarbonKey app is a simple PWA (Progressive Web App), so you can deploy it yourself and completely bypass the wallet owner's supply chain.


I don't trust any hardware wallet; that's why I use a brain wallet I forked from the keybase.io team to use the stronger argon2 hash function. It takes 4 minutes to generate a wallet (with the strong setting that comes with the golang version); good luck trying to brute force this one.

https://patcito.github.io/mindwallet


> I was willing to tolerate Ledger's issues here ... if they fixed them

> Unfortunately, the Ledger team appear to be asshats, so there's every reason to fear using them in the future, even if they've fixed this specific issue

Your first two lines completely contradict each other.

The Nano S is #3 in your list.


The problem wasn't the breach, it was their messaging around the breach. I accept that most products have bugs, even security-critical bugs in security products (although this one was a bit extreme to tolerate...).

The Nano S isn't really an HSM-containing-wallet. It (and the Trezor) are somewhere between a smartcard containing just the keys and an HSM. There's "trusted" display and input, but not the whole wallet. The Nano S also does have an element of "trust us" vs. an easily verifiable design.


1. Can be implemented using N-of-M signing. GreenAddress does something similar.
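Added example, not code from any commenter here and not from Ledger, Trezor, GreenAddress, CarbonWallet or mindwallet: it illustrates the "split client/server wallet" idea from item 1 of the wish list above, the N-of-M reply, and the memory-hard key derivation the brain-wallet comment relies on. A passphrase is stretched with a memory-hard KDF and the resulting scalar is split k-of-n with Shamir secret sharing, so neither the local machine nor the operator can reconstruct the key alone. Assumptions: the standard-library `hashlib.scrypt` stands in for argon2 (any memory-hard KDF makes the same point, and scrypt needs no third-party package); the secp256k1 group order is used as the prime field so every share is a valid scalar; the passphrase and salt are constructed sample values.

```python
import hashlib
import secrets

# Order of the secp256k1 group (well-known constant). Used as the prime
# field so that the secret and every share are valid secp256k1 scalars.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def derive_secret(passphrase: str, salt: bytes,
                  n: int = 2 ** 14, r: int = 8, p: int = 1) -> int:
    """Memory-hard passphrase -> 256-bit scalar.

    Assumption: scrypt stands in for the argon2 the commenter uses.
    n=2**14, r=8 costs about 16 MiB of RAM per guess; the commenter's
    4-minute setting is far heavier. The KDF raises the per-guess cost,
    it does not add entropy: the passphrase's entropy is still the bound.
    """
    key = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=n, r=r, p=p, maxmem=64 * 1024 * 1024, dklen=32)
    return int.from_bytes(key, "big") % SECP256K1_N


def _eval_poly(coeffs, x, prime):
    """Horner evaluation of sum(coeffs[i] * x**i) mod prime."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % prime
    return acc


def split_secret(secret: int, k: int, n: int, prime: int = SECP256K1_N):
    """Shamir k-of-n split: the secret is the constant term of a random
    degree k-1 polynomial; share i is the point (i, f(i))."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, prime)) for x in range(1, n + 1)]


def recover_secret(shares, prime: int = SECP256K1_N) -> int:
    """Lagrange interpolation at x = 0.

    With fewer than k shares this returns an unrelated value rather than
    an error, which is the property that protects against a single party.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def demo():
    """2-of-3 split: local machine, wallet operator and an offline backup
    each hold one share. Inputs are constructed sample values."""
    secret = derive_secret("correct horse battery staple", b"constructed-salt")
    shares = split_secret(secret, k=2, n=3)
    local, operator, backup = shares
    assert recover_secret([local, operator]) == secret   # normal spend
    assert recover_secret([local, backup]) == secret     # operator gone
    assert recover_secret([operator]) != secret          # operator alone
    return shares


if __name__ == "__main__":
    for x, y in demo():
        print(f"share {x}: {y:064x}")
```

Holding a share is not the same as N-of-M signing on-chain: here the full key briefly exists wherever two shares are combined, whereas a multisig script never reconstructs a single key. The split is the simpler construction; it shows why no single party learns anything from its share, which is the trust property item 1 asks for.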

