Trezor & MetaMask. Why?
I rarely write manuals, and today's post is not quite an instruction or a guide to action either; rather, it is a set of theses. But extremely important ones.
And yes, Ledger Nano and the like are also suitable: Trezor just happened to be the one at hand. Otherwise it makes no difference, as long as you understand how the device works, what in it is open source, etc.
General introduction
First, and once again: a hardware wallet can be one type of cold storage implementation, but no more than that. It looks like this:
And yes, real cold storage is a complex infrastructure with dozens of components: starting with the same wallet devices, continuing with offline transactions, access separation, etc., and ending with copies on iron/paper/wood/stone. And I am not even mentioning perimeter protection ;).
But this is a topic for a separate conversation. The main thing is to understand the essence of Euler’s diagrams above.
So why Trezor in MetaMask?
Straight to the facts: first, when you integrate Trezor into MetaMask, you immediately complicate the login procedure. For yourself, yes, but more importantly, for an attacker. What do you gain from this in the end?
01. If you apply all the security primitives (see the article), you will have a “clean” browser for crypto operations, plus a separate account at login, which in its own way can complicate life for a phisher (at the very least through the difference in accounts):
That is, you end up with a ladder like this:
Hence: each upper step makes sense if there is a lower one, but the reverse dependence is not so obvious.
02. I rarely use MM by itself. Usually it comes with companions in tow:
- EtherAddressLookup;
- Some kind of link verification: https://www.virustotal.com/gui/home/url or Dr.Web or something to your taste.
03. Each of the elements (Trezor & MetaMask) has its own advantages:
- For example, you can set a very long password for logging in to MetaMask;
- You can also freely set automatic logout after a period of time (go to “Settings”, then “Advanced”, then “Auto-lock timer (minutes)”);
- I find it more familiar to view tokens right in MM, but there are alternatives:
- Signing takes not 2 clicks but 4-5 stages (first the transaction appears in MM, then you move on to signing in Trezor, then you confirm the PIN code, which protects against keyloggers at least to some extent, and then you can check the data on the screen of the device itself);
- Trezor is easy to disconnect from a PC/Mac/etc., so while it is offline your funds are a little more secure, even if an attacker guesses the password for MM, etc.
At the same time, you get the advantages of each of the systems plus their synergy. Yes, you also get the drawbacks of both systems and of their combination: for example, for a long time it was impossible to sign transactions on Polygon using the “MM+T” combination: an EIP-15 error arose …, and there were problems with the same network on OpenSea when freezing NFTs, and so on.
But the game is definitely worth the candle.
In addition, there are plenty of nice perks:
- For example, if you use Gnosis Safe, then with the MM+T combination it is easier to adjust gas for execute transactions than from Trezor alone, and it is certainly safer than with MM alone;
- In the same Safe, you gain +1 security level (the multisig itself, access to it, signing through the combination);
- With Trezor disconnected, you can also more confidently use various Web 3.0 services that analyze balances, tokens, etc., and sometimes require gasless signatures.
To make it even clearer, here is a list of attacks against which the MM+T combination often helps:
- Banal, but still working (what MetaMask itself prescribes in this case is at the link; as for me, their measures are clearly not enough): funds often leave through the usual “phishing + spam” combination;
- AKA password guessing: obviously, this attack applies to MM, but for the MM+T combination, to a greater extent;
- hacking private keys from MM storage (another story);
- “Say you transfer money to a friend. You copied the address of his wallet, and a Trojan in the clipboard replaced this address with its own. Not every user stays vigilant and re-checks the address after copying. Especially if this address looks like a set of more or less random characters”;
- And many others…
Of course, this will not help if you have already landed on a phishing site and, say, believe you are paying into an IDO when in fact you are sending money to a fraudster. But this is a separate and also long conversation.
Conclusions
You can go online over public Wi-Fi networks from a Windows laptop, under an admin account with the login and password “Admin/Admin”, and “marry” MetaMask with torrent links, all without a firewall or antivirus … and then blame everyone and everything at once for Web 3.0 being bad.
Or you can try to figure it out and make the world better. The choice? Of course, it is yours:
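The clipboard-substitution case quoted in the list above comes down to comparing the whole address, not just its ends. The sketch below is an added example, not code from the original post: the function name `checkPastedAddress` and every address in it are constructed for illustration.

```javascript
// Added example. Compares the address you intended to pay (from a trusted
// source) with the one that actually arrived after pasting.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Hex letter case only carries the optional EIP-55 checksum, so ignore it.
function normalize(addr) {
  return String(addr).trim().toLowerCase();
}

// verdict is one of:
//   "invalid"   - one side is not a 20-byte hex address
//   "match"     - every hex character is identical
//   "lookalike" - differs, but the first/last `edge` characters agree, so a
//                 glance at the ends of the string would not catch the swap
//   "mismatch"  - differs at the visible ends as well
function checkPastedAddress(expected, pasted, edge = 4) {
  const e = normalize(expected);
  const p = normalize(pasted);
  if (!ADDRESS_RE.test(e) || !ADDRESS_RE.test(p)) {
    return { verdict: "invalid", diffPositions: [] };
  }
  const a = e.slice(2);
  const b = p.slice(2);
  const diffPositions = [];
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) diffPositions.push(i);
  }
  if (diffPositions.length === 0) return { verdict: "match", diffPositions };
  const sameEdges =
    a.slice(0, edge) === b.slice(0, edge) && a.slice(-edge) === b.slice(-edge);
  return { verdict: sameEdges ? "lookalike" : "mismatch", diffPositions };
}

// Constructed sample addresses (not real wallets).
const FRIEND = "0xAb12222233334444555566667777888899990cDe";
const LOOKALIKE = "0xab12aaaabbbbcccc555566667777888899990cde";
const UNRELATED = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";

for (const pasted of [FRIEND.toLowerCase(), LOOKALIKE, UNRELATED, "0x1234"]) {
  const r = checkPastedAddress(FRIEND, pasted);
  console.log(pasted, "->", r.verdict, "differing chars:", r.diffPositions.length);
}
```

The same character-by-character comparison applies to the address shown on the hardware wallet's screen at the signing step.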