From c138f08c78eb6600f6dda3f10ad912bcd6d5f31e Mon Sep 17 00:00:00 2001 From: spirobel Date: Wed, 26 Feb 2025 12:52:59 +0000 Subject: [PATCH 1/7] add proposal to build Monero Browser Wallet + selfhostable Payment Links + multisig companion app --- spirobel_monero_browser_wallet.md | 142 ++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 spirobel_monero_browser_wallet.md diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md new file mode 100644 index 0000000..b182685 --- /dev/null +++ b/spirobel_monero_browser_wallet.md 
@@ -0,0 +1,142 @@ +--- +layout: fr +title: Monero Browser Wallet +date: Sep 10, 2024 +author: Spirobel +amount: 335 +milestones: + - name: prepayment for first month + funds: 20 XMR + done: + status: finished + - name: Monero Payment Links + multi wallet syncing + funds: 90 XMR + done: + status: unfinished + - name: Monero Browser Wallet + funds: 125 XMR + done: + status: unfinished + - name: Multisig companion app + escrow library + funds: 100 XMR + done: + status: unfinished +payouts: + - date: + amount: + - date: + amount: + - date: + amount: + - date: + amount: +--- + +# Monero Browser Wallet + +## Who + +**Spirobel** + +References: + +#### found and reported a "pay what you want" vulnerability in AcceptXMR + +https://x.com/spirobel/status/1672479215512588288 + +https://github.com/busyboredom/acceptxmr/issues/64 + +#### open sourced a Patreon like tool for Monero + +https://x.com/spirobel/status/1595949928634667008 + +https://github.com/spirobel/monero-discourse-subscriptions + +#### open sourced a merchant focused wallet-rpc + +https://x.com/spirobel/status/1596299822516285440 + +https://github.com/spirobel/monerochan-merchant-rpc + +#### implemented a Monero Browser wallet extension PoC + +https://www.youtube.com/watch?app=desktop&v=4DLcsQ45zoE + +https://github.com/spirobel/monerochan-city-wallet + +#### wallet-rpc library + +https://ccs.getmonero.org/proposals/spirobel_robust_modular_wallet_rpc.html + +https://www.npmjs.com/package/@spirobel/monero-wallet-api + +https://github.com/monerochan-ecosystem/monero-wallet-api + +Contact: twitter.com/spirobel + +## What + +**Result:** Monero browser wallet, selfhostable stripe payment links alternative, multisig companion app, +accessible cross platform Monero library + +The deliverable for this proposal will be: + +1. A selfhostable Stripe Payment Links alternative built on + the [monero-wallet-api library](https://github.com/monerochan-ecosystem/monero-wallet-api). 
+ It is necessary to have a checkout flow with real world use to establish the Wallet-Webapp + interaction UX. The [preliminary UI work](https://x.com/spirobel/status/1871161899410440670) + on this product has been well received. +2. The Monero browser wallet. + The next step is the implementation of the send functionality in the library and the wallet itself. + The second milestone contains all the UI for syncing, sending, error states and the Wallet-Webapp interaction. +3. A Multisig companion app that allows to split spend keys over multiple devices. This means a phone can serve as a second factor to a laptop and both devices need to be compromised to access funds. The work will make use of the [recently audited](https://ccs.getmonero.org/proposals/monero-serai-wallet-audit.html) multisig code. As a side effect it will become more accessible to build escrow and multisignature enabled apps with the underlying typescript library. + +### Implementation + +list of initial tasks: + +- add multi wallet syncing to the library +- integration of checkout flow in the Payment Links app +- enable multi wallet background syncing in Monero Payment Links +- build Monero Payment Links transaction section and transactions tab +- calculate & display aggregate amount per wallet + +- add private key management to the extension +- build indexeddb backend for output storage +- implement spend function +- add transaction history screen to the browser extension +- implement interactive checkout that will remove need to copy addresses + +- add FROST dkg methods to the monero wallet api typescript library +- implement initial connection and setup in extension and multisig companion app +- handle transaction signing & display in the companion app +- implement transaction submission +- recovery from fresh scan + + this task list is not exhaustive and subject to change + +## Milestones + +value commitment: + +The 3 deliverables outlined in the **What** section are the promised outcome of 
this proposal. +In addition, new functionality becomes available in the underlying library. +The Monero Payment Links product is 110, the Browser Wallet extension 125, the Multisig Companion app + lib 100, in total 335 xmr + +## Why + +Currently Monero shoppers have to copy and paste addresses from the tor browser into their wallets. +This can be made more convenient and secure by a browser wallet. + +The Monero Browser Wallet PoC that I wrote is fundamentally different from typical browser wallets. +Instead of injecting Javascript into the page and excusively communicating via message events, it uses a REST api. +The initial trigger in the PoC still happens through a message, but the plan is to get rid of that. +As a result the checkout will work in a Javascript disabled environment while providing the same seamless user experience. + +The browser is still seen as a potentially large attack surface. +Even with all the security features and sandboxing techniques that +modern browsers employ, there is still the risk of 0day exploits. +This risk can be mitigated by spreading the secret key among multiple devices and necessitating access to all of them to sign a transaction. +The goal of the last milestone is to make this easy through the use of a multisig companion app. + +tldr: the browser wallet makes monero web shopping more convenient and secure From 82f985eef3da3b0ae2695419f7b8073c3f0ce64f Mon Sep 17 00:00:00 2001 From: spirobel Date: Wed, 26 Feb 2025 13:01:45 +0000 Subject: [PATCH 2/7] fix typo --- spirobel_monero_browser_wallet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md index b182685..038ad67 100644 --- a/spirobel_monero_browser_wallet.md +++ b/spirobel_monero_browser_wallet.md 
@@ -129,7 +129,7 @@ Currently Monero shoppers have to copy and paste addresses from the tor browser This can be made more convenient and secure by a browser wallet. The Monero Browser Wallet PoC that I wrote is fundamentally different from typical browser wallets. -Instead of injecting Javascript into the page and excusively communicating via message events, it uses a REST api. +Instead of injecting Javascript into the page and exclusively communicating via message events, it uses a REST api. The initial trigger in the PoC still happens through a message, but the plan is to get rid of that. As a result the checkout will work in a Javascript disabled environment while providing the same seamless user experience. From e127efee1feec678aa43dbb74901f874347d81d0 Mon Sep 17 00:00:00 2001 From: spirobel Date: Wed, 26 Feb 2025 15:26:49 +0000 Subject: [PATCH 3/7] fix date --- spirobel_monero_browser_wallet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md index 038ad67..e691a98 100644 --- a/spirobel_monero_browser_wallet.md +++ b/spirobel_monero_browser_wallet.md @@ -1,7 +1,7 @@ --- layout: fr title: Monero Browser Wallet -date: Sep 10, 2024 +date: Feb 26, 2025 author: Spirobel amount: 335 milestones: @@ -22,7 +22,7 @@ milestones: done: status: unfinished payouts: - - date: + - date: amount: - date: amount: From fab8fd81281c20a1329e8bed2c137206dcab2724 Mon Sep 17 00:00:00 2001 From: spirobel Date: Sat, 1 Mar 2025 05:06:52 +0000 Subject: [PATCH 4/7] expand why section --- spirobel_monero_browser_wallet.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md index e691a98..024a54f 100644 --- a/spirobel_monero_browser_wallet.md +++ b/spirobel_monero_browser_wallet.md 
@@ -125,18 +125,20 @@ The Monero Payment Links product is 110, the Browser Wallet extension 125, the M ## Why -Currently Monero shoppers have to copy and paste addresses from the tor browser into their wallets. -This can be made more convenient and secure by a browser wallet. +The goal is to **remove all friction from the privacy enabled web shopping experience**. Currently most **Monero shoppers** have to copy and paste addresses from the tor browser into their wallets. This opens the door to unnecessary opsec failures, as it is easy to get confused and intimidated by long strings of random numbers. -The Monero Browser Wallet PoC that I wrote is fundamentally different from typical browser wallets. -Instead of injecting Javascript into the page and exclusively communicating via message events, it uses a REST api. -The initial trigger in the PoC still happens through a message, but the plan is to get rid of that. -As a result the checkout will work in a Javascript disabled environment while providing the same seamless user experience. +**A core part of staying private and safe online is to compartmentalize identities.** Qubes OS made some advancements in improving the UX of this activity by coloring different windows that are tied to different identities in a unique way. -The browser is still seen as a potentially large attack surface. -Even with all the security features and sandboxing techniques that -modern browsers employ, there is still the risk of 0day exploits. -This risk can be mitigated by spreading the secret key among multiple devices and necessitating access to all of them to sign a transaction. -The goal of the last milestone is to make this easy through the use of a multisig companion app. +The reality is, that installing a different operating system is a large ask for the average person. At the same time we need to onboard as many people as possible to these habits, so we can operate safely in the crowd. 
-tldr: the browser wallet makes monero web shopping more convenient and secure +The other venue of attack is **using the browser for compartimentalization.** And before anybody complains: no this does not involve untrusted javascript frontend code. + +There is a big difference between a browser wallet and web wallet. A web wallet is a flawed experiment that is borderline custodial, as it runs wallet code inside the context of a website. This is not to be confused with a browser wallet. +**A browser wallet runs trusted code as a compartmentalized, constrained program inside of a sandbox.** + +There is a massive opportunity here to reduce friction by making it easy to separate online identities. The TOR browser currently enables the use of one separate TOR circuit for each tab. **Imagine we have one monero address per tab that is used for login and to send and receive payments.** It makes it much harder to mess up. + +The potential that a browser wallet opens up goes beyond that. It opens up a new design space that means that **innovation can be modular**. The barrier to building something new is drastically lowered if you don't have to publish and distribute a wallet application to make the change that you have in mind. Users don't have to install new apps to try what you built. + +One last concern that comes up is that there might be zero day exploits in the browser, as it exposes a potentially larger attack surface. This can be mitigated by making the wallet a multisignature wallet and **using a second device like an android phone or a monero seedsigner to authorize every transaction.** +This means two devices need to be compromised to capture funds, which is unlikely. \ No newline at end of file From da2ae1cf7df907d0a05af7187b26be18dbca5466 Mon Sep 17 00:00:00 2001 From: spirobel Date: Sat, 1 Mar 2025 05:11:18 +0000 Subject: [PATCH 5/7] expand why section --- spirobel_monero_browser_wallet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md index 024a54f..1c9e51d 100644 --- a/spirobel_monero_browser_wallet.md +++ b/spirobel_monero_browser_wallet.md @@ -131,7 +131,7 @@ The goal is to **remove all friction from the privacy enabled web shopping exper The reality is, that installing a different operating system is a large ask for the average person. At the same time we need to onboard as many people as possible to these habits, so we can operate safely in the crowd. -The other venue of attack is **using the browser for compartimentalization.** And before anybody complains: no this does not involve untrusted javascript frontend code. +The other venue of attack is **using the browser for compartmentalization.** And before anybody complains: no this does not involve untrusted javascript frontend code. There is a big difference between a browser wallet and web wallet. A web wallet is a flawed experiment that is borderline custodial, as it runs wallet code inside the context of a website. This is not to be confused with a browser wallet. **A browser wallet runs trusted code as a compartmentalized, constrained program inside of a sandbox.** From 4e97ffeeb04fdc261bd860d02d6aab7a88410a5e Mon Sep 17 00:00:00 2001 From: plowsoff Date: Sun, 2 Mar 2025 15:48:50 +0000 Subject: [PATCH 6/7] front matter date / whitespace --- spirobel_monero_browser_wallet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md index 1c9e51d..82460c3 100644 --- a/spirobel_monero_browser_wallet.md +++ b/spirobel_monero_browser_wallet.md @@ -1,7 +1,7 @@ --- layout: fr title: Monero Browser Wallet -date: Feb 26, 2025 +date: February 26, 2025 author: Spirobel amount: 335 milestones: @@ -22,7 +22,7 @@ milestones: done: status: unfinished payouts: - - date: + - date: amount: - date: amount: From 30290b8242420788bb480d72b5555b457b3d33d7 Mon Sep 17 00:00:00 2001 
From: plowsoff Date: Sun, 2 Mar 2025 15:52:42 +0000 Subject: [PATCH 7/7] end with newline --- spirobel_monero_browser_wallet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spirobel_monero_browser_wallet.md b/spirobel_monero_browser_wallet.md index 82460c3..89d8d9f 100644 --- a/spirobel_monero_browser_wallet.md +++ b/spirobel_monero_browser_wallet.md @@ -141,4 +141,4 @@ There is a massive opportunity here to reduce friction by making it easy to sepa The potential that a browser wallet opens up goes beyond that. It opens up a new design space that means that **innovation can be modular**. The barrier to building something new is drastically lowered if you don't have to publish and distribute a wallet application to make the change that you have in mind. Users don't have to install new apps to try what you built. One last concern that comes up is that there might be zero day exploits in the browser, as it exposes a potentially larger attack surface. This can be mitigated by making the wallet a multisignature wallet and **using a second device like an android phone or a monero seedsigner to authorize every transaction.** -This means two devices need to be compromised to capture funds, which is unlikely. \ No newline at end of file +This means two devices need to be compromised to capture funds, which is unlikely.
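Review bot: in PATCH 1/7 the milestone amounts disagree between the front matter and the Milestones section. The front matter lists "Monero Payment Links + multi wallet syncing" at "funds: 90 XMR" next to a separate 20 XMR prepayment, while the text says "The Monero Payment Links product is 110". Both add up to 335, so either state that the 20 XMR prepayment counts toward Payment Links or use the same split in both places. The same hunk calls the browser wallet work "the second milestone" although it is the third entry under "milestones:". For the multisig deliverable, "both devices need to be compromised to access funds" reads as a 2-of-2 split; please state the threshold and what happens when one device is lost, since the task list only mentions "recovery from fresh scan".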
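Review bot: in PATCH 3/7, second hunk (@@ -22,7 +22,7 @@), the removed and added "- date:" lines are identical as shown, so this is a whitespace-only change that the subject "fix date" does not mention. It touches only the first of the four payout entries, and PATCH 6/7 changes the same line again. Suggest normalizing whitespace on all four "date:" and "amount:" entries in one commit and naming it in the subject.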
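Review bot: in PATCH 4/7 the rewritten Why section deletes the only technical description of how a page talks to the wallet (the removed lines "Instead of injecting Javascript into the page ... it uses a REST api" and the statement that checkout works with Javascript disabled) and replaces it with the bare assertion "no this does not involve untrusted javascript frontend code". Suggest keeping that paragraph and adding a sentence on how the REST api decides which site may request a payment and where the user confirms it, because that interface is what the security argument rests on. The added "one monero address per tab" idea has no matching item in the Implementation task list; either add a task or mark it as future work. The closing "which is unlikely" would be stronger with the reason stated.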
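Review bot: in PATCH 5/7 the changed line still reads "The other venue of attack is", which looks like it was meant to be "avenue", and "attack" is confusing in a paragraph that describes a defensive approach. Since the line is already being touched for the spelling fix, suggest something like "The other approach is using the browser for compartmentalization", and a comma after "no" in "no this does not involve".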