What To Do with Ledger...
Co-published on Odysee, Publish0x and Read.cash.
By the time you read this, you may already have read several articles, videos, and blog posts about Ledger's major fuck-up. The announcement of its recovery service raised a lot of people's eyebrows. In particular, customers grew very concerned about the sharding of the private keys to 3rd parties and how it introduces a potential backdoor.
Ledger has always advertised its wallets to be secure because the private keys never leave the secure element chip and a firmware update cannot extract the private keys from the chip. However, with the way Ledger Recover works, the private keys can effectively be extracted. Sure, technically the shards are extracted, not the entire private key in .txt. Sure, the individual shard is useless according to Ledger. On the other hand, this runs contrary to what Ledger advertised. Presumably, the only way to get the private key is when you first generate them, write it down, and keep it in a secure place. That presumption turned out to be wrong.
While Ledger says it's optional and requires the user to opt-in, it did not instill confidence amongst the users. Today may be opt-in, but tomorrow it becomes opt-out. What if the firmware extracts your private key without you knowing? What if the government shakes down the 3rd parties that hold the shards and they rat you out?
Making matters worse is Ledger's lack of transparency. While Ledger states that sharding will not happen unless you perform a physical button press to give consent, how can we know that this is case? The firmware is closed source, so there is no way for users to check and verify that there is nothing nefarious built into the code.
So what should be done with Ledger? The backlash is rather severe and while Ledger has been responding to feedback, its responses did little to directly address the privacy concerns. Some have made good suggestions such as make a totally separate hot wallet service with Ledger Recover and not involve the hardware wallets at all. Others have called for Ledger to open source the firmware to which I fully agree and I think more people should follow suit. Trust is a two-way street and giving customers the means to check the code may be Ledger's best option to salvage the PR disaster.
But let's say Ledger lost all of your trust, what is the alternative? Trezor has a similar problem with its partnership with Coinjoin. ColdCard is a good choice as its firmware is available on GitHub, but it only holds Bitcoin. Keystone may be a viable option as it can hold multiple coins and both its hardware and firmware designs are open source.