Ethereum

You use Chrome. Imagine for a moment that Chrome sent 𝙚𝙫𝙚𝙧𝙮 𝙐𝙍𝙇 𝙮𝙤𝙪 𝙫𝙞𝙨𝙞𝙩𝙚𝙙 to Google.

That would be outrageous, right?

web3 is about doing better than this.

Well, what if your wallet did the very same thing? 👇

Contributor @ /walletbeat.

Censorship resistance requires privacy.

The above screenshot is a network capture of a popular browser extension wallet.

Which wallet is in the screenshot?

That's not important.𝗣𝗿𝗲𝘁𝘁𝘆 𝗺𝘂𝗰𝗵 𝗮𝗹𝗹 𝘄𝗲𝗯𝟯 𝘄𝗮𝗹𝗹𝗲𝘁𝘀 𝘄𝗼𝗿𝗸 𝘁𝗵𝗶𝘀 𝘄𝗮𝘆.

That needs to change.

𝙒𝙝𝙮 𝙬𝙤𝙪𝙡𝙙 𝙬𝙖𝙡𝙡𝙚𝙩𝙨 𝙙𝙤 𝙩𝙝𝙞𝙨?

UX. Wallets need to fetch token balances etc. This leaks your Ethereum address.

But... why also leak the site you are visiting? Wallets want to check if the URL you are on is a known scam site.
They snitch the URL by doing so.

𝙄𝙨 𝙩𝙝𝙚𝙧𝙚 𝙖 𝙗𝙚𝙩𝙩𝙚𝙧 𝙬𝙖𝙮?

Yes.

Chrome warns you when you are about to visit a scam website as well (a feature called "Safe Browsing"), yet does not leak every URL you visit to Google.

(Caveat: Chrome has an alternative feature called "Enhanced Safe Browsing" which 𝗱𝗼𝗲𝘀 leak the full URL you are visiting to Google.)

(Don't use it.)

𝙒𝙖𝙡𝙡𝙚𝙩𝙨 𝙘𝙖𝙣 𝙙𝙤 𝙩𝙝𝙚 𝙨𝙖𝙢𝙚.

A wallet should 𝙣𝙤𝙩 leak more than one of the following at once:

1️⃣ Your IP addres.
2️⃣ Your Ethereum address
3️⃣ The URL you are visiting

The technology to avoid leaking this exists.
Just a matter of execution.

walletbeat

𝙃𝙤𝙬 𝙙𝙤 𝙬𝙚 𝙜𝙚𝙩 𝙩𝙝𝙚𝙧𝙚?

/walletbeat is doing its part. 🫡

This is tracked as part of the 🔗 𝗔𝗱𝗱𝗿𝗲𝘀𝘀 𝗰𝗼𝗿𝗿𝗲𝗹𝗮𝘁𝗶𝗼𝗻 attribute.

It asks: Can a third-party correlate your Ethereum address with other personal information?

𝙒𝙝𝙖𝙩 𝙘𝙖𝙣 𝙄 𝙙𝙤 𝙖𝙗𝙤𝙪𝙩 𝙩𝙝𝙞𝙨?

2 things:
1️⃣ Try doing a network capture on your wallet! See below for instructions. You'll probably be surprised at what you find.
2️⃣ Let your wallet dev know you care about this. File bugs, write feedback, cast about it.

𝙃𝙤𝙬 𝙩𝙤 𝙘𝙝𝙚𝙘𝙠 𝙬𝙝𝙖𝙩 𝙢𝙮 𝙬𝙖𝙡𝙡𝙚𝙩 𝙞𝙨 𝙙𝙤𝙞𝙣𝙜?

   Manage Extensions
→ Details
→ ☑️ Developer Mode
→ Inspect views: Service worker
→ "Network" tab

Now keep that window around while doing transactions on your favorite frontend.

Hope this was informative!

If this type of thing is interesting to you, consider contributing to /walletbeat. This sort of thing is what we watch for so others don't have to. 🫡

Looking for help with network captures of popular wallets and recording what they leak.

𝙃𝙤𝙬 𝙙𝙤𝙚𝙨 𝙞𝙩 𝙙𝙤 𝙩𝙝𝙞𝙨?

It hashes the domain part of the URL, pick the first few bytes, and retrieves a list of domains whose first few bytes are the same.

It retrieves this list through an anonymizing proxy.

Google doesn't learn your IP, nor the site you visited.