Why is EOSJS JsSignatureProvider considered insecure?


In the eosjs docs (https://developers.eos.io/manuals/eosjs/latest/faq/what-is-a-signature-provider) it's said that JsSignatureProvider is insecure. Why exactly is it insecure? I'm kinda new and would like to use it in my backend pet project. I feel like if I'm gonna write my own signature provider I would just reinvent eosjs JsSignatureProvider.


1 answer

Serg Metelin (best answer)

The main reason why JsSignatureProvider is insecure is that the constructor takes the private keys directly to perform the signing (which can be exposed to potential attack vectors, i.e., malicious extensions, etc.).

A more secure way may be to route the signing requests to a secure enclave without exposing the private keys, perform the signing there, and get back the signature.
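
The routing described in the answer, as an added example that is not part of the original answer or of eosjs itself: a provider exposing the same `getAvailableKeys()` / `sign()` methods eosjs calls on a signature provider, but forwarding only a digest to a remote signer. The class name `RemoteSignatureProvider` and the `signerClient` object with its `listKeys()` and `signDigest()` methods are hypothetical stand-ins for whatever enclave, HSM or KMS client is actually used.

```javascript
const { createHash } = require('crypto');

// Digest layout hashed by eosjs's JsSignatureProvider before signing:
// sha256(chainId || serializedTransaction || sha256(contextFreeData) or 32 zero bytes)
function transactionDigest({ chainId, serializedTransaction, serializedContextFreeData }) {
  const cfd = serializedContextFreeData
    ? createHash('sha256').update(serializedContextFreeData).digest()
    : Buffer.alloc(32);
  return createHash('sha256')
    .update(Buffer.from(chainId, 'hex'))
    .update(serializedTransaction)
    .update(cfd)
    .digest();
}

// Same two methods eosjs expects from a signature provider, but no private key
// is ever passed to the constructor or held in this process.
class RemoteSignatureProvider {
  // signerClient is a HYPOTHETICAL client for an enclave/HSM/KMS-backed service:
  //   listKeys() -> Promise<string[]>                      public keys it can sign for
  //   signDigest(publicKey, digestHex) -> Promise<string>  signature string
  constructor(signerClient) {
    this.signer = signerClient;
  }

  async getAvailableKeys() {
    return this.signer.listKeys();
  }

  async sign({ chainId, requiredKeys, serializedTransaction, serializedContextFreeData }) {
    const available = new Set(await this.getAvailableKeys());
    const missing = requiredKeys.filter((key) => !available.has(key));
    if (missing.length > 0) {
      throw new Error(`remote signer holds no key for: ${missing.join(', ')}`);
    }
    const digestHex = transactionDigest({ chainId, serializedTransaction, serializedContextFreeData }).toString('hex');
    const signatures = [];
    for (const key of requiredKeys) {
      // Only the public key and the 32-byte digest leave this process.
      signatures.push(await this.signer.signDigest(key, digestHex));
    }
    return { signatures, serializedTransaction, serializedContextFreeData };
  }
}
```

An instance of this class is passed as the `signatureProvider` option of the eosjs `Api` constructor in place of `JsSignatureProvider`.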