Secure Chat Starts with Decentralized Identity
How Console Protects Communities
March 16, 2023
September 1, 2022
Identity compromise is the root cause of nearly all Discord hacks.
At Console, we’re innovating on how our Web3 chat app can protect communities from identity compromise. Here are five reasons why we believe Console is the best Web3 Discord alternative.
1. Web Wallets Protect You From Discord Bot Hacks
On Console, there’s no need for third-party bots. Verification with Discord bots leads to a whole host of security issues. With Discord, your individual security relies on the security of the bots you install, the security of the bots’ employees, and the digital hygiene of your community’s admins. Using bots for identity creates a large surface area for attack!
By removing authentication with bots, and natively building web wallet chat directly into Console, we removed an entire class of bot-related vulnerabilities.
2. Token-gated Communities Filter Spam
Token gating allows you to decide who has access to your Web3 community.
Admins of each Console community can choose their gating rules. Admins will choose from the following Web3 gating tools:
- Wallet Address — Anyone who connects with a web wallet (MetaMask, Hiro Wallet, etc.) can join your community
- Tokens — Anyone holding the required number of tokens can join your community. At the moment we support the ERC-20 (Ethereum) and SIP-010 (Stacks) standards.
- NFT — Anyone with a particular NFT can join your community. If you have an NFT community, we will read directly from your smart contract, or you can use our whitelist feature to secure your chat.
- .eth — Anyone with a .eth (ENS) name can join your community.
- .btc — Anyone with a .btc (BNS) name can join your community.
Token gating uses the blockchain to verify true members of your community and keep spam out. If you have additional ideas for token gating, or additional chains you’d like to see supported, please let us know on Twitter @consoledao.
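As an added example (not Console's code) of how an ERC-20 gate rule like the one above can be checked, the following builds the eth_call request for balanceOf and evaluates the reply against an admin's threshold; the contract address, wallet address and RPC reply are constructed placeholders.

```javascript
// Added example (not Console's code): an ERC-20 token gate as the eth_call request a
// gate service would send plus a decoder for the reply. Addresses and the RPC reply
// below are constructed placeholders, nothing is fetched from a node.

// keccak256("balanceOf(address)") truncated to 4 bytes: the ERC-20 balanceOf selector.
const BALANCE_OF_SELECTOR = '70a08231';

function isHexAddress(addr) {
  return /^0x[0-9a-fA-F]{40}$/.test(addr);
}

// Build the JSON-RPC eth_call asking the token contract for a wallet's balance.
// The address argument is ABI-encoded as one 32-byte word, left-padded with zeros.
function buildBalanceOfCall(tokenContract, wallet, id = 1) {
  if (!isHexAddress(tokenContract) || !isHexAddress(wallet)) throw new Error('invalid address');
  const arg = wallet.slice(2).toLowerCase().padStart(64, '0');
  return {
    jsonrpc: '2.0',
    id,
    method: 'eth_call',
    params: [{ to: tokenContract, data: '0x' + BALANCE_OF_SELECTOR + arg }, 'latest'],
  };
}

// Decode the uint256 reply. An empty "0x" (no contract code at the address) or any
// malformed word counts as a zero balance, so the gate fails closed.
function decodeBalance(resultHex) {
  if (typeof resultHex !== 'string' || !/^0x[0-9a-fA-F]{64}$/.test(resultHex)) return 0n;
  return BigInt(resultHex);
}

// Gate rule: the holder must own at least minTokens whole tokens. BigInt keeps the
// comparison exact for 18-decimal balances that overflow Number.
function meetsTokenGate(balanceRaw, decimals, minTokens) {
  return balanceRaw >= BigInt(minTokens) * 10n ** BigInt(decimals);
}

// Constructed sample: a wallet holding exactly 150 tokens of an 18-decimal token.
const SAMPLE_TOKEN = '0x' + '11'.repeat(20);
const SAMPLE_WALLET = '0x' + '22'.repeat(20);
const SAMPLE_RESPONSE = '0x' + (150n * 10n ** 18n).toString(16).padStart(64, '0');

function demoGate(minTokens) {
  const req = buildBalanceOfCall(SAMPLE_TOKEN, SAMPLE_WALLET); // would be POSTed to an RPC node
  const balance = decodeBalance(SAMPLE_RESPONSE);              // constructed reply, not fetched
  return { calldata: req.params[0].data, allowed: meetsTokenGate(balance, 18, minTokens) };
}
```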
3. Console Doesn’t Own Your Identity, You Do!
When the Ledger Wallet was hacked in 2021, I feared for my parents’ safety. The headline read, “Hacker publishes stolen email and mailing addresses of 270,000 Ledger cryptocurrency wallet users.”
It turned out it wasn’t the Ledger Wallet that was hacked; it was the mailing list of everyone who had purchased a Ledger wallet. Why is that so scary? When I purchased my Ledger, I sent it to my parents’ house. Now, my parents’ address was published on the Internet in connection to the Ledger hack. Anyone could see their home address and make the reasonable assumption that there could be a Ledger Wallet, potentially with a lot of cryptocurrency, in the house.
Data breaches leave us all feeling unsafe. Sometimes it’s a home address; other times it’s an email used for targeted phishing attacks or for identity fraud. Facebook, GitHub, Equifax, and Bank of America have been victims of data breaches, resulting in millions of users' private data being stolen – data that is used to target you with spear-phishing, bank fraud, identity theft, and other hacks.
“Not your keys, not your money,” is a common refrain in the crypto community. The phrase means: if you are trusting your cryptocurrency to a third party like Coinbase, Cash App, or OpenSea, then you don’t really own those assets because they’re not fully in your custody. You trust these apps, but they are the owners of your assets.
At Console, we like to say, “Not your keys, not your identity.”
We don’t store your private keys in our database. We store only a record of your public web wallet keys, and access is granted when you sign with your web wallet, which proves you hold the matching private key. If Console’s database were hacked, we don’t have your identity to lose: we can’t masquerade as you, and we can’t read or look at your messages.
Google used to use the slogan “Don’t Be Evil” to remind employees to practice good moral judgment. At Console, we take the approach of “Can’t Be Evil.” We don’t have your identity, you do.
4. End-to-end Encryption In Private Rooms
Group chat is secured with end-to-end encryption (E2EE), the same level of privacy used by Signal and WhatsApp. Your E2EE data is never stored on our servers; it is only ever stored on your device.
Community rooms will not use E2EE and instead will use AES-256 encryption. Why? If your community uses E2EE, new users won’t be able to see chat history. What we’ve heard from a majority of communities is that there is a need to preserve a community’s history, and to make that searchable for new members.
Therefore group rooms have the option of E2EE (data stored only on your device), community rooms use server-side AES-256 encryption (messages are stored on our server, encrypted at rest), and DMs are always secure and private by default.
Secure Chat vs. Safe Chat
While ideally all technologies should be “secure” at a minimum, a secure technology is often not enough. Safe technologies are secure technologies that are difficult to use incorrectly or insecurely.
Console aims to be safe by design.
We’re taking a progressively decentralized approach over time, and recognize that safe Web3 chat starts with secure identity. As such, Console will never use email/password authentication, only decentralized identities.
In doing so, we believe we’ll be able to lead Web3 communities onto a new “Can’t be Evil” internet. We’d love to have you join us. Please follow us on Twitter @consoledao and let us know what security features you’d like to see.