An Inside Look Into the Surprisingly Pleasant Rivalry Between Ledger and Trezor

Trezor and Ledger, two of the most prominent hardware wallet manufacturers, have long been locked in a rivalry.

As part of Cointelegraph’s interview with Charles Guillemet, the CTO of Ledger, he revealed that the relationship is more complex than it may seem at first. Despite the rhetoric, cooperation and respect can be found as well.

A collaborative rivalry

Guillemet said that he doesn’t know who started the rivalry, as it goes back to the “very beginning of the Ledger and Trezor companies.”

“I think things got more serious when I created the Donjon, which is our internal security team,” he conceded. The Donjon was one of the first innovations introduced by Guillemet when he joined Ledger, due to his belief that the only way to design a secure system is to “try to break it, many times.”

While the Donjon focused on Ledger wallets, they also began looking at competitors’ products. “In the beginning that was mostly by curiosity. We just wanted to know how they work,” he said.

That study resulted in the team finding vulnerabilities in “every single wallet that we looked at.” Guillemet noted:

“When you find a vulnerability, the right thing to do is to report it to the vendor. And that’s what we did.”

The vendors then fixed the vulnerabilities, even giving bounties to Ledger some of the time. Regarding Trezor, he mentioned a “battle of PR” between the companies, adding:

“In the end, one thing which is totally true, is that the wallet security of Trezor improved a lot because of us.”

While Guillemet didn’t remember the exact number of vulnerabilities reported to Trezor, he said they were about “six or seven.” All of them were patched except one, which was unfixable due to the fundamental design of Trezor’s chips.

Due to this, the Ledger team didn’t disclose its details, though they were independently reported a year later by Kraken’s security team.

Open source vs. security

The reason why the bug is unfixable is that Trezor uses a so-called MCU chip in its wallet, which is used in common household appliances and was not meant for secure data storage, Guillemet explained. When asked why, he said that this was a conscious design choice:

“They’re of strong belief in open source philosophy, and when you use the Secure Element, you have to sign an NDA with the chip manufacturer, which prevents you from giving any information on what is going on inside the chip.”

The Secure Element used by Ledger contains many countermeasures, which an open source firmware would likely reveal. According to Guillemet, secure elements are unacceptable to Trezor as they want to keep their software completely open.

Guillemet said that open source software is “an excellent thing” and noted that he personally contributed to some projects. “But when you design a security system, I think security is the most important thing.”

While he conceded that open source software could be a security benefit due to additional scrutiny, this isn’t enough:

“Since it prevents you from using a dedicated Secure Element, in the end you end up with a less secure system.”

Guillemet shared that he has a “good relationship personally with people at Trezor,” referring to them as “very fascinating guys” — even if the two teams’ philosophies are different.



cointelegraph.com