MobyMask, a new initiative from the MetaMask team to help proactively protect users from phishing, uses a dynamic web of trust for sourcing phishing reporters
Today crypto-phishing is out of control; it has become the domain of extremely professional organizations targeting many innocent people who are trying to participate in new forms of digital ownership with crypto.
You may have previously read about MobyMask, a new initiative from the MetaMask team to help proactively protect users from phishing, using a dynamic web of trust for sourcing phishing reporters.
That original version of MobyMask made it possible for any reporter to invite (or revoke invitations) for additional reporters, as well as submit (or clear) phishing reports. That first version had three major shortcomings:
Because every report is on the blockchain, in order to benefit from the list at all, each user needs access to a full node, and must trust that full node with whatever they want to check against the list: Twitter users, websites, anything. This was not great for privacy.
Because every report is on the blockchain, it costs some crypto to file every phishing report, which is not ideal. The phishers are clearly phishing cheaply, and so reporting them must also be cheap.
Because every report is on the blockchain, the average wallet does not keep a local copy of the phishing list, and so cannot help keep its network peers safer.
In that article, I mentioned how I hoped those problems could be addressed by some kind of truly peer-to-peer light client network that lets users directly share the select portions of the blockchain that are relevant to them (in this case, the phishing list). I also mentioned Laconic, which was still operating in stealth mode at the time, so most people didn’t know how it might relate.
Today I’m excited to announce that Laconic is coming out of stealth mode, and they chose MobyMask as a first demonstration of the power of their system.
Laconic is premiering today and launching a special MobyMask-caching Ethereum light client, which greatly reduces the cost for an individual or organization to host a trustworthy copy of the MobyMask anti-phishing registry. This creates a lightweight server process from which web services like MetaMask, WalletGuard, and Phishfort can start drawing their MobyMask phishing detection data, in a way that is easier for anyone to self-host.
Laconic is also working on a TypeScript version of their Watcher, which makes it possible for the list caching and peer-to-peer replication of that data to happen entirely from the browser.
In another future update, Laconic will also make it possible for users to gossip “counterfactual” phishing reports, which will allow phishing reports to have no cost to the reporter. These messages will be shared between peers, but will be fully provable on-chain, and the blockchain will only be needed for resolving conflicts in the registry and revoking access to reporters.
People running the MobyMask watcher client will both contribute to a more phisher-resistant web and gain access to a private API for looking up phishing reports, which they can then share as they like, either at no cost or for a fee.
While the initial version is a web of trust rooted within the MetaMask team (reporters are invite-only, so there is currently no way for just anyone to start reporting), we aim to eventually allow users to subscribe to any number of roots of trust for reporting phishers, and in time to let every user be their own root of trust for sharing or sourcing phishing information. A similar system could eventually work for verifying credible sources of other kinds of information, too (yes, that’s a big goal!).
In its final phase, we hope that any user who wants to will be able to run a “watcher” as part of their own wallet, so that server costs become effectively zero while the benefits are shared among everyone participating.
In Historical Context
At MetaMask, this is a very special day for us. At our first ever team retreat, a number of our team members (including Aaron Davis, Herman Junge, and Dmitry Ryajov) had a vision and kicked off a very similar project we called Mustekala. That work eventually stopped for various reasons, but we’ve long known that letting users cache state for the contracts they care about is a missing ingredient in allowing smart contracts to more fully decentralize.
In my office, I still have the original notepad sheet that the Mustekala team filled out when first forming the concept. It was a wonderful time, a great idea, and has remained out of reach until now.
At Laconic, Rick Dudley and his team have spent the last six years doing the hard work of building a special fork of Go-Ethereum (geth) that serves Ethereum data in the IPLD format, which makes it cheap and efficient for clients to request proofs of blocks of storage so they can gossip them to peers, along with the client-side code that lets clients gossip incomplete “slices” of the blockchain state and exposes that state via a GraphQL API. It’s hard to overstate what an achievement this is for bringing down the computational cost of privacy, for scalable data distribution, and for the speed of data lookups for users who repeatedly use the same contracts but don’t necessarily run their own full node.
Get Started Today
If you want to try out MobyMask, you can head to mobymask.com. If you’d like to try out self-hosting an IPLD-gossiping fork of geth, you can get started using this guide from Laconic here. If you’d like to build a browser-based application that draws from the Laconic MobyMask network, you can monitor progress on the mobymask-watcher here.
If you’re a developer who’d like to try setting up Laconic to help gossip and distribute access to another smart contract, you can follow the Laconic docs here.
If we’re going to build anything of value out of decentralized technology, we need to basically eliminate phishing from the equation. It’s going to take a lot of our creativity and ingenuity to put it all together, and we’re happy that Laconic and the Delegatable framework combine so well to create a highly scalable and privacy-preserving application whose safety remains rooted on the blockchain.