by kiratp 1292 days ago
The only way to be sure that your HSM is about to sign what you told it to is if it shows you what was sent to it to sign. Otherwise you’re trusting that something didn’t MITM between your computer and the HSM (e.g. the driver) such that you see one thing but end up signing something else.

I don't think this is true: I can be certain that my HSM signed what I wanted it to sign by verifying the signature against my known input. I know what I asked it to sign, so this is trivial.

A screen doesn't eliminate the necessity of this check; it's a pure convenience. And that's not to say that it's a bad one, per se, just one that is in tension with the normal key management desiderata (as few moving pieces as possible, as little code as possible, etc.).

> I can be certain that my HSM signed what I wanted it to sign by verifying the signature against my known input.

But what if, after checking, you realize that instead of "send $50 to $friend for dinner", you signed "send my life savings to $fraudster"? That's the main attacker model of cryptocurrency wallets.
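The two positions above (verify the signature against the input you meant to sign, versus have the device show you what it actually received) can be modelled in a few lines. The following is an added example written for this thread, not code from any commenter or from any hardware wallet or HSM vendor. It assumes a toy device that signs exactly the bytes it receives, a host "driver" that may or may not substitute the transaction on the way, and HMAC-SHA256 standing in for the device's signature algorithm so it runs on the standard library; with a public-key scheme the verify step would use the public key instead of the shared secret. All keys and transaction strings are constructed.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed values for the example; none of these come from a real product.
KEY = b"secret-that-never-leaves-the-device"
INTENDED = b"tx:to=friend;amount=50;memo=dinner"
SUBSTITUTED = b"tx:to=fraudster;amount=ALL;memo=dinner"

Approver = Optional[Callable[[bytes], bool]]


def device_sign(msg: bytes, approve: Approver = None) -> Optional[bytes]:
    """The device signs exactly the bytes it receives.

    A device with a screen shows those bytes (not what the host displayed)
    and runs `approve` on them; it refuses to sign when the user rejects.
    A screenless device has approve=None and signs blindly.
    """
    if approve is not None and not approve(msg):
        return None
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def verify(msg: bytes, sig: bytes) -> bool:
    """Verify a signature against the message the host intended to sign.

    This is the after-the-fact check the thread discusses: recompute over the
    intended input and compare in constant time.
    """
    expected = hmac.new(KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def honest_driver(msg: bytes, approve: Approver = None) -> Optional[bytes]:
    """Passes the host's message through unchanged."""
    return device_sign(msg, approve)


def tampering_driver(msg: bytes, approve: Approver = None) -> Optional[bytes]:
    """Models the MITM from the thread: host shows INTENDED, device gets SUBSTITUTED."""
    return device_sign(SUBSTITUTED if msg == INTENDED else msg, approve)


def user_reads_screen(shown: bytes) -> bool:
    """The user approves only the transaction they actually meant to make."""
    return shown == INTENDED


def sign_and_check(driver, approve: Approver = None) -> dict:
    """Ask the device (through `driver`) to sign INTENDED and report what happened."""
    sig = driver(INTENDED, approve)
    return {
        # Did the device emit a signature at all?
        "signed": sig is not None,
        # Does it verify against what the host meant to sign? (the commenter's check)
        "matches_intended": sig is not None and verify(INTENDED, sig),
        # Does it verify against the substituted transaction? If so, the host
        # already holds a usable signature before the check above ever runs.
        "valid_for_substituted": sig is not None and verify(SUBSTITUTED, sig),
    }


if __name__ == "__main__":
    print("honest, no screen:     ", sign_and_check(honest_driver))
    print("tampering, no screen:  ", sign_and_check(tampering_driver))
    print("tampering, with screen:", sign_and_check(tampering_driver, user_reads_screen))
```

Running it shows the tension in the thread: with a tampering driver and no screen, the after-the-fact verify does flag the mismatch (`matches_intended` is False), but `valid_for_substituted` is True, so the compromised host already has a signature it can submit. With the on-device approval step the device never produces that signature in the first place.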

That's the kind of attacker model I wouldn't invite in the first place!

But more seriously: I've never fully understood why this is such a common issue with cryptocurrencies. My understanding of how Bitcoin works is that you need to actually submit your transaction for inclusion in a block, meaning that you have ample opportunity to verify the transaction's correctness before offering it for submission. Why aren't hardware wallets encouraging that?

> you have ample opportunity to verify the transaction's correctness before offering it for submission

I think the idea is that malware on your computer could submit the signed, fraudulent transaction against your will.

Where would you verify the transaction and potentially choose to not submit it?

If it's on your computer or phone, this means that you trust it enough to not need a hardware wallet in the first place.

If your computer is compromised, you can trust the attacker to take care of the submission for you.

How is the rest of the network supposed to tell the difference between you signing and submitting a transaction and you signing and then a malicious program on your machine submitting the transaction?