Desktop Suite vs Web Suite. Risk consideration

Hi all,

This topic has been asked about at least twice, and I have read the replies so far.
They do not cover my question fully so I hope it is ok to ask here in more detail.

My aim:
I want to reach maximum security in interacting with the blockchain balance using Trezor. In both scenarios, I need to trust someone, and since I do not know anyone involved I’d rather go with a “trust no one” sort of maxim. To fully understand the implications of either alternative, let me ask the following:

Alternative A) Use Desktop Suite

  • I would need to trust SatoshiLabs. Is the code open source, as is the code for the firmware? How can I be sure that there are no backdoors/malicious functionality?

  • Download the Desktop app from Trezor: how is it 100% guaranteed that the file I download is of Trezor origin and has not been altered? My guess would be to check if the download has been signed by SatoshiLabs, which I would do, of course.
    How can I additionally make sure that the file is of good origin? Any suggestions?

  • How is it guaranteed that the updates are not adding malicious functionality? How can this be double-checked? Are the updates loaded within the app or is it necessary to download them manually?

  • What would a malicious desktop app be able to do with the funds, since, at least from what I understand, private keys never leave the Trezor? What would be the worst-case scenario here?

Alternative B) Use web app

  • I would need to trust the issuer of the browser and the bookmark to be good. The quality and origin of the browser would be checked by issuer signing, as with the desktop app. Any additional suggestions to improve on that point?

  • How can I make 100% sure that the bookmark has not been altered since creation? Check certificate and URL? What would the certificate details need to be to make sure it is of good origin and not altered by a third party?

  • What would a malicious web app URL be able to do with the funds, since, at least from what I understand, private keys never leave the Trezor? What would be the worst-case scenario here?

Thanks for reading up to this point - I hope that these additional questions lead to full clarity on the risks of the two options.

Tbh, none of them sound good to me, since additional steps and trust are necessary and, as stated above, we seem to live in “trust no one” times, sadly. So if possible, a real benefit in product design would be if the trust-requiring steps were reduced by design.

Nonetheless I really think that Trezor is the best choice and am hoping that you can shed light on the topics above.

Thank you

No ideas from anyone? Topic too long/complex? Any thoughts on how to make it more worthy to reply?

@Petosiris, @forgi
Sorry to bother you. Any thoughts from you guys regarding this topic?

@matejcik: since no one has replied so far, I hope that maybe you could respond or at least give a hint why none of the experts responded.

The topic mentioned in my initial post really concerns me and I think it’s worth clarification not only for me but for others as well.

Thank you

The short version is, there is no meaningful difference in terms of security between the web app and the desktop app. Trezor’s security model holds up even if your PC is completely subverted.

With regards to verifying authenticity of Trezor Suite, I recommend starting at the Trezor Knowledge Base which answers most of your individual questions.

Nothing, unless you manually confirm it. The only way an app can touch your funds is to nicely ask the Trezor device to do it.

Less than nothing, because malicious web apps cannot even talk to Trezor unless you explicitly click through some confirmations.
If you do that, largely the same thing a desktop app can do.

The biggest risk from using a malicious app is that it will scam you into doing something you didn’t intend to do. The most typical malicious apps will just straight up ask for your seed phrase. It bears repeating that you never ever enter your seed phrase into a computer or tell it to anyone.
Not if the computer claims a FATAL ERROR or YOUR FUNDS ARE AT RISK.
Not if you want to redeem rewards.
Not if the friendly support person on the phone absolutely can’t help you without it. (Remember, Trezor people will never ask for your seed phrase, plus, we don’t even have phone support.)
Not if the police officer on the phone is threatening to charge you with fraud or money laundering or illicit trade or anything.
(Maybe if you are actually physically present inside a real-world police station, and your lawyer, whom you yourself contracted and have seen before, is recommending that you do it.)

The second biggest risk is clipboard hijacks, i.e., you copy-paste a crypto address and the malware changes it. Ideally you would always want to confirm the address on the Trezor screen against another device, such as your phone.

Thanks a lot for your reply! 🙂