Trezor - Private Key JSON-RPC/Sign view is it possible? (MetaMask => Frame)

Hi!
Classic MetaMask with Trezor user here!

From what I have read, even from topics/FAQs like - (Using Trezor on infected PC’s), I don’t think it’s possible to access the Trezor’s private keys, and when I mean “access” I mean MetaMask e.g., meaning an extension to “ask” permission to check the private key (I think there isn’t any RPC call even to do it).

So my 2 questions can be divided in the following ones:

  1. Does anyone have already tested Frame (frame.eth @ Twitter)? Is it “trustable”? “Can” we trust on MetaMask (if yes, why?)

  2. We are starting to see some “Sign” operations being asked to authorise. From what I see/read this is (one of) the actual problems with UI/UX because it’s very difficult to see what we are signing right? What can be the risks?

Thank you!
(Carrot) Regards

Hi @therabbitsneaks

Generally, when a third party app is used, only public keys are exported. The private key never leaves the device. All txs are signed by private keys safely stored on Trezor device.

Speaking of frame.eth, never tested, nor used it anytime before.

Hi @pavel!
Thanks for your prompt response!

So, conceptually, even if someone is using a “fraudulent”/“hijacked” app/extension, the private keys couldn’t be extracted, right? Users would only to be careful with what they are approving, watching it in Trezor on-screen.

As stated in the OP, in the future the “problem” is most probably when we start to see instead of doing/approving transactions, when we start to see “sign” transactions with EIP-712 e.g. the UX/UI on-screen for the Trezor will need to keep up, right?

Thank you.
Best Regards,
C

Correct.

Right, as far as I know, recently our devs have been working on EIP-712 already.

1 Like