SSL/TLS for IRI: Using HTTPS with the Upcoming Trinity Wallet

Security May 20, 2018

Update: The IOTA reference implementation (IRI) is deprecated with the Chrysalis network upgrade and will no longer work with the protocol changes. We recommend switching to the Hornet or Bee node implementation.

Update: The IOTA Trinity wallet is deprecated with the Chrysalis upgrade and will be replaced by the new Firefly wallet. You can easily transfer your tokens following these instructions.

With the Trinity mobile beta approaching, it is important that node owners are suitably prepared. Mobile app stores require that all data traffic is encrypted with SSL/TLS. If you’re not sure what SSL and TLS do, here’s a quick video to explain it:

Mandatory SSL/TLS is necessary in Trinity for a few reasons. First, Apple requires App Transport Security (ATS) to be enabled in all apps submitted to the App Store. Developers who submit apps without ATS must justify their decision to disable it. Additionally, browsers such as Google Chrome plan to mark any website that does not use HTTPS as “not secure.” As part of the Foundation’s continued efforts to follow best practices, Trinity will not allow non-HTTPS connections.

Unlike online stores, node owners do not handle highly sensitive information like credit card numbers. Trinity does not send your seed anywhere, so encryption isn’t imperative as there is no risk to your funds. However, if unencrypted, the data that the wallet sends can pose a potential risk to your privacy and user experience.

Let’s say you go to a coffee shop and connect to the public WiFi. An eavesdropper is there, listening in on your connection. You open Trinity and send some IOTA to pay for your coffee. Without the encryption TLS provides, the eavesdropper can see the transaction you sent and know that it was you who made it. One of the main pillars of distributed ledgers is pseudonymity; by sending your transaction over an unencrypted connection, the eavesdropper now knows the balance of your address along with some information about your transaction. With TLS, the transactions you make on the Tangle are less easily connected to your real-world identity.

If you’re a user, you don’t need to do anything. In the upcoming Trinity wallet all supported nodes will be using HTTPS.

If you’re a node owner, it’s now easier than ever to get an SSL/TLS certificate and install it on your node if you use Ubuntu or Debian. In collaboration with community member eukaryote, we’ve developed a program to automatically install a free certificate from Let’s Encrypt. We are excited to release an accompanying tutorial on the new IOTA Ecosystem website!

Update: This program may cause issues with IRI Playbook installations. Playbook users should not use this program at this time.

Rajiv Shah

DevOps Engineer @ IOTA Foundation | Data Science @ Penn State University