Web3JS – Understanding web3.eth.sign, web3.eth.accounts.sign, and web3.eth.personal.sign Functions


Which function should be used to sign a message locally? Which function is the most secure?

Best Answer

Which one you should use depends on whether you're running a node (like geth or parity), and whether that node has an unlocked account.

Scenarios:

  1. No node? eth.accounts.sign
  2. Node with unlocked account? eth.sign
  3. Node with locked account? eth.personal.sign

eth.sign

eth.sign(dataToSign, address [, callback]) is a convenience function that accepts an address that your node controls, and returns a Promise for a string that is the signature. It will only work on accounts that are already unlocked.

Signs data using a specific account. This account needs to be unlocked.

A risk factor is leaving your account unlocked. That means that any process capable of interacting with your node has arbitrary access to act on your behalf.

eth.personal.sign

eth.personal.sign(dataToSign, address, password [, callback]) is nearly the same, but allows you to include a password for accounts that are locked.

Signs data using a specific account.

A risk factor is passing your account password around in plaintext. Anything with access to that variable has your password.

eth.accounts.sign

eth.accounts.sign(data, privateKey) is a lower-level tool that allows you to pass in the private-key directly. It is synchronous, and returns more details than just the signature.

Signs arbitrary data. This data is UTF-8 or HEX decoded beforehand and enveloped as follows: "\x19Ethereum Signed Message:\n" + message.length + message.

A risk factor is passing your private key around in plaintext. Anything with access to that variable can do arbitrary things with your account.

Security

You're right to be paranoid, but the problems are less likely to come from the web3.js library itself, and more likely to come from how you store the variables, and ports you leave open for access. Note that web3.js v1 is still in beta, and I'm not sure when they last had a security audit.

Be very careful, and get your code audited by well-respected security professionals.