Is Ledger Open Source? Is it Trustworthy?
Jan 15, 2024
KEY TAKEAWAYS:
— Ledger, consisting of both hardware and software, puts security first, but it is also committed to open sourcing as much of its tech as possible to make its ecosystem as trustless as possible.
— Ledger Live is fully open source, with parts of the OS following suit, including the cryptographic library, Ledger Recover and more.
— Ledger devices have never been hacked, due to the Ledger Security Model protecting each of its devices and apps.
The Ledger ecosystem goes way beyond hardware, aiming to give users the knowledge and power to look after their own assets. Offering world-class security is at the core of Ledger’s ethos—not just for its hardware, but for its software too. A team of world class experts and engineers, along with the white hat hackers in the Ledger Donjon, work together to make sure your crypto stays safe from both physical and digital threats when transacting within the ecosystem. Due to this team and Ledger’s world class security model, Ledger devices have never been hacked.
Alongside this focus on security, Ledger has a commitment to its community and a dedication to self-custody. It aims to be as transparent and trustless as possible. To work towards these values, Ledger open sources as much of its code as possible.
However, revealing all of the code to anything may also reveal a vulnerability. There is a lot of code in the Ledger ecosystem, and some parts might not be as safe to share as others.
As a result, some of Ledger’s ecosystem is open source, but other parts are not. It’s all about keeping your crypto as secure as possible.
Let’s explore the ecosystem:
Is Ledger Fully Open Source?
Ledger Live
Yes, Ledger Live code is completely open source under an MIT license, meaning you are free to copy or fork it at will. That means anyone can become a developer of an app on Ledger Live. Some developers may decide to create a solo integration where there is no interaction with Ledger, no code review and no Ledger-led support for your community. This is completely fine, but it is the rarer of the two options.
The other option is to have your blockchain or app supported fully in Ledger Live. This involves various Ledger teams, including product and support, which will help you release an app that pleases everyone.
That said, no matter which method you choose, Ledger Live code is completely open-source, so the choice is really yours.
Ledger Firmware
For now, Ledger firmware is partly open source. Firmware primarily refers to the embedded software and operating system of Ledger devices. So far, the cryptographic library, which is part of Ledger OS, is already completely open source. Plus, Ledger Recover will also follow suit, allowing everyone to audit cryptographic protocols and even build their own fragments backup provider.
In addition, the Ledger SDK is also fully open source, meaning that anyone can build applications for a Ledger device. Beyond that, 50+ applications in its ecosystem are already open source.
There will be more open sourcing plans to come for the operating system, but these may take some time. That’s because lots of elements of Ledger’s operating system, BOLOS, cannot be revealed.
To explain, BOLOS operates on the Secure Element chip, a specialized tamper-proof chip often used in passports and bank cards. This level of security is only achievable using this chip. However, the terms of using it prohibit Ledger from revealing the operating system’s full workings. That means any code released must be refactored to abstract the chip-specific characteristics.
So, while Ledger’s Operating System and firmware are not fully open-source, there are lots of elements within them that are. Plus, there’s a lot more planned in the months and years to come. Open sourcing has always been a key consideration with Ledger, and the open source roadmap is testament to that fact.
Is My Crypto Safe on a Ledger?
Yes—your crypto is safe within the Ledger ecosystem: Ledger devices have never been hacked. This is due to a combination of security measures:
Firstly, Ledger devices sign transactions offline and operate separately from your internet-connected device. This keeps your crypto safe from two key threats: malware and spyware. To clarify, if you have malware or spyware on your internet-connected device, your Ledger device (and its screen) will be unaffected. You can always trust the details of a transaction on your Trusted display.
Next, your device is also protected from physical hacks, so even if your device falls into the wrong hands, they can’t access your accounts. Ledger devices use the Secure Element, a specialized chip often used in passports and bank cards. Although not all of the operating system, BOLOS, is open source, parts of it are. Plus, more elements will become open source in the future. The chip itself is tamper-proof, resistant to countless physical attacks. Plus, the devices and their firmware are thoroughly tested by white-hat hackers in the Donjon. This means that to gain physical access to your wallet, someone must know the PIN code, so of course your PIN code must remain a secret.
To follow, Ledger Live provides a secure gateway to access web3 apps and services. It’s also fully open source, allowing you to verify each app’s code. Plus, all Ledger Live apps benefit from a clear signing plugin that allows you to read every transaction in human-readable form. This lets you explore web3 apps without worrying about malicious smart contracts.
Ledger: The Security Baseline for Web3.0
Ledger ensures your financial security in Web3.0 and blockchain, wishing you a safe landing in the world of Web3. The flagship standard in the realm of security; we do it better than anyone else.
Purchase Ledger
Previously, many users in the Greater China region chose to purchase LEDGER products from overseas due to difficulties in domestic purchasing. However, this approach had long shipping times, required self-clearing customs, and carried the risk of customs delays. Additionally, users were concerned about the authenticity of the products they were buying. Now, as top channel service experts, ShangYi Group aims to address these issues comprehensively. Products will be shipped from Hong Kong with fast logistics and no customs risk. Furthermore, the products are sourced directly from the French headquarters to ensure authenticity and eliminate the risk of counterfeit products.
By purchasing through the official channels in mainland China, customers can also access official after-sales services, providing assistance with any questions or issues that may arise during use.
As the authorized distributor for Ledger in China, we ask that you verify the official website at www.sy-collection.com, or visit the LEDGER website and click on the Greater China region to be redirected to the authorized reseller, the Shangyi official website. For customers in the Greater China region, it is advisable to make purchases through official channels to safeguard your digital assets.