In an August 6 announcement, the team behind MetaMask unveiled its newest version: 4.9.0. The two main updates are support for Trezor hardware wallets and integration with Ethereum Name Service (ENS) domains. The blockchain Dapp bridge will also stop automatic Ethereum provider and Web3 injection into webpages starting November 2.
The MetaMask team, however, recognizes how impractical it would be for users to move their funds in and out of a hardware wallet each time they wanted to use a Dapp or a cryptocurrency exchange. Considering this, the crew spent the past few months working on Trezor support so that the team could "get [it] right from scratch," including a code refactor, or a simplification of the existing code, to "easily integrate different key signing strategies."
With the Trezor integration, users can check their account balances, sign transactions (like sending Ether or tokens), and sign messages (to log into certain Dapps) – or basically all the functions previously available through MetaMask. The key difference, though, is that users' private keys remain in their hardware wallets, so individuals can feel more confident and secure in participating in the Ethereum ecosystem.
In addition to Trezor, the MetaMask crew plans to add support for another hardware wallet, Ledger, and is currently exploring different approaches to integration.
The second main feature of MetaMask version 4.9.0 is ENS compatibility. The team partnered with Infura, a scalable blockchain infrastructure, to resolve .eth domains. According to MetaMask, accessing sites via ENS enables them "to be updated by smart contracts instead of the traditional DNS [Domain Name System], potentially reducing the risk of DNS related hacking and phishing." The team also notes that many users, such as those who use Chrome, will see permission requests, which are legitimate and part of the ENS integration.
Although ENS support currently relies upon Infura for distribution and security, MetaMask is "working towards including more and more of the security client-side over time." Kevin Serrano of MetaMask told ETHNews that ENS's integration of .luxe addresses this October should not affect .eth compatibility, although the team "may adopt .luxe resolution" if it finds "a significant adoption uptick in the future."
Additionally, MetaMask will join other Dapp browsers – such as Status, Mist, and imToken – in stopping automatic Ethereum provider or Web3 injection into webpages. As it stands, Dapps are automatically connected, allowing them "to access the blockchain, propose transactions, and read their users' account addresses."
According to the MetaMask crew, however, this method poses a privacy issue in that malicious websites can "fingerprint," or track, Ethereum users to run targeted phishing scams and intrusive advertising campaigns. Furthermore, bad actors have unrestricted access to the information available via the Ethereum blockchain, including users' balances and transaction histories.
With the Ethereum provider or Web3 instance no longer injected during page load time, Dapps will be required to request users' permission before they are connected. The requests will take the form of login buttons (pop-ups from the MetaMask extension), and the Ethereum browser will cache approved sites so that users do not have to log in each time. According to the MetaMask team, the approval process will be like that of granting camera or microphone access on a smartphone.
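The difference between automatic injection and the approval model described above can be shown with a small model. This is an added example, not MetaMask's code or API: the class names `LegacyProvider` and `GatedProvider`, the origins and the account address are all hypothetical, constructed for illustration.

```javascript
// Constructed model of the two behaviours the article describes.
// Class names, origins and the account address are hypothetical; this is
// not MetaMask's implementation or API.
const ACCOUNTS = ['0x0000000000000000000000000000000000000001']; // constructed

// Old behaviour: every page that loads can read the user's addresses.
class LegacyProvider {
  getAccounts(_url) {
    return [...ACCOUNTS];
  }
}

// New behaviour: nothing is exposed until the user approves the origin.
class GatedProvider {
  constructor(promptUser) {
    this.promptUser = promptUser; // callback standing in for the pop-up
    this.approved = new Set();    // cache of approved origins
    this.prompts = 0;             // how many pop-ups the user has seen
  }

  // Normalise to scheme + host + port so two pages of one site share an
  // approval, while a look-alike host gets its own decision.
  static key(url) {
    return new URL(url).origin;
  }

  requestAccess(url) {
    const origin = GatedProvider.key(url);
    if (this.approved.has(origin)) return true; // cached: no second prompt
    this.prompts += 1;
    if (this.promptUser(origin)) {
      this.approved.add(origin);
      return true;
    }
    return false; // a denial is not cached, so the site must ask again
  }

  getAccounts(url) {
    return this.approved.has(GatedProvider.key(url)) ? [...ACCOUNTS] : [];
  }

  revoke(url) {
    this.approved.delete(GatedProvider.key(url));
  }
}
```

Keying the cache on the full origin rather than on a substring of the URL is what keeps an approval for one site from carrying over to a host that merely contains its name.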
This change in the MetaMask design will also take effect November 2 to allow Dapp teams enough time to update their software. The crew believes this modification, although a difficult decision to make, was "better than leaving [its] users prone to privacy violations."
Besides these major updates, MetaMask has also improved its user interface (UI), including a simpler, clearer confirmation screen. Users can see these alterations on the browser extension's Beta UI.
Update (8/9/2018): This article has been updated with information about .luxe integration.