Is signing transactions in MetaMask dangerous?

Signing messages is a way of letting the receiver know the wallet is yours: you prove ownership. Most signing prompts use personal_sign, which is totally harmless. Why? I'll explain below.

The personal_sign code is publicly available. This method, called 'sign and verify', forces the content you are about to sign to be fully readable (UTF-8 encoded) by anyone, which is why it is popular for login services, like the one running on this board. The personal_sign method does not allow transactions to be impersonated.

So whenever you sign a transaction, look at the message content. Can you understand all of it? Is it plain English? Then it's probably harmless.

For example, when you sign up or log in with your wallet on our site, you will see a message in MetaMask like this:

talk.markets wants you to sign in with your Ethereum account:
0xYourAddress

Sign-in with Ethereum

URI: https://talk.markets
Version: 1
Chain ID: 1
Nonce: XXX
Issued At: 2022-07-07T05:38:30Z

You and I both understand all the content in the message; there are no hidden functions or wallet drainers. Therefore it's safe to sign. Before you can sign, you need to connect with the website. Is connecting safe? Why don't you find out?
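As an added example (not code from this post, from MetaMask or from talk.markets), here is a small Python checker for the message format shown above: it parses the Sign-In with Ethereum (EIP-4361) fields, builds the exact bytes personal_sign puts under the signature (the EIP-191 prefix followed by the readable text), and flags the things worth checking before clicking Sign: the domain is the site you are on, the nonce is present, and the timestamp is fresh. The sample address, the nonce and the five-minute freshness window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the format shown above; the address and nonce are placeholders.
SAMPLE = (
    "talk.markets wants you to sign in with your Ethereum account:\n"
    "0x" + "ab" * 20 + "\n\n"
    "Sign-in with Ethereum\n\n"
    "URI: https://talk.markets\n"
    "Version: 1\nChain ID: 1\n"
    "Nonce: 8a7f3k2p\nIssued At: 2022-07-07T05:38:30Z"
)
# EIP-4361 layout: header line, address, optional statement, then "Key: value" lines.
HEADER = re.compile(
    r"^(?P<domain>\S+) wants you to sign in with your Ethereum account:\n"
    r"(?P<address>0x[0-9a-fA-F]{40})\n\n(?:(?P<statement>[^\n]+)\n\n)?(?P<fields>.*)$",
    re.S,
)

def parse_siwe(message):
    """Split a SIWE message into a dict of its fields; raise if the shape is wrong."""
    m = HEADER.match(message)
    if not m:
        raise ValueError("not a Sign-In with Ethereum message")
    out = {"domain": m["domain"], "address": m["address"], "statement": m["statement"]}
    for line in filter(None, m["fields"].splitlines()):
        key, _, value = line.partition(": ")
        out[key] = value
    return out

def eip191_payload(message):
    """The bytes personal_sign signs: EIP-191 prefix, byte length, then the readable text."""
    body = message.encode("utf-8")
    return b"\x19Ethereum Signed Message:\n" + str(len(body)).encode() + body

def review(message, expected_domain, now, max_age=timedelta(minutes=5)):
    # Returns reasons not to sign; an empty list means every check passed. `now` is ISO-8601 UTC.
    problems = []
    if any(ord(c) < 32 and c != "\n" for c in message):
        problems.append("message contains non-printable characters")
    try:
        f = parse_siwe(message)
    except ValueError as err:
        return problems + [str(err)]
    if f["domain"] != expected_domain:
        problems.append(f"domain {f['domain']} is not the site you are on ({expected_domain})")
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", f.get("Nonce", "")):
        problems.append("nonce missing or shorter than the 8 alphanumerics EIP-4361 requires")
    issued = datetime.fromisoformat(f.get("Issued At", "1970-01-01T00:00:00Z").replace("Z", "+00:00"))
    if not (-max_age <= datetime.fromisoformat(now.replace("Z", "+00:00")) - issued <= max_age):
        problems.append("Issued At is missing, stale, or in the future")
    return problems
```

Run `review(SAMPLE, "talk.markets", "2022-07-07T05:39:00Z")` to see an empty list, then change the domain or the timestamp to see the check fail.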

Source

https://docs.metamask.io/guide/signing-data.html#a-brief-history

In-depth

Some more in-depth information on this topic.

https://twitter.com/korpi87/status/1560416631678910464

https://twitter.com/CT_IOE/status/1534658825843683328