|
Title: Warning about imported private keys ! Post by: ciapheap on July 16, 2013, 08:07:05 PM If you import a private key into an Electrum wallet, and also assign a password for that wallet to be encrypted, because of a bug, that private key probably will not be safe yet.
You could either import a private key through the setting panel, or do that from the console. The problem is that if you have used the console, the history of console which is saved in your 'electrum.dat' file, will reveal entered commands in PLAIN TEXT !!! So anybody with access to your electrum.dat file could get those imported private keys in PLAIN TEXT, although there is an encrypted version of that key saved in the file as well. Note: By 'import from console' I mean something like this: >>importprivkey('5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS') this command would be saved in 'electrum.dat' Title: Solution Post by: ciapheap on July 16, 2013, 08:18:24 PM 1.Close Electrum, then backup electrum.dat
2.open the file in a hex-editor 3.Find 'console-history' in the file. It should look something like this : ... 0ed8', 'console-history': [u"importprivkey('5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS')", u"dumpprivkey('1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T')"], 'num_zer ... 4.Carefully remove all fields involving 'importprivkey', e.g. the above history after correction should look like: ... 0ed8', 'console-history': [u"dumpprivkey('1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T')"], 'num_zer ... - Alternatively you may clear entire history like this: ... 0ed8', 'console-history': [], 'num_zer ... 5.Save electrum.dat. Note: If you want to import any private keys, I suggest that you use import button in settings panel. Title: Re: Warning about imported private keys ! Post by: Stephen Gornick on July 17, 2013, 03:28:35 AM Is this by design, or would this be a security issue that should be fixed (by not logging or obfuscating the importprivkey command)?
Title: Re: Warning about imported private keys ! Post by: ThomasV on July 17, 2013, 09:16:43 AM Is this by design, or would this be a security issue that should be fixed (by not logging or obfuscating the importprivkey command)? This point has been discussed in the past. There's no easy way to 'fix' this... First, note that the same issue arises when you use Electrum (or bitcoind) from the command line; if you are not careful, private keys will end up in your bash_history (or wherever your OS stores shell histories). Thus, the Electrum python console does not create a new risk, with respect to that issue; it only displaces the risk. It would indeed be possible to obfuscate commands like importprivkey in the history. However, the user can do something like this: Code: mykey="foo" Therefore, obfuscating some commands will never be 100% safe, because the very point of this console is to be programmable. The console is useful for debugging and programming Electrum; thus, I am assuming that users who use the python console instead of the gui are geek types, so they are able to understand that issue. But if you have a better solution, please let me know. Title: Re: Warning about imported private keys ! Post by: ThomasV on July 17, 2013, 09:39:09 AM Note:
1. to clean your console history, you just need to do this: Code: gui.console.history = [] 2. use the console if you feel like programming/testing things, but do not put sensitive information in it. Title: Re: Warning about imported private keys ! Post by: tnkflx on July 17, 2013, 02:49:17 PM Note: 1. to clean your console history, you just need to do this: Code: gui.console.history = [] 2. use the console if you feel like programming/testing things, but do not put sensitive information in it. Possible solution: - Display the server MOTD somewhere in a tab titled "MOTD". - Make the console optional with a setting? On the other hand, like you said, the bash_history contains some private stuff as well sometimes... |