Bitcoin Forum

Other => Beginners & Help => Topic started by: Becassine on June 16, 2023, 12:43:26 PM



Title: How can we be sure that our private keys have been generated safely?
Post by: Becassine on June 16, 2023, 12:43:26 PM
Hello,

I understood that Trustwallet is closed source, so it's not great. Atomic wallet has just been hacked. Ledger offers a recovery service that raises questions.

How can we be sure that our private keys have been generated securely?

Thank you


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Charles-Tim on June 16, 2023, 12:46:35 PM
Use open source wallets like Electrum, Bluewallet or Passport hardware wallet for bitcoin, or Unstoppable or Trezor hardware wallet for altcoins. Open source code is available for the public to verify.

Trustwallet, closed source
Atomic wallet, closed source
Ledger Nano, closed source.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Ever-young on June 16, 2023, 12:49:12 PM
How can we be sure that our private keys have been generated securely?

Thank you

I doubt there is a way for one to know how secure a closed source wallet's key generation is, since you don't know what's behind the wallet and no developer would be able to check through the code. So there is no way to know; they might actually have a backup of all users' generated keys and phrases. It's only when we have news of a hack that we will eventually know.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Charles-Tim on June 16, 2023, 12:55:35 PM
I doubt there is a way for one to know how secure a closed source wallet's key generation is, since you don't know what's behind the wallet and no developer would be able to check through the code. So there is no way to know; they might actually have a backup of all users' generated keys and phrases. It's only when we have news of a hack that we will eventually know.
Exactly, but beyond doubt, because you will definitely not know what is included in the code, which can be vulnerabilities like spyware or a pre-generated seed phrase. Like Ledger Nano, Trustwallet and other closed source wallets, nobody knows how the seed phrase is generated. A reason not to use such wallets.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: safar1980 on June 16, 2023, 01:17:36 PM
Hello,

I understood that Trustwallet is closed source, so it's not great. Atomic wallet has just been hacked. Ledger offers a recovery service that raises questions.

How can we be sure that our private keys have been generated securely?

Thank you
It is impossible to make the necessary knowledge and checks in a security company.
Specialists connect wallets to their servers to check the data sent and the entropy of the seed phrase.
An open source application is easier to hack than a closed source application.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Coyster on June 16, 2023, 01:25:34 PM
How can we be sure that our private keys have been generated securely?
Do not trust; verify. That's the only way to be sure of how your private keys have been generated, in closed source wallets you have to trust, because there is no way to verify, thus choose open source wallets that give you the opportunity to verify their codes yourself and be certain that there is nothing malicious in them.

Many Atomic wallet users were hacked for over two weeks now, but because it is closed source nobody can tell what caused it, only Atomic wallet developers can tell what happened, if it were to be open source, the cause would have been known and those who are affected/unaffected would know what went wrong and what to do next.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Ever-young on June 16, 2023, 02:52:55 PM
Hello,

I understood that Trustwallet is closed source, so it's not great. Atomic wallet has just been hacked. Ledger offers a recovery service that raises questions.

How can we be sure that our private keys have been generated securely?

Thank you
An open source application is easier to hack than a closed source application.

It's easier to hack but it's a little less risky for users because they will be aware of what they are about to go into before they eventually go into it. That is to say, using an open source wallet means you already know whether the wallet data is backed up to any online cloud or not.
Won't it be completely useless for hackers to penetrate an open source wallet in which they won't find any data stored? Or will they rewrite the code so that newly generated wallet data is transferred to their database?


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: hosseinimr93 on June 16, 2023, 03:04:21 PM
An open source application is easier to hack than a closed source application.
Are you saying hacking Electrum is easier than hacking Atomic wallet, Trust wallet, Exodus, etc.?
If so, you are completely wrong. Electrum is open-source. The code has been reviewed by many people and no vulnerability has been found.
When it comes to a closed source wallet like Trust wallet, it's possible that there's a vulnerability which makes the attack easier for hackers.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Lida93 on June 16, 2023, 06:50:07 PM
That's why verification is necessary as a way to be sure you're on a secure source about whatever you're doing. And that's why an open source wallet is one such gateway to avoid issues of insecure addresses, because there's a provided avenue for you to verify and be sure of your security.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: paid2 on June 16, 2023, 06:58:20 PM
An open source application is easier to hack than a closed source application.

I totally disagree with you on this. On the contrary, for me the whole point of open source, is that dozens - if not hundreds - of developers have access to the code and can test it. And this on an ongoing basis, not just a series of tests to validate a project which is then no longer studied (as happens in some companies).
It's the same for OSes, and I sincerely believe that it has been proven many times over that open source is much safer than closed source. Compare Debian and Windows, Electrum and Atomic, etc..etc.. When it comes to security, for me, open source is king.

As hosseinimr93 said, Electrum is open source and is probably one of the safest wallets imaginable.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Hyphen(-) on June 16, 2023, 07:29:44 PM
Hello,

I understood that Trustwallet is closed source, so it's not great. Atomic wallet has just been hacked. Ledger offers a recovery service that raises questions.
Thank you
All of the wallets you mentioned are closed-source wallets; they appear weak and can be easily hacked because the developers can be the source of the hack because the public did not verify the codes given to us as private keys; thus, if the developers do anything to compromise them, we will not know, and our wallets may be hacked, just like the Atomic wallet was hacked with no known reason for information about the hackers.

Quote
How can we be sure that our private keys have been generated securely?
The best option is to switch to open-source wallets because you can verify your private keys and be sure they are safely generated.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Kelvinid on June 16, 2023, 07:42:01 PM
I use only the Electrum wallet for many years and I have no idea how the private keys are generated but because I trust this wallet and I use the right site, I'd feel safe and no worries. And if you think and doubted that your private keys are not safe, then never use them but look for another. It was you to keep what makes you comfortable but if you are using the right site, I'm very certain that those keys are safe and just only for you as the owner of the wallet. Hacks happened when you share your keys with another person or someone got into your computer and found your keys there. Better stored it separately for more security.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Becassine on June 16, 2023, 08:58:18 PM
Use open source wallets like Electrum, Bluewallet or Passport hardware wallet for bitcoin, or Unstoppable or Trezor hardware wallet for altcoins. Open source code is available for the public to verify.

Trustwallet, closed source
Atomic wallet, closed source
Ledger Nano, closed source.

Atomic wasn't open-source ?


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: paid2 on June 16, 2023, 08:58:57 PM
I use only the Electrum wallet for many years and I have no idea how the private keys are generated but because I trust this wallet and I use the right site, I'd feel safe and no worries. And if you think and doubted that your private keys are not safe, then never use them but look for another. It was you to keep what makes you comfortable but if you are using the right site, I'm very certain that those keys are safe and just only for you as the owner of the wallet. Hacks happened when you share your keys with another person or someone got into your computer and found your keys there. Better stored it separately for more security.


That's why it's important to always verify with the PGP signatures when downloading wallets. This gives you peace of mind afterwards.


Atomic wasn't open-source ?

Why is Atomic Wallet not open source? (https://support.atomicwallet.io/article/184-why-is-atomic-wallet-not-open-source)


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Becassine on June 16, 2023, 09:20:17 PM

That's why it's important to always verify with the PGP signatures when downloading wallets. This gives you peace of mind afterwards.


You always have great tips that seem insurmountable to me.  :-\


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: paid2 on June 16, 2023, 09:25:26 PM

That's why it's important to always verify with the PGP signatures when downloading wallets. This gives you peace of mind afterwards.


You always have great tips that seem insurmountable to me.  :-\

It's not very difficult and it is always very good for your security to be familiar with PGP!

If you are interested in verifying your Electrum, here is an excellent topic from DireWolfM14 about it:
[GUIDE] How to Safely Download and Verify Electrum (https://bitcointalk.org/index.php?topic=5240594.0) and here (https://www.youtube.com/watch?v=lCG3c8a7HZI) is a YouTube video I found on bitcointalk some time ago, which is cool too if you prefer video tutorials
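
The check that PGP verification of a wallet download comes down to, as an added example that is not part of any post in this thread: a signature only means something if it was made by the key you pinned in advance, so the script reads GnuPG's machine-readable status lines and compares the full fingerprint. The function names, fingerprints and status lines are constructed for illustration; the pinned fingerprint is assumed to come from a source independent of the download itself.

```shell
#!/bin/sh
# Added example: accept a wallet download only if GnuPG reports a valid
# signature made by the exact key that was pinned beforehand.
# All fingerprints and status lines below are constructed sample data.

# check_status EXPECTED_FPR   (GnuPG --status-fd lines on stdin)
# Returns 0 if trusted, 1 if not, 2 if the pin itself is unusable.
check_status() {
    # Normalise the pin: sites often print it lowercase, in groups of four.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse short key IDs: only a full fingerprint (40+ hex digits)
    # identifies a key unambiguously.
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -ge 40 ] || return 2

    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        # Any bad signature, or one from an expired or revoked key, vetoes.
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key fingerprint; the last field,
            # when present, is the primary key fingerprint that gets pinned.
            fpr = (NF >= 12) ? $NF : $3
            if (toupper(fpr) == want) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download FILE SIGNATURE EXPECTED_FPR
# Runs the real check; needs gpg and the signer key already imported.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$3"
}

# --- constructed status output for three situations ---
sample_good() {          # valid signature from the pinned key
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-06-16 1686900000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

sample_other_key() {     # cryptographically valid, but some other key
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-06-16 1686900000 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

sample_bad() {           # file was modified after signing
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>
EOF
}

# Constructed pin, written the way a fingerprint is usually displayed.
PIN='0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'

for s in sample_good sample_other_key sample_bad; do
    if $s | check_status "$PIN"; then
        echo "$s: accept"
    else
        echo "$s: REJECT"
    fi
done
```

The second sample is the case that a plain "Good signature" message hides: the signature verifies, but against a key other than the one that was pinned.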



Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Becassine on June 16, 2023, 09:37:37 PM

That's why it's important to always verify with the PGP signatures when downloading wallets. This gives you peace of mind afterwards.


You always have great tips that seem insurmountable to me.  :-\

It's not very difficult and it is always very good for your security to be familiar with PGP!

If you are interested in verifying your Electrum, here is an excellent topic from DireWolfM14 about it:
[GUIDE] How to Safely Download and Verify Electrum (https://bitcointalk.org/index.php?topic=5240594.0) and here (https://www.youtube.com/watch?v=lCG3c8a7HZI) is a YouTube video I found on bitcointalk some time ago, which is cool too if you prefer video tutorials



Cool, thanks!


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: hatshepsut93 on June 16, 2023, 11:59:08 PM
I use Electrum because it's a wallet with very good reputation that has been around for many years and generally it didn't fail. It has been reviewed many times by the best experts in the field, so it's very unlikely that there are any critical vulnerabilities or backdoors. In my opinion the only wallet better than Electrum is Bitcoin Core, but it requires full blockchain sync, which has been for some reason going very slowly for me, so for convenience I'm using Electrum instead.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Yamane_Keto on June 17, 2023, 01:59:57 AM
How can we be sure that our private keys have been generated securely?
You want to ensure that your coins are safe from whom? For example, all wallets fail to protect you from physical attacks or social attacks, as hackers can collect information about you and use it to access your computer and know the password for decryption. Therefore, keep your investments silent and always use an airgapped wallet that will not connect to the Internet.

Then, the open source wallets, which have been reviewed by thousands of developers, are safer than the closed source wallets, which may not be reviewed by many, so your use of well-reviewed open source wallets reduces the risk of losing your investment.

Using open-source airgapped wallets is better than a hot wallet.
Increasing your technical knowledge, following the news reduces the possibility of losing any coins if any vulnerability is discovered.

Thus, it is an ongoing process of reducing risks to be closer to zero.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: dzungmobile on June 17, 2023, 03:31:11 AM
How can we be sure that our private keys have been generated securely?
You only can know it if that wallet is open-sourced.

If it has open source code, you can check the code and see whether that wallet has backdoors or not. If you cannot check the code, you will have to rely on reviews from others, but the Bitcoin community is big and if an open-sourced wallet has backdoors, many developers in the community will warn us about that.

[LIST] Open Source Hardware Wallets (https://bitcointalk.org/index.php?topic=5288971.0)
[LIST] Open-source Lightning wallets (https://bitcointalk.org/index.php?topic=5252739.0)


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Sarah Azhari on June 17, 2023, 04:29:48 AM
Closed or open source wallet, it just depends on you how to safely. It's vain if using an open source wallet but you don't know how to read the source code on GitHub.

It's happening to me: an open source wallet is just giving me convenience, but I can't read how safe it is, because I can't read the code on GitHub.

So if you want to be safe, and can't read the code, Use the old wallet used since the beginning, for example, bitcoin core (*) which was created by Satoshi Nakamoto where always updated by the developer forum. Electrum wallet is safe also, which is widely used and always has much support from a legendary member here.

*bitcoin core is the official Bitcoin wallet, I always suggest my friend download that wallet 1st on his PC. I know that little complicated, but if understands, I am really sure he will be safe and understand to save his private key and wallet.dat.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: asawale on June 17, 2023, 09:38:28 AM
Hello,

I understood that Trustwallet is closed source, so it's not great. Atomic wallet has just been hacked. Ledger offers a recovery service that raises questions.

How can we be sure that our private keys have been generated securely?

Thank you
As little as I've learnt since I joined this forum, I still believe the best means of securing our assets or wallet is by using a hard wallet and avoiding interacting with decentralized apps we do not completely trust, in order not to get our wallets or recovery phrases compromised.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: sokani on June 17, 2023, 08:50:07 PM
It is impossible to make the necessary knowledge and checks in a security company.
Specialists connect wallets to their servers to check the data sent and the entropy of the seed phrase.
An open source application is easier to hack than a closed source application.
No chief, you are wrong. It's actually the other way round. Closed source wallets are easy to hack because there are fewer people looking through the source code, while with open source, as the name implies, the code is made open for everyone to verify. So there are many eyes looking through it and if there's any bug or security threat, it is quickly reported and the harm can be averted. I've not read or seen any open source wallet hack report and I'm not saying that it can't be compromised either. Users can lose funds in their open source wallet if they are careless with their seed phrase or click phishing links.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Coyster on June 17, 2023, 09:15:58 PM
*bitcoin core is the official Bitcoin wallet, I always suggest my friend download that wallet 1st on his PC. I know that little complicated, but if understands, I am really sure he will be safe and understand to save his private key and wallet.dat.
Bitcoin does not have any official wallet, Bitcoin is a decentralized network, so there is no official wallet, website or whatever. Bitcoin core is just the first Bitcoin software created by Satoshi that one can use to run a full node. Spv wallets are also very safe to use, instead of downloading Bitcoin core when you do not have enough storage space, just use a good spv wallet like electrum. Bitcoin core would definitely give you more privacy than spv clients, but other than that your funds are safe in a good spv wallet.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Crypt0Gore on June 18, 2023, 03:27:31 PM
If you are using the right crypto wallet, non-custodial and fully open source then you can be rest assured that it's generated successfully, the future safety of your private key is in your care, you need to keep the private key safe from leaks and hijacks online, the best way to store your keys are offline and private to yourself only, if you can do this then your assets will be safe.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: AakZaki on June 18, 2023, 03:44:25 PM
I use only the Electrum wallet for many years and I have no idea how the private keys are generated but because I trust this wallet and I use the right site, I'd feel safe and no worries. And if you think and doubted that your private keys are not safe, then never use them but look for another. It was you to keep what makes you comfortable but if you are using the right site, I'm very certain that those keys are safe and just only for you as the owner of the wallet. Hacks happened when you share your keys with another person or someone got into your computer and found your keys there. Better stored it separately for more security.
When the wallet is safe, it is our duty as users to secure the key properly. there are many methods that can be applied to secure wallet keys. Each method has a different level of difficulty and security. I usually use a stainless steel plate ring to record the key and store it in a safe place in my opinion. I also save in digital form but with good protection and rarely connected to the internet. having backup storage is also necessary.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Becassine on June 18, 2023, 06:57:14 PM
Hello,

I understood that Trustwallet is closed source, so it's not great. Atomic wallet has just been hacked. Ledger offers a recovery service that raises questions.

How can we be sure that our private keys have been generated securely?

Thank you
As little as I've learnt since I joined this forum, I still believe the best means of securing our assets or wallet is by using a hard wallet and avoiding interacting with decentralized apps we do not completely trust, in order not to get our wallets or recovery phrases compromised.

Thank you but I didn't ask how to secure the keys.

If you are using the right crypto wallet

Ok which wallets for example ?


When the wallet is safe, it is our duty as users to secure the key properly. there are many methods that can be applied to secure wallet keys. Each method has a different level of difficulty and security. I usually use a stainless steel plate ring to record the key and store it in a safe place in my opinion. I also save in digital form but with good protection and rarely connected to the internet. having backup storage is also necessary.


Thank you for your answers. In order to fully understand the question I asked and get some interesting answers, I'd like to make it clear that it's not a question of knowing how to secure your keys, but how to generate them securely. If you secure badly generated keys, it makes no sense. Thank you  :)



Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Falconer on June 18, 2023, 08:13:44 PM
In order to fully understand the question I asked and get some interesting answers, I'd like to make it clear that it's not a question of knowing how to secure your keys, but how to generate them securely. If you secure badly generated keys, it makes no sense. Thank you  :)
Have you found the answer you want?

I think I understand what you mean now. To create a secure key, you must turn off the internet during the wallet setup process and generate the key. You also need to secure all that data offline including passwords and seeds, or if possible, move your wallet files to an offline location and use them only the next time you access the wallet. But I do it with electrum, not on Trustwallet.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: hosseinimr93 on June 18, 2023, 08:18:41 PM
To create a secure key, you must turn off the internet during the wallet setup process and generate the key.
You don't make your wallet more secure just by disconnecting your device from the internet when creating the wallet.
If your wallet is to be secure, it should be created on an airgapped device. This means that you should create your wallet using a device which has always been offline and will never be online.


move your wallet files to an offline location and use them only the next time you access the wallet.
This is not enough.
Note that the wallet file isn't permanently gone once you remove it. That's why there are tools that can be used to recover deleted files.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: glendall on June 19, 2023, 10:28:34 AM
actually I'm not sure of the existing private key, by looking at previous wallet hackers
but by reading from friends' suggestions I think I will buy one of the open wallets as mentioned, because so far I only believe in Trustwallet and the like


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Becassine on June 19, 2023, 08:51:57 PM
actually I'm not sure of the existing private key, by looking at previous wallet hackers
but by reading from friends' suggestions I think I will buy one of the open wallets as mentioned, because so far I only believe in Trustwallet and the like

Trustwallet is not open-source and it's not recommended, that's what I read on the forum.

Another question : are hardware wallets like bitbox or Trezor considered as air-gapped ?



Title: Re: How can we be sure that our private keys have been generated safely?
Post by: paid2 on June 20, 2023, 05:00:14 PM
Another question : are hardware wallets like bitbox or Trezor considered as air-gapped ?

I think the real question is :  could a device be considered as air-gapped once plugged in a computer which is not air-gapped itself ?

It is doable but you couldn't use your Trezor to send any Bitcoin in this case


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: hosseinimr93 on June 20, 2023, 06:48:25 PM
Another question : are hardware wallets like bitbox or Trezor considered as air-gapped ?
Not all hardware wallets are airgapped. Both bitbox and Trezor are non-airgapped.
You can visit the topic created by dkbit98 to know some airgapped hardware wallets.
AirGapped Hardware Wallets (https://bitcointalk.org/index.php?topic=5361456.0)


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Coyster on June 20, 2023, 08:47:05 PM
but by reading from friends' suggestions I think I will buy one of the open wallets as mentioned, because so far I only believe in Trustwallet and the like
If you don't have the funds to buy an open source hardware wallet, use electrum, it is a software wallet and is free to use, mind you to download it only from the official website, if you download it from anywhere else, you might prolly get a fake version of it and incur losses.
Another question : are hardware wallets like bitbox or Trezor considered as air-gapped ?
There are airgapped hardware wallets like Passport, but you can also build your own airgapped wallet with electrum and it'd be completely safe if you do everything perfectly.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: Yamane_Keto on June 21, 2023, 07:39:21 AM
I think the real question is :  could a device be considered as air-gapped once plugged in a computer which is not air-gapped itself ?
It is doable but you couldn't use your Trezor to send any Bitcoin in this case

The term air-gapped comes from the fact that the connection between your device and the place where the private key is located is air so you can guarantee that there is no physical medium connecting the two parties.

In other words, all communication methods that do not guarantee physical linking are acceptable, and the most prominent example of this is the QR code, which is an example of high privacy, since in this way your currencies can only be accessed by physical attack or brute force, which is impossible if the private key is truly randomly generated.



Do hardware wallets have to be air-gapped to be secure? Hardware wallets are secure, even if they are not air-gapped. Nevertheless, they allow you to easily manage several crypto-currency pairs, which is difficult in air-gapped systems.


Title: Re: How can we be sure that our private keys have been generated safely?
Post by: witcher_sense on June 21, 2023, 09:10:01 AM
I think the real question is :  could a device be considered as air-gapped once plugged in a computer which is not air-gapped itself ?

It is doable but you couldn't use your Trezor to send any Bitcoin in this case
The term "air-gapped" can be applied not only to specific devices but also to networks of devices and systems. If you have a network of devices (a standard LAN, for instance) in which one of the devices has had direct communication with the external Internet, that means your network should no longer be considered air-gapped. On the other hand, if you physically connect your hardware wallet to an isolated computer (which is part of the air-gapped system), your device remains an air-gapped one, despite the direct connection via USB cable or some other physical means. To transfer a signed transaction from an isolated network, you can use such means of indirect (non-Internet) communication as QR codes, microSD cards, or mesh networks.