Abuelau, ChuckOne, you should really read this: https://blockchain.info/wallet/technical-faq and pay attention to TwinWinNerD. If you can't sign transactions offline (that is, without transmitting private keys to anyone), you can't build a secure web wallet. Period. The way to do this in the browser is via JS a-la blockchain.info.

It has nothing to do with TRUSTLESS as it is promoted. As I already pointed out: in the end, you have to trust somebody.

I know what you mean, but it is not really trustless. Blockchain.info is as trustless as possible.

> Server Side
>
> The site currently runs on 4 dedicated servers, hosted in a locked cabinet. All servers run behind a dedicated Cisco security appliance with intrusion detection. On the servers themselves various "booby traps" are set to alert the webmaster if an intrusion is detected. The Java code deployed to the Site is deployed in a single war (zip) file. Each server monitors the checksum of this file to detect any unauthorised changes to the code. In order to make reverse engineering our encryption schemes more difficult, the Java class files are obfuscated using ProGuard. A copy of every wallet is stored on all our servers. Additionally the latest 50 versions of a wallet are stored on Amazon S3 and can be restored from the [Import / Export] section. The server side code that handles wallets is open source. The site is not vulnerable to CSRF requests as no login details or sensitive data is ever saved in session cookies. In the time the Site has been running there has been a handful of XSS vulnerabilities reported. None of these were on a wallet page, and they could not have resulted in any direct loss of funds.
Yes, but the signing happens on your server, that is the problem. With a blockchain.info type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.
Why is it such a big difference? If an attacker has a keylogger you may lose your coins the same way in mynxt.info and blockchain.info. What is important is that the wallet is encrypted and in order to decrypt it you need the user's password. Whether the decrypting happens on the server or in the browser, I don't think this is such a big deal. In fact, I can imagine people developing malware that you get in your browser (since your browser holds an unencrypted version of your wallet).

The really big difference is that the person who hosts the wallet can spend your coins if you send your password. Because if you sign server-side, your wallet has to be decrypted at least once for a short period of time. You as the owner of the server can interfere if you choose to, or if your server is compromised and bad code is implemented, coins can be stolen. That is the reason the guy who created blockchain.info said that all wallets that don't offer browser-side signing WILL be hacked/scammed.

Well, of course the guy would say that. Everyone will say their product is better. The fact is: you need to decrypt the wallet at some point in order to spend coins. The decryption can happen in the browser or on the server, and to decrypt it you will need to type your password. Don't forget when you sign up in blockchain.info you ALSO type your password on their website. There's no guarantee that they didn't save a copy of your password somewhere. What I am saying is that I don't see the "save in the browser" as being any safer; to me this is more marketing than actual security. If there are any security experts here please prove me wrong (and I will be happy to be proven wrong).

You get this wrong, I think. You don't operate on "their website". You can actually download the java code and run it WITHOUT an internet connection, then you reconnect and broadcast the transaction. There is a BIG difference. They are NOT able to steal your password.
He isn't some random actually, but one of the most respected members of the whole bitcoin community.

I understand what you are saying. But I think you don't understand what I am saying. Tell me one scenario where an attacker would be able to steal your NXT from wallet.mynxt.info but not your Bitcoins from Blockchain.info using the same technique. Btw, I am not questioning any individual. Blockchain.info is a company and as such you would expect it to do what companies do (earn money, spend money, do marketing, sales, plans, etc).

If one computer is hacked then ONE person loses money. If your server is compromised, he gets access to every wallet that logs in.... If you decide to collect the passwords and go rogue.... The argument is extremely simple... Read this: http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info
Question:
How much do you think a java-based blockchain.info-like wallet for NXT would cost to program? Do you think it would be worth starting a bounty for that?
Which part? Do you mean the iPhone mobile app? Or the website?

The part where blockchain.info works within your browser and no information leaves your browser, only the encrypted backup on your server. As I understand, we can now sign transactions without the client? We basically need an online wallet WITHOUT trust.

How is that possible?

Your browser downloads the java file (code?!?) and your wallet gets decrypted only within this java environment in your browser. With bitcoin you can prepare a transaction locally, you don't need a connection to the blockchain for that. After you have finished signing the transaction, you can broadcast it. No sensitive information ever leaves your browser!

The thing is that NRS does not yet have an API to accept signed transactions. CFB is working on that, as I understand it. Once that is done, the browser can sign the transaction and broadcast it to any public node.

Oh, I thought that was ready already. Well then, this is on hold anyway.
QUICK UPDATE

Atomic-Trade will be adding Nxt. I'm paying for integration with my own funds since AT agreed to add USD/Nxt trade abilities. This will allow any users to buy Nxt with USD directly. Currently AT only offers USD/BTC trading, so we will have an advantage over other alts on the exchange. Also, when I get home this evening, expect Nxt to lead the voting in Mintpal ![Wink](https://bitcointalk.org/Smileys/default/wink.gif)

Wow good news. When will Atomic Trade add it you think?

Not sure, he is working on it asap and I've contacted a few members here to help him integrate as he had some api questions. Also, if anyone else wants to offer him help with integration, here is the contact email (subject "Nxt Integration"): info@atomic-trade.com

Will you disclose how much you paid for that?

Sure, 2.5btc.

Thank you, I actually thought that they might charge an order of magnitude more.
I don't understand... does anyone know how it works? Is it secure? Will another mybitcoin.com situation occur again?

Yes, it is, and no, we are protected from such situations as all of your private keys are encrypted with your password before leaving your computer. We do not hold a copy of your password, and thus are unable to view or spend your Bitcoins. You retain full control of your private keys, so your wallets can never be seized or blocked and can be imported into any desktop Bitcoin client.

--------------------

Basically how I understand it: this website is only a gateway that broadcasts transactions that you sign on your computer. No password/private key leaves your computer/browser.

This is how wallet.mynxt.info works. The user password is used to decrypt the wallet. Without the user password we cannot decrypt the wallet. And everything in wallet.mynxt.info is just a gateway to the actual Nxt network. We make API calls to NRS to send and receive Nxt.

Yes, but the signing happens on your server, that is the problem. With a blockchain.info type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.
Just a quick update for those not following the other thread: the Nxtopia bounty has broken the 20,000 NXT mark after receiving our latest donation from msin.

-- Nxtopia -- MMORPG built on top of the NXT network

Current bounty: 20,500 NXT

5000 - jl777
1000 - swartzfeger (Transaction id: 12550164158045962834)
3000 - chanc3r (Transaction id: 5658009271669858297)
1000 - MyZhre (Transaction id: 8826881503135433086)
3000 - Damelon (Transaction id: 17094914052077797717)
1000 - DrearyUrbanite (Transaction id: 5539495976647418930)
1000 - brooklynbtc (Transaction id: )
0500 - rdanneskjoldr (Transaction id: 91193539943795488)
5000 - msin (Transaction id: )

This is an opportunity to support an online game that leverages many of Nxt's advanced features, one of the highlights being a user-driven crafting economy. Donations can be sent to 13776816462073143763; please include the tx id so I can include it when updating this post, making it easier for James to keep track of incoming transactions.

We're also considering implementing a kickstarter-style tier system for bounty donators. These would be cosmetic rewards that wouldn't be available after game launch. Something like:

10 NXT - badge
100 NXT - cap
1000 NXT - cape
10000 NXT - beta access (?)

Depending on how we handle character death/respawning, these items may also confer a quicker resurrection.

How about an in-game auction house like WoW, but the in-game (at least in the auction house) currency is milli NXT or something?

I think you will get banned for that in many MMOs ![Cheesy](https://bitcointalk.org/Smileys/default/cheesy.gif) ... real cash to items is bannable in most games, especially in Blizzard games.

Yes, but now WE CAN do that. No one here to swing the banhammer ![Wink](https://bitcointalk.org/Smileys/default/wink.gif)

Better anyway is using eBay and buying whole accounts. There you have reputation for traders, so some kind of safety is there; anyway, the world of MMORPGs is full of scammers.

![Cheesy](https://bitcointalk.org/Smileys/default/cheesy.gif) We can build a trustless decentralized exchange!
> QUICK UPDATE
>
> Atomic-Trade will be adding Nxt. I'm paying for integration with my own funds since AT agreed to add USD/Nxt trade abilities. This will allow any users to buy Nxt with USD directly. Currently AT only offers USD/BTC trading, so we will have an advantage over other alts on the exchange. Also, when I get home this evening, expect Nxt to lead the voting in Mintpal ![Wink](https://bitcointalk.org/Smileys/default/wink.gif)

I just sent 0.2btc to the nxt mintpal vote address and the vote count hasn't budged. It should have gone up 4000 votes...

This is laggy, wait for some time; if nothing changes, just contact the support. We should even be at 20.0000!
Hey guys, I need some help! The reddit-tip-bot went open source now and I need someone to check the code before I release the bounty to the dev. Can someone please do this? Please please ![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)

The source code resides in https://github.com/nxtip/nxtip and is GPLv2 licensed! The bot is based on ALTCoinTip, with some extra files that emulate the bitcoind daemon behavior as far as ALTCoinTip is concerned, plus handle the deposits. See the src/ctb/nxtip* files.

Please contact me, there is a bounty for the code checking! Again PUSH
I'm going to get my cute ass into bed here in Europeland, but before I go, reposted from the promotion thread: https://bitcointalk.org/index.php?topic=412243.new#new

Here's my productivity for the day: some sweet shiny stickers: ![](https://ip.bitcointalk.org/?u=http%3A%2F%2Fi60.tinypic.com%2F35d8gnt.jpg&t=663&c=bbjfBS8Yx-cNog)

Aren't they pretty? I now have no idea what to do with them... I'd like to distribute them to the NXT posse, but not sure how. Anyone want some, let me know... I've only got 100 so far, so it'll probably only be 5 or 10 stickers per person. They are 140mm x 40mm, btw.

Kodtycoon... don't sweat the price right now. It's good to see a stable sell-off like this. NXT is slowly rolling up and being sold off at the same time, which is a hard trick to do. I expect we will see a massive price surge when the whales stop/slow the sell-off, but when that will be....

How much are they per piece? I'd love some of them ![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)