For testing on a real example, please visit and register on http://forum.novacisko.cz. There is a fresh phpBB forum installed for testing. After registration, you will be able to link your phone with a phpBB account. Note that phpBB cannot link more than one device with an account. This is not a QRlogin issue.
Site https://qrlogin.novacisko.cz has been updated (if you see the old version, try Shift+Reload or Ctrl+R). Visible changes are on the auth page. You can now print a key as a QR code. Go to manage keys and choose backup key. After the backup is ready, a pop-up will appear where you can choose to print or save the key.
I have a question: what if someone loses his phone? Is there any other way to restore QR Login for reuse?

Recently a "backup" feature has been introduced (in v1.1).
https://youtu.be/x3AOj-iXQzY (backup)
https://youtu.be/UdKR2dzhbRw (restore)
You can turn on subtitles for a translation of the labels. The current version already has the labels translated. In the development branch, there is already a prepared feature "print key" that will allow you to print your key as a QR code (like a paper wallet) using the printer connected to your personal computer (no cable needed, just internet, a browser and a QR scanner). The key is always transferred in encrypted form using 8000 cycles of HMAC-SHA256 of your password and AES. You don't need to remember the password; it can be written on the paper with the printed QR code (by hand) and the paper hidden in a safe place. Encryption is added to protect the key during the transfer. The print key feature is targeted at the next release (v1.2), which will be released very soon.
This is not criticism; I would rather ask some questions to get clarity on the whole concept.
1. What stops other people from using your QR code? { Or is this randomly created every time you login? }
2. Do you retrieve a single QR code from a central online server to enable you to login? {External site?}
3. Is this for logging into web sites on the internet, or an alternative authentication for your notebook etc.?
4. How is this protected? {Malware / Trojan horse} The QR code sent could be intercepted by a hacker. {spoofed}
It's a viable option for lazy people, if it can be secured, but I would not trust an external 3rd party to have access to all my QR codes for every site I access.
Or is this an app running on each site that generates a QR code as an alternative to the conventional username and password?
1. QR codes are random for every login. The QR code contains a "challenge". There is a private key stored in your device (a smartphone). The private key is generated (randomly) the first time you use QR Login for a particular site. Every site has a different key.
2. The QR code (challenge) is generated by JavaScript using a secure random number generator.
3. It is for login into web sites, a similar service as OpenID, Facebook login, Google login, etc.
4. There is a private key and the corresponding public key. The private key is stored in your device and should never leave it (unless you explicitly want it to). The application (downloaded from the qrlogin site as HTML+JS) uses the private key to sign the challenge. Then the signature is transferred to the "auth" site and then through the redirect to the service provider. The service provider can calculate the public key from the signature, or it can use the standard OAuth 2.0 token exchange to retrieve the public key (the public key is then transformed to a bitcoin address, which can be used as a unique user ID). The service provider can use both ways to receive the public key to ensure that the signer possesses the correct private key.
You can object that the qrlogin site is in my possession, so I can modify it to track and store all private keys for evil purposes. But you still have the option to run your own site, because the source code of qrlogin is open source under the MIT licence, hosted on GitHub. See the link above (in the OP).
QRlogin: The brand new way to identify the user. The user simply has to scan a QR code with his smartphone and after a few seconds he is identified. This system can replace traditional username+password identification. It is also more secure than a password. Very fast for tablets or devices without a physical keyboard (tablet+phone). https://qrlogin.novacisko.cz

Main features
* Secure way to identify the user
* Built on Bitcoin cryptographic libraries. The identity is actually a bitcoin address
* The private key is stored in the handheld device and never leaves the device unless the user requests it
* Each site has a separate identity and private key
* Easy to use: the user just scans the QR code using an ordinary QR scanner
* No special application needed: just a QR scanner and a standard browser
* It should work on all platforms (Android+iOS+Win)
* It uses the OAuth 2.0 protocol. It should be easy to integrate QRlogin into any internet site that already integrates Google/Facebook login
* The project is completely open source, hosted on GitHub: https://github.com/ondra-novak/qrlogin
* Because no extra application is needed, every site can have its own server built from the sources. Users still use their QR scanner regardless of where (on which URL) the authorization service is located. Keys of each service are isolated from the others inside the handheld device (it is a generic feature of the browser's localStorage)
* The user can backup and restore his keys. Keys can also be transferred from one device to another without participation of the server (by scanning a QR code)

Please leave any criticism or ideas below.
This is a question I have been trying to find an answer to for a long time. Often I hear that there are security issues, but nobody knows where.
Downloading from top to bottom can make processing simpler.
C: Give me the latest block
S: Here it is ...
C: OK, thank you. Now I can see that there is a previous block unknown to me. Give me block XXX
S: Here it is ...
C: Great, another previous block unknown to me. Give me block XXY
S: Here it is ...
... and so on.
I only heard that the opposite client (server) can give you a completely different blockchain and you are unable to check it until you download the whole blockchain to match the first genesis block. On the other side, you don't need to download all orphaned blocks.
First of all, sorry for typos in my English; I am not a native speaker.

Request for discussion:

Abstract: Extend the Bitcoin URI scheme with the specification of an escrow address to support payment directly between escrows or between accounts maintained by the same escrow provider.

Motivation: The Bitcoin URI is also used to accept payments using QR codes. The URI is standardized in BIP0021. Unfortunately, the receiver cannot use this URI when his wallet software is directly connected with an escrow that holds his bitcoins. In the situation when the opposite party uses the same escrow service, he cannot benefit from fast money transfer inside the escrow. Bitcoins still must be transferred through the blockchain, waiting for the required number of confirmations. Adding extra information can help the paying party to identify that the opposite party uses the same escrow service, and transfer money faster.

Specification: The Bitcoin URI introduces a new field "account" (I suggest abbreviating it as a single "acc"). This field has the following format:
&acc=<escrow-ID>/<account-ID>
Whole example:
bitcoin:1ARTP2yGiJenJZECbUnN34LGfsbro3zWSw?amount=0.1&acc=example.com/123456789
Wallet software of the paying party can read this request in the following ways:
1. Wallet software that is not familiar with this BIP ignores the extra field and sends money to the specified address.
2. Wallet software which is able to recognize the new field and is able to handle direct transfer to the specified escrow carries the payment directly to the escrow with all the benefits emerging from it (for example, cheaper or no fees, faster transfer).
3. Wallet software which is able to recognize the new field but is not able to send money directly to the escrow ignores this field and sends money to the address as usual.
This BIP doesn't specify how the money transfer will be achieved. It only specifies how the paying party receives the information that the opposite party uses the same escrow service. The paying protocol must be defined by the maintainer of the escrow service. This BIP also recommends that "escrow-ID" SHOULD match the domain name of the escrow service (for example: "abitcointrezor.com"). Account-ID can contain anything; however, it SHOULD use only characters that are allowed in the URI scheme (without necessary escaping).

Rationale: Payments made between accounts of a single escrow service are not stored in the blockchain. This can help to reduce the speed of blockchain growth and reduce transaction fees. It can also help users, because they don't need to look into the details of the transaction; they don't need to check whether other parties are using the same escrow service, and they still can benefit from faster and cheaper transfer if available.

Backward compatibility: According to BIP0021, this field will be ignored by old wallet software, so there is no backward compatibility issue.

Again, sorry for typos in my English; I am not a native speaker.
There is no reason to delete addresses; this could be very dangerous. If you gave that address to someone and later on they paid or accidentally sent coins, they would be lost forever. Not good.
One of my addresses leaked (the private key is no longer private). How do I remove this address from the list?
The application is still able to wait until you mistakenly switch to online. It can store all values in local storage and send them later.

At which point you're using the application online again. If you're trying to say "well, we don't know if the application is secretly still running in the background", welllllll.. sure. But then there's a whole world of increasingly unlikely but certainly possible scenarios to explore. In each of them, you're using it online, knowingly or otherwise.

When you are paying? Bitcoin has one big issue, which may make it unusable in the future: you cannot have an easy-to-use true offline wallet. Because if you want to pay (spend funds), you need to go online, download all unspent outputs, then create the transaction and sign it offline, and then switch back to online and broadcast it. Every time you go online, there is a chance that an unwanted piece of software running in your offline wallet will get a chance to leak your private key. Alternatively, you can use an online computer and an offline wallet and carry the request through a no-internet medium, such as a QR code, but it still needs a device with a camera and display and it is not easy to use. The Bitcoin protocol needs an improvement which would allow creating a partial transaction, signed by the private key, that allows a 3rd party to spend your coins up to a specified amount. The 3rd party can be a merchant. The 3rd party can take any of your unspent outputs and create a transaction to any address that he chooses, but only up to the specified (and signed) amount (the transaction should send the rest of the coins back to the source address). The resulting transaction is finally signed by another private key, so you will need two private keys to create such a transaction, but the second private key is used only to protect the transaction against unwanted change. The second private key can be supplied by the 3rd party. This can help not only to create a true offline wallet, but also to simplify money transfer between customer and merchant. The customer only needs a HW wallet with a display able to show a QR code and a keyboard to type the amount and PIN.
The merchant will need an online application to sign the transaction and broadcast it.
The only protection is to pull out the ethernet cable.

... isn't that what 'offline' means? Or are you familiar with some manner of HTTP GET request that bypasses the browser's offline setting / disabling the network interface on the OS, etc.?

The application is still able to wait until you mistakenly switch to online. It can store all values in local storage and send them later.
You are right, but.... You should not generate a vanity address even by yourself; how do you know that the vanity generator software doesn't have a back door?

Because even if it did, how would anybody access it if the computer it's on is offline? That's the same reason e.g. bitaddress.org suggests that you save the page and use it offline to remove all doubt.

This doesn't help. The attack was made through a GET request to a picture outside of the site (a big security issue of web browsers). The attack will work even if you open that page from disk. The only protection is to pull out the ethernet cable.
Really, guys? You trust a stranger with your private keys.. All you would have to do is search the forums to see you could easily do it yourself. This is worse than trusting a stranger with your wallet and bank account. This had red flags written all over it. No sympathy here.

And what about your wallet software? Are you sure that there is no back door which logs your private key to a hidden server every time your wallet software generates one? Having the source code of that software is no win. The hack was written in JavaScript; everybody was able to see that hack directly on the web page. And nobody did during three long months.
Seriously? Are you laughing in my face? THERE IS NO HACKER. YOU, THE OWNER, STOLE ALL THE BITCOINS! SCAM, FCKNG SCAM!
How do you know when the site was hacked? Which way did the hacker use to modify the code on the web? I bet the hacker is the guy who last updated the content on the web, or the admin of the web hosting site. I want to know which steps you will take to find who hacked the site! You cannot simply say "sorry, it was a hacker". Regardless of what happened, you are responsible; you should return all the money first.
This is a whole scam. I don't trust them. Sorry. They should close their business and return all the stolen coins.