Bitcoin Forum
November 11, 2024, 11:22:22 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 [43] 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 ... 265 »
  Print  
Author Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet  (Read 966172 times)
drazvan
Full Member
***
Offline Offline

Activity: 191
Merit: 100



View Profile WWW
October 30, 2013, 12:51:44 PM
 #841

What I've described is not a matter of CAs, it's a matter of backwards compatibility. Since merchants are not forced to use the protocol, some of them will not use it (at least at first). So the Trezor must be able to deal with these situations and allow you to sign transactions even if the merchant did not use the payment protocol. But this also means that malware running on your computer could simply replace the Bitcoin address and claim the merchant does not run the protocol, effectively making you pay someone else entirely. Of course, if you know the merchant and you know they do implement the payment protocol, you'll notice if they appear to have suddenly stopped using it for your transaction.
rampalija
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
October 30, 2013, 03:05:15 PM
 #842

What I've described is not a matter of CAs, it's a matter of backwards compatibility. Since merchants are not forced to use the protocol, some of them will not use it (at least at first). So the Trezor must be able to deal with these situations and allow you to sign transactions even if the merchant did not use the payment protocol. But this also means that malware running on your computer could simply replace the Bitcoin address and claim the merchant does not run the protocol, effectively making you pay someone else entirely. Of course, if you know the merchant and you know they do implement the payment protocol, you'll notice if they appear to have suddenly stopped using it for your transaction.


I agree with all you said

Carlton Banks
Legendary
*
Offline Offline

Activity: 3430
Merit: 3080



View Profile
October 30, 2013, 04:45:55 PM
 #843

Not to worry, the a new way of verifying the identities of websites over SSL can be established in conjunction with the proposed Identity Protocol. Payments Protocol could be secured from MITM compromised certificate style attacks with an extension to the current Identity Protocol specification.

Vires in numeris
drazvan
Full Member
***
Offline Offline

Activity: 191
Merit: 100



View Profile WWW
October 30, 2013, 05:11:21 PM
 #844

Unless everyone suddenly implements the protocol (any of the protocols described here), the Trezor must still account for merchants that don't. If the user has paid before at that merchant, he will notice if the connection is no longer authenticated/secure/etc, but if it's their first time there they might simply assume that the merchant does not implement it yet and go right ahead and pay. The Trezor should probably display a message saying "We could not confirm that the address you are paying to belongs to the merchant, proceed at your own risk" and leave it to the user to determine if the address is correct.

Maybe the Trezor should also indicate that the user should contact the merchant offline (phone call?) and ask if they use the Payment Protocol and if they don't, suggest that they implement it in order to securely receive payments.

I really don't see a way to have both backwards compatibility and full security against malware - but I'd love to be proven wrong.
cor
Full Member
***
Offline Offline

Activity: 121
Merit: 100



View Profile WWW
October 31, 2013, 02:50:11 AM
 #845

This might have been answered before (if it has, I couldn't find it): can the Trezor help in the case of malware that simply modifies the destination Bitcoin address (for instance when you browse to an online shop, it silently changes the Bitcoin address that you're supposed to send funds to to one that it generates). The user then visually checks that the address displayed by the Trezor is the one that he sees on the website but he has no idea that the address belongs to the attacker.

I understand how the Trezor protects against malware trying to modify the address you're paying to by displaying it on the Trezor itself before signing, but I don't see how it can protect against the malware simply modifying the address shown on the web page. Also, given that receiving addresses are supposed to be one-shot, they will change on each payment so the user has no chance of whitelisting or visually recognizing the correct one.

A rogue Chrome extension for instance could just do a quick find/replace on the page (Bitcoin addresses are easily identifiable, not many words start with 1 and are 27-34 characters long Smiley ) and change all Bitcoin addresses to the ones of the attacker. If anyone is interested, I could probably write one as a proof of concept.

Any ideas?

TREZOR is payment protocol ready (BIP70) which adresses exactly this issue.

cor
Full Member
***
Offline Offline

Activity: 121
Merit: 100



View Profile WWW
October 31, 2013, 02:59:01 AM
 #846



Celebrate the Day of Bitcoin with TREZOR and get 2 for 1
http://www.bitcointrezor.com/news/celebrate-day-of-bitcoin-trezor

dillpicklechips
Hero Member
*****
Offline Offline

Activity: 994
Merit: 507


View Profile
October 31, 2013, 03:55:15 AM
 #847



Celebrate the Day of Bitcoin with TREZOR and get 2 for 1
http://www.bitcointrezor.com/news/celebrate-day-of-bitcoin-trezor
Sweet! And to your question at the bottom of the page: it's both! Wink
TheButterZone
Legendary
*
Offline Offline

Activity: 3066
Merit: 1032


RIP Mommy


View Profile WWW
October 31, 2013, 05:32:02 AM
 #848



Celebrate the Day of Bitcoin with TREZOR and get 2 for 1
http://www.bitcointrezor.com/news/celebrate-day-of-bitcoin-trezor

Appears to be the metal version. Is that the only one in the 2 for 1 (3 BTC for 2), or is the plastic 2 for 1 BTC too?

Saying that you don't trust someone because of their behavior is completely valid.
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
October 31, 2013, 07:02:53 AM
 #849



Celebrate the Day of Bitcoin with TREZOR and get 2 for 1
http://www.bitcointrezor.com/news/celebrate-day-of-bitcoin-trezor

Can't help but to feel a bit punished for ordering early.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
marci003
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
October 31, 2013, 07:36:25 AM
 #850


Can't help but to feel a bit punished for ordering early.

Same here..
But I'm actually thinking about ordering two more devices, so if this applies to plastic versions, I will probably live with that
marci003
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
October 31, 2013, 07:45:01 AM
 #851

I'm wondering..

Does Trezor provides also protection from malicious client code (modified source code of electrum or any other bitcoin client)? So, technically, as I see it, there is no way for someone to hack into github and modify electrum source code and steal someone's bitcoins as long as you have 'watching-only' wallet and you have to sign every transaction with Trezor (and be able to check a destination address on the screen of the device). Is that correct?

This would add a whole new level of security as you don't even have to trust source code of a client.
lemonte
Hero Member
*****
Offline Offline

Activity: 624
Merit: 502


View Profile
October 31, 2013, 08:56:14 AM
 #852

If the 2 for 1 applies to the plastic version, does anyone fancy going halves with me? Preferably someone in the UK, incase we cant split the order for shipping.

xeroc
Sr. Member
****
Offline Offline

Activity: 345
Merit: 250



View Profile
October 31, 2013, 10:08:59 AM
 #853



Celebrate the Day of Bitcoin with TREZOR and get 2 for 1
http://www.bitcointrezor.com/news/celebrate-day-of-bitcoin-trezor

Can't help but to feel a bit punished for ordering early.

Same here... As I preordered a Steal Case for 3BTC .. a second one would be very nice ...


any chance to get a free plastic one as I pre-ordered (and paid) the steal one?!?
drazvan
Full Member
***
Offline Offline

Activity: 191
Merit: 100



View Profile WWW
October 31, 2013, 10:12:44 AM
 #854

TREZOR is payment protocol ready (BIP70) which adresses exactly this issue.

I understand that, and that is fine as long as the user expects the merchant to use the protocol. As far as I understand, the Payment Protocol starts by having a Pay Now button/link with the URL bitcoin:merchantaddress?request=url_of_request . The wallet opens that, sees the "request" parameter and goes there to fetch the payment request.

Malware running on the computer could simply rewrite all bitcoin:merchantaddress?request=url_of_request URLs to bitcoin:hackeraddress in the browser (that is rewrite the destination and disable the Payment Request protocol). The user will then pay the attacker instead of the merchant.

Of course, when everyone starts using the protocol, the user will be wary of sites that do not implement it (just like a shop that doesn't use HTTPS nowadays will not get much business).
timewaster
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
October 31, 2013, 11:05:25 AM
 #855


Can't help but to feel a bit punished for ordering early.

I don't know how the exchange rate was when you ordered, but bitcoin is worth more about twice as many dollars now compared to when I ordered. If the price was set in USD, this price would be standard - not just a special offer.
stick
Sr. Member
****
Offline Offline

Activity: 441
Merit: 268



View Profile
October 31, 2013, 12:36:57 PM
 #856

Appears to be the metal version. Is that the only one in the 2 for 1 (3 BTC for 2), or is the plastic 2 for 1 BTC too?

It's both plastic and metallic version.

hephaist0s
Hero Member
*****
Offline Offline

Activity: 711
Merit: 532



View Profile
October 31, 2013, 01:52:25 PM
 #857



Celebrate the Day of Bitcoin with TREZOR and get 2 for 1
http://www.bitcointrezor.com/news/celebrate-day-of-bitcoin-trezor

Can't help but to feel a bit punished for ordering early.

Yeah. I ordered early to show support... but now I just feel like I'm missing out.

Tips graciously accepted on my behalf by Mr. Pig. | object2212.com | BTC:1H78y8FVeQrWY6KnxA6WLFQGUoajCuiMAu | ETH:0x3c1bC39EC7F3f6b26ACb6eeeEFe7dE2f486a72E9
chrisrico
Hero Member
*****
Offline Offline

Activity: 496
Merit: 500


View Profile
October 31, 2013, 03:03:14 PM
Last edit: October 31, 2013, 04:18:56 PM by chrisrico
 #858

Stick and Slush, why did you take a page from the BFL playbook?

At the very last minute, with no warning, you say there will be a three month delay. Then, you offer new customers a better deal than your original supporters?

I guess our community needs a PR agency that accepts bitcoin, so you can be told "No, don't do that! It's stupid and you'll alienate your customers."
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
October 31, 2013, 03:06:06 PM
 #859

Stick and Slush, why did you take a page from the BFL playbook?

At the very last minute, with no warning, you say there will be a three month delay. Then, you offer new customers a better deal than you're original supporters?

Actually, compared to having bought your first on Jun 16th like me (when Bitcoin was around $110) it's not a better deal.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
chrisrico
Hero Member
*****
Offline Offline

Activity: 496
Merit: 500


View Profile
October 31, 2013, 04:19:15 PM
 #860

Actually, compared to having bought your first on Jun 16th like me (when Bitcoin was around $110) it's not a better deal.

If you're pricing in dollars, which they are not. I paid 1 bitcoin for a Trezor, when if I had ordered today, I could have paid 1 bitcoin for 2 Trezors. I assumed being an early supporter would offer greater benefit than being a late supporter. I was wrong. I thought Stick and Slush would be different than BFL. I was wrong. I'm done pre-ordering anything related to bitcoin.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 [43] 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 ... 265 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!