not meaning to hate, but swapping an easy-to-read jscript page for a piece of software is safer exactly... how?
You are completely missing the point.
The security model of open source software does not mean that each end user has to inspect the code they use. Most users do not have the skills to do that.
Electrum is an open source project with an active community of developers.
This means that there is an open community of people who read the code, and inspect changes made to it.
If one of the developers decided to introduce malicious code, others would detect it.
This is how open source projects work.
In contrast, Javascript code dynamically attached to a webpage does not give you that security.
A malicious server operator can modify javascript code instantly, before it goes through a reviewing process.
It can even send different code to different clients, in order to remain undetected.
you can view and d/l the bitaddress code via github and run the local copy in the private mode of your browser. clearing cookies etc etc should suffice. if you're goint all-out, boot to a linux live-distro and run the code from there (now writing on the disc possible).
Yes, you can download javascript from github, and execute it locally.
But how many people actually do that? unskilled users won't, because it is too complicated for them.
My point was that users should stay away from websites that dynamically send you javascript.
This is a very different (and much more dangerous) situation than downloading code from github.
Unfortunately, people who do not understand this distinction might interpret your answer as a refutation of what I said. Please clarify.
I'm not missing the point, I think you assume I'm attacking you, which I'm not. I was only providing a guide for a non-coder to make 99.9999% sure that he has an uncompromised brainwallet.
as to your points:
open-source is open-source - in this respect, i trust bitaddress just as much as
your open-source project AS LONG AS I run bitaddress locally (without connection to the web, with the security measures I added in the last reply). of course, your internal peer review might increase trustworthiness nominally, but that doesn't mean jacksquat to a n00b. you *could* be not one crook, but a gang of crooks, after all!
that said:
unskilled people will always have to live with a measure of insecurity. they cannot review either code. they cannot even configure a firewall, maybe.
if you want to enable an unskilled person with some measure of security, your ideas is to provide them with a piece of compiled software, labelled "trustworthy", like yours? that doesn't help a whole lot. while it might be
technically safe, the user can never
*know* that, they need to
*trust*.
they can do a LOT for their piece of mind, however, by doing the localhost://bitaddress thing (including all the measures necessary).
note: i use bitaddress here as one example there are plenty other brainwallet/paperwallet generators out there.
note2: it's an even better idea to do this from a live distro just to eliminate risk of malware, keyloggers etc etc.
note3: feel free to include bitaddress in your peer review process to find the back door.
