torusJKL
|
|
October 31, 2015, 09:27:43 PM |
|
When signing a message I'm asked to use a different computer if the current one is compromised.
Let's assume the computer is compromised. What are the possibilities of a hacker? Could he change the text and trick me into signing a different message?
Are there other things a hacker could do?
Actually there is no way I can know with certainty if my computer is compromised. Thus best practice would be to use an air-gapped computer to get the 2FA pin, or is this overkill?
|
|
|
|
btchip (OP)
|
|
October 31, 2015, 09:55:16 PM |
|
Could he change the text and trick me into signing a different message?
yes, that's the idea. Nothing else but that's bad enough.
Actually there is no way I can know with certainty if my computer is compromised. Thus best practice would be to use an air-gapped computer to get the 2FA pin, or is this overkill?
if you're signing something critical, that's the best option. Note that you can use anything that recognizes a HID keyboard - it could be a phone or a smart TV or a Windows PC with no session open for example. The next firmware version will provide an option to verify the message content on the paired smartphone when signing.
|
|
|
|
torusJKL
|
|
November 02, 2015, 01:41:49 PM Last edit: November 02, 2015, 02:44:18 PM by torusJKL |
|
if you're signing something critical, that's the best option. Note that you can use anything that recognizes a HID keyboard - it could be a phone or a smart TV or a Windows PC with no session open for example.
Would it make sense to have this functionality in the Ledger Starter distribution?
|
|
|
|
btchip (OP)
|
|
November 02, 2015, 07:15:02 PM |
|
Would it make sense to have this functionality in the Ledger Starter distribution?
I think it does it by default - you can boot starter, plug the device when it's supposed to write something and it'll just write it where the focus is currently set.
|
|
|
|
torusJKL
|
|
November 04, 2015, 06:07:25 AM |
|
A question regarding the upgrade process. I'm asked to enter the 32 letters of my security card.
As any computer could be compromised I have to assume that this input is intercepted and thus I lose another layer of security. The pin code and the security card would be known to the attacker.
Is there a better way to upgrade? Could the Ledger Starter be enhanced with the possibility to upgrade?
|
|
|
|
btchip (OP)
|
|
November 04, 2015, 09:47:10 AM |
|
Is there a better way to upgrade? Could the Ledger Starter be enhanced with the possibility to upgrade?
I think it can already do that
|
|
|
|
torusJKL
|
|
November 04, 2015, 10:13:00 AM |
|
I think it can already do that
Could you tell me how? I did not find any menu item to initiate the upgrade. Thanks.
|
|
|
|
torusJKL
|
|
November 05, 2015, 08:03:54 AM Last edit: November 05, 2015, 08:25:09 AM by torusJKL |
|
A short list of features I would like to see in the Ledger Starter distro:
- update the Nano/HW.1 OS
- generate the security card (like on https://www.ledgerwallet.com/wallet/keycard)
- reprogram the Nano/HW.1 with a different security card (so that I could change the security card myself every x days)
Would this be possible?
|
|
|
|
btchip (OP)
|
|
November 05, 2015, 02:16:17 PM |
|
definitely doable, I'll push that and the other question to the team dealing with Starter
|
|
|
|
Morveus
|
|
November 05, 2015, 02:39:40 PM |
|
A short list of features I would like to see in the Ledger Starter distro:
- update the Nano/HW.1 OS
- generate the security card (like on https://www.ledgerwallet.com/wallet/keycard)
- reprogram the Nano/HW.1 with a different security card (so that I could change the security card myself every x days)
Would this be possible?
Hi! The Starter can already be upgraded very simply: by dropping a new rootfs image on the flash drive. When we publish a new version, you will be able to download it (+ match the file with our signature) and then overwrite the previous one. Generating the security card will be very trivial, we'll start working on it asap. The two other features are doable but will require more work. The Chrome app team has an idea about that which could be very interesting if we can make it work, so stay tuned!
|
|
|
|
japerry
|
|
November 05, 2015, 05:43:17 PM |
|
definitely doable, I'll push that and the other question to the team dealing with Starter
Wow!! Very nice! I'll be looking forward to the new starter!
|
|
|
|
torusJKL
|
|
November 05, 2015, 06:04:21 PM |
|
definitely doable, I'll push that and the other question to the team dealing with Starter
Thanks for taking my feature requests to the team.
Generating the security card will be very trivial, we'll start working on it asap.
Looking forward to using the next release.
The two other features are doable but will require more work. The Chrome app team has an idea about that which could be very interesting if we can make it work, so stay tuned!
Hopefully you can do it. In the meantime I'll reanimate my old notebook with a CD-ROM and update the ledger with a Live-System. :-)
|
|
|
|
torusJKL
|
|
November 18, 2015, 07:39:19 AM |
|
Would it be possible to request a specific address from the Ledger API? E.g. requesting the address of the path "44'/0'/0'/0/0" and get that specific address back. I opened an issue describing the details about this on github: https://github.com/LedgerHQ/ledger-wallet-api/issues/2
|
|
|
|
|
torusJKL
|
|
November 18, 2015, 09:11:49 AM Last edit: November 18, 2015, 11:45:58 AM by torusJKL |
|
Unfortunately I can't see how that answers my question. Could you please explain in more detail how I can get a specific address from the API?
|
|
|
|
gogxmagog
|
|
November 19, 2015, 03:42:45 AM |
|
I've been using the ledger wallet for a while and am very happy. The low cost is what convinced me at first, and it looks like the bitchip is even cheaper. The one thing I would suggest is some sort of protective casing. I am confident to carry my ledger around in my pocket if need be because it is in a little slip case. If bit chip had something similar it would be perfect
|
|
|
|
Bridgewater
|
|
January 28, 2016, 09:56:28 AM |
|
For the Ledger Chrome app to work, what IP addresses/ports do I need to open for basic functionality (sync/spend/confirm on mobile device)
|
|
|
|
btchip (OP)
|
|
January 29, 2016, 08:35:04 AM |
|
For the Ledger Chrome app to work, what IP addresses/ports do I need to open for basic functionality (sync/spend/confirm on mobile device)
You only need to open port 443 on *.ledgerwallet.com
|
|
|
|
japerry
|
|
January 30, 2016, 10:43:04 AM |
|
For the Ledger Chrome app to work, what IP addresses/ports do I need to open for basic functionality (sync/spend/confirm on mobile device)
You only need to open port 443 on *.ledgerwallet.com
I looked at the traffic generated a while back. I thought chain.com was accessed by the app also?
|
|
|
|
btchip (OP)
|
|
January 30, 2016, 11:28:57 PM |
|
The application had a websocket open to Chain in the past, now we are using our own service.
|
|
|
|
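Added example (not part of the thread and not Ledger's code): a check of observed outbound connections against the rule given above, port 443 on *.ledgerwallet.com, of the kind that would surface extra endpoints such as the chain.com traffic mentioned. The `host:port` log format, the `ws.chain.com` hostname and the other sample hostnames are constructed for illustration.

```python
# Audit observed egress against the allowlist stated in the thread.
ALLOWED_SUFFIX = "ledgerwallet.com"  # from the thread: *.ledgerwallet.com
ALLOWED_PORT = 443                   # from the thread

# Constructed sample connection log, one "host:port" per line.
SAMPLE_LOG = """\
api.ledgerwallet.com:443
API.LedgerWallet.com.:443
api.ledgerwallet.com:80
ws.chain.com:443
evilledgerwallet.com:443
ledgerwallet.com.example.net:443
"""


def parse_entry(line):
    """Split 'host:port' into a normalized (host, port) tuple."""
    host, _, port = line.strip().rpartition(":")
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.lower().rstrip("."), int(port)


def is_allowed(host, port):
    """True only for port 443 on a subdomain of the allowed suffix.

    Literal reading of the wildcard: at least one label must precede the
    suffix, and the match is on a label boundary, so look-alike names such
    as "evilledgerwallet.com" or "ledgerwallet.com.example.net" do not pass.
    """
    return port == ALLOWED_PORT and host.endswith("." + ALLOWED_SUFFIX)


def unexpected_connections(log_text):
    """Return the (host, port) pairs that fall outside the allowlist."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, port = parse_entry(line)
        if not is_allowed(host, port):
            flagged.append((host, port))
    return flagged


if __name__ == "__main__":
    for host, port in unexpected_connections(SAMPLE_LOG):
        print(f"unexpected egress: {host}:{port}")
```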
|