How secure is this process to generate an address offline?

[CounterEntropy]

I am a bit concerned after reading responses in this post. First of all, let me make it clear, I am not at all concerned by address reuse, because I never do that. I am concerned about the security my cold wallets addresses, which are receive only, i.e. receive multiple Tx but never send out. Now below is the process I perform offline...

1. Create 3 different bitcoin addresses by random cursor movement using www.bitaddress.org code.

2. Use the 3 public keys of these addresses to generate multisig using www.coinb.in code.

3. 3 private keys are kept as paper wallet and only the multisig address is stored in online computer for copy-pasting to receive payments.

Now, is that insecured anyway?

p.s. I understand Bitcoin core, Armory or Electrum could be more secure. But, let's assume I do have some problem in using them. For the sake of JS based wallet's security discussion, please keep this topic specific to the process stated here.

[1714813905]

1714813905

[ranochigo]

I am a bit concerned after reading responses in this post. First of all, let me make it clear, I am not at all concerned by address reuse, because I never do that. I am concerned about the security my cold wallets addresses, which are receive only, i.e. receive multiple Tx but never send out. Now below is the process I perform offline...

1. Create 3 different bitcoin addresses by random cursor movement using www.bitaddress.org code.

2. Use the 3 public keys of these addresses to generate multisig using www.coinb.in code.

3. 3 private keys are kept as paper wallet and only the multisig address is stored in online computer for copy-pasting to receive payments.

Now, is that insecured anyway?

p.s. I understand Bitcoin core, Armory or Electrum could be more secure. But, let's assume I do have some problem in using them. For the sake of JS based wallet's security discussion, please keep this topic specific to the process stated here.

If possible, always review the code before building/running it. A malware can easily replace the code with a malicious one.

The bug concerns the Brainwallet part of Bitaddress.org which shouldn't be a problem if you're not using that. When you open the page, Bitaddress.org already used your browser[1] to generate the entropy. Next, the mouse movement will add additional entropy in case the entropy generated is not secure enough. You need to sign the transaction using your private key. It isn't a bad idea to use a clean USB thumbdrive to transfer the file from an online but clean computer to sign them.  

[1] https://github.com/pointbiz/bitaddress.org/blob/master/bitaddress.org.html#L2448

[coinableS]

The way you explain is safe assuming the machine you are using is not already compromised.
Also make sure you know how to spend from a multisig address on your own. Because if you don't, what will do you if coinb.in goes offline?

For step 3, make sure you know which order your private keys go. Creating a multisig address with M of N keys will have a different address and redeem script when put in different order.  A multisig of addresses A, B, C, will be different than addresses A, C, B. 

I do something similar except I generate my private keys with dice, then I made it into a multisig. It's probably over-kill but I sleep better knowing that my seeds are 100% random.