Emergenz
Newbie
May 26, 2013, 01:32:35 AM
OK, I haven't tried it yet but where do you enter the change address? Or does it just send the change back to the original address?
Yes, change is automatically sent back to the cold storage address. I absolutely agree with that. Of course it's all open source from bitcoinJS, brainwallet and bitcoin-secured but there is no reason not to double-check. I have added the coinb.in link to the signtransaction.html.

Polvos
May 27, 2013, 09:20:27 AM
As promised, I sent a 1BTC transaction as a bounty reward for your nice piece of work. I'm pleased to pay someone like you for the work done helping us, the noobies, to use Bitcoin in a safer way. Now we can send the newcomers to those directions when an offline secure transaction needs to be built. Thanks for your effort.

Polvos
May 27, 2013, 06:53:11 PM
I have a question about the offlinewallet. Where does it take the unspent outputs information from, the local stored blockchain or some online server?

Emergenz
Newbie
May 28, 2013, 02:43:46 AM Last edit: May 28, 2013, 08:13:31 AM by Emergenz
It is taken from blockchain.info. Here is the relevant line from main1.js:
q = "select * from html where url='http://blockchain.info/unspent?address=" + $scope.transaction.address + "'";
All you need to use the offline wallet is a bitcoin address and its private key, you don't need any additional software.

w1R903
May 28, 2013, 02:19:02 PM Last edit: May 28, 2013, 03:48:25 PM by w1R903
Thanks, xDan. I appreciate it. Sorry for being offline for a while -- I didn't realize this was still being discussed. I had an out-of-state family member in the ICU for a week, and then a family member's funeral about 1000 miles away. So I've been out of town for most of the past few weeks.
The reason I still hadn't announced the software was that I haven't had enough time to test it to the fullest extent. But if people really want to use the implementation as is (early alpha), I'd recommend using this link I've put up for the online portion (if you decide not to run that locally). It's the same as the copy posted above but it's over SSL: https://bitcoin-secured.com
Since the link that emergenz posted is not SSL-encrypted, it could pose a big risk for these types of transactions. Someone could easily swap out Bitcoin addresses of the non-SSL link using mitm. The site I put up above is SSL-encrypted. If you're comfortable using alpha quality software, you can ignore the notice since this is the same implementation as emergenz posted (except he had removed my alpha software notice or used an earlier version).
Since there is interest, I'll try to test this some more and remove the alpha warning. But please realize that this is all alpha quality software (including the copy of the program posted by emergenz), and I can make no guarantees. Personally, I use and recommend Armory for offline signing of significant amounts at this point, although I may move to my implementation as my main offline signer after some additional work and testing.
EDIT: After thinking about it, I'd recommend that no one use any version of this software until I have some more time to look over it tonight (28 May 2013). I'll post here tomorrow when it's ready.
4096R/F5EA0017

w1R903
May 28, 2013, 02:23:36 PM
As promised, I sent a 1BTC transaction as a bounty reward for your nice piece of work. I'm pleased to pay someone like you for the work done helping us, the noobies, to use Bitcoin in a safer way. Now we can send the newcomers to those directions when an offline secure transaction needs to be built. Thanks for your effort.
Thanks, Polvos. I appreciate it. Which address did you send it to? I see xDan's bounty but not any others. The online version currently takes the unspent transactions from the blockchain.info API, although I'm testing my own local database of unspent outputs so that I'm not reliant on an external site for the unspent outcomes. The problem with the local bitcoin-qt/bitcoind is that it doesn't track arbitrary Bitcoin addresses' unspent outcomes, only the addresses in the local wallet. So you have to build an external db of those outputs.
4096R/F5EA0017

w1R903
May 28, 2013, 02:41:18 PM Last edit: May 28, 2013, 02:53:54 PM by w1R903
Good news. blockchain.info now supports CORS so I can connect directly to them while I'm finalizing my own local database of unspent outputs for bitcoin-secured. I'll try to push the new version out tonight. Right now, the script relies on Yahoo to relay the request, which means that blockchain.info's API request limit is quickly reached if a lot of people use it. This will solve that problem.
NOTICE: bitcoin-secured will be offline shortly while I update it to support blockchain.info's CORS. While it's down, please be aware that if you use a non-SSL link for the online version of this software, it's very vulnerable to someone swapping out your Bitcoin address for another. Either use https://bitcoin-secured.com when it's back up or run it locally (on localhost). Or wait for someone else to host it on an SSL-enabled URL.
4096R/F5EA0017

CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
May 28, 2013, 02:57:56 PM
Or wait for someone else to host it on an SSL-enabled URL.
If you have the source on say github then I will be happy to grab it and put it somewhere under https://ciyam.org.

w1R903
May 28, 2013, 03:11:33 PM Last edit: May 28, 2013, 03:26:32 PM by w1R903
Or wait for someone else to host it on an SSL-enabled URL.
If you have the source on say github then I will be happy to grab it and put it somewhere under https://ciyam.org.
Thanks for the offer! The source is on github (I'm esbullington on github, the link is somewhere above), so please feel free to do so, but I do have it on https://bitcoin-secured.com which is SSL. It's just down for a few minutes while I'm updating it. So I'll have it back on an SSL-enabled site real soon.
Users who use the online portion of bitcoin-secured hosted by a third-party should make sure that
1) It's SSL-encrypted
2) It's someone you trust
The best way to run the online portion is locally, simply by going to the `bitcoin-secured/online` directory and then running:
python -m SimpleHTTPServer
The site will then be available at localhost:8000
Since blockchain.info is now using CORS, this should work, but I've not yet tested it (working as fast as I can to do so).
PS: Please note that I have signed MD5 hashes of the offline code that can be downloaded at: https://bitcoin-secured.com/#/download
4096R/F5EA0017

w1R903
May 28, 2013, 03:32:57 PM
Python is technically not a dependency. It's just what I used to serve it locally. It's all static HTML, JS, and CSS, so you can run it from wherever you usually run such scripts. Can you hold off for a day? Or else update it tomorrow? I'll be making some significant changes tonight, like better error handling, etc. And again, I'll note that I have an SSL-encrypted version at https://bitcoin-secured.com that includes signed MD5 hashes of the offline code for download.
4096R/F5EA0017

CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
May 28, 2013, 03:34:57 PM
Sure - I'll wait for the updated version (as I'm watching this thread just be sure to post in it so I remember).

w1R903
May 28, 2013, 03:43:17 PM
After thinking about it some more, may I please ask everyone to please hold off on using any version of this? I didn't realize anyone was still interested in it until a few hours ago. However, it's got some bugs I want to iron out before anyone uses it. I originally said to use my hosted version at https://bitcoin-secured.com since it was better than using an unencrypted version of the online part, but after thinking about it, I'd prefer people hold off on using it at all until after I do some additional testing tonight, when I'll have time to do so (can't shirk my work duties anymore right now). You are of course free to do anything you want with the code, since it's MIT licensed, but I'd prefer people hold off until I can do some additional testing. I'll make an announcement here when it's ready for beta use.
4096R/F5EA0017

CIYAM
Legendary
Ian Knowles - CIYAM Lead Developer
May 28, 2013, 03:47:09 PM
Good move - will wait for that - I think this is the right way to go and appreciate the effort (I actually wrote something similar but is much less user-friendly as it requires you to find the UTXO information manually).

w1R903
May 28, 2013, 04:00:28 PM Last edit: May 29, 2013, 11:54:12 AM by w1R903
Good move - will wait for that - I think this is the right way to go and appreciate the effort (I actually wrote something similar but is much less user-friendly as it requires you to find the UTXO information manually).
Thanks for your understanding and sorry for the inconvenience to anyone who has been waiting on this (i.e., xDan). I'll be sure to check this thread on a regular basis now. I'll post an announcement here tonight or tomorrow when it's ready for beta testing. EDIT: Had to work late last night, hopefully will get to it today.
4096R/F5EA0017

xDan (OP)
May 29, 2013, 01:28:11 PM
Hey, no worries. Good to see you may still work on it. Personally I risked using the prototype version above for my most pressing needs.
HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars. Up, up and away with my beautiful, my beautiful Bitcoin~

kodo
Newbie
May 29, 2013, 10:15:20 PM
This is cool thank you!

w1R903
May 30, 2013, 11:35:35 PM
Hey, no worries. Good to see you may still work on it. Personally I risked using the prototype version above for my most pressing needs.
Yes, my ultimate goal is to get it where people can easily run *both* the online version and offline version locally, with no need to host the online version. It's a little tricky because of the problems that exist making requests to third-party websites from a locally-running javascript program. Really, this is the only secure way to do it. SSL for the online portion is nice but still requires the user trust the person serving the site. Running both portions locally, on my online and offline computers, is the only way I'd consider using this project for a significant offline transaction.
Anyway, this third-party request issue is partially solvable using CORS headers, and blockchain.info has recently, and very kindly, implemented CORS headers for this type of use case. Anyway, I worked on it some more last night but ran into some very serious issues with AngularJS (the JS framework I used) HTTP client implementation and CORS compatibility, so I've ended up using jQuery to call blockchain for unspent outputs and to push the signed transaction (which works fine).
Anyway, I still want to do some more work before I announce it ready, and although I won't get to anything tonight, I should be able to finish up this weekend.
4096R/F5EA0017

Polvos
May 31, 2013, 01:19:58 PM
As promised, I sent a 1BTC transaction as a bounty reward for your nice piece of work. I'm pleased to pay someone like you for the work done helping us, the noobies, to use Bitcoin in a safer way. Now we can send the newcomers to those directions when an offline secure transaction needs to be built. Thanks for your effort.
Thanks, Polvos. I appreciate it. Which address did you send it to? I see xDan's bounty but not any others.
Sorry, Emergenz claimed my 1BTC bounty in a private message and I donated to him because I thought you left. That was the transaction: https://blockchain.info/es/tx/5017919fbebe0712a349e473c06018b1df87cdd2732e4f93db76cc3c5c431dc8

xDan (OP)
May 31, 2013, 06:05:47 PM
Really, this is the only secure way to do it. SSL for the online portion is nice but still requires the user trust the person serving the site. Running both portions locally, on my online and offline computers, is the only way I'd consider using this project for a significant offline transaction.
What are the security implications exactly? Simply that the destination address could be altered, and then the user may overlook this when signing offline? Or can other things be done by changing the blockchain data or other stuff?
HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars. Up, up and away with my beautiful, my beautiful Bitcoin~
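
The risk discussed in the last few posts, a hosted online page changing where the coins go before the transaction reaches the offline signer, can be checked on the offline machine by decoding the unsigned transaction and listing its outputs. The following is an added example, not code from the thread or from bitcoin-secured. It assumes Node.js and a legacy (pre-SegWit) transaction with pay-to-pubkey-hash outputs, and compares hash160 values rather than Base58 addresses; all function names and the sample transaction are constructed for illustration.

```javascript
// Added example (not bitcoin-secured code): list the outputs of a legacy,
// pre-SegWit raw transaction and flag any that pay an unexpected hash160.
function readVarInt(buf, pos) {
  const first = buf[pos];
  if (first < 0xfd) return { value: first, next: pos + 1 };
  if (first === 0xfd) return { value: buf.readUInt16LE(pos + 1), next: pos + 3 };
  if (first === 0xfe) return { value: buf.readUInt32LE(pos + 1), next: pos + 5 };
  return { value: Number(buf.readBigUInt64LE(pos + 1)), next: pos + 9 };
}

function decodeOutputs(rawHex) {
  const buf = Buffer.from(rawHex, 'hex');
  let cur = readVarInt(buf, 4);                  // skip 4-byte version, read input count
  let pos = cur.next;
  for (let i = cur.value; i > 0; i--) {
    const len = readVarInt(buf, pos + 36);       // skip previous txid + output index
    pos = len.next + len.value + 4;              // skip scriptSig + sequence
  }
  cur = readVarInt(buf, pos);                    // output count
  pos = cur.next;
  const outputs = [];
  for (let i = cur.value; i > 0; i--) {
    const satoshis = Number(buf.readBigUInt64LE(pos));
    const len = readVarInt(buf, pos + 8);
    const script = buf.subarray(len.next, len.next + len.value).toString('hex');
    pos = len.next + len.value;
    // Standard P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    const m = /^76a914([0-9a-f]{40})88ac$/.exec(script);
    outputs.push({ satoshis, script, hash160: m ? m[1] : null });
  }
  if (pos + 4 !== buf.length) throw new Error('malformed transaction'); // locktime must end it
  return outputs;
}

// Outputs whose hash160 is not on the allow-list (non-P2PKH outputs always count).
function unexpectedOutputs(rawHex, allowedHash160s) {
  const allowed = new Set(allowedHash160s.map((h) => h.toLowerCase()));
  return decodeOutputs(rawHex).filter((o) => o.hash160 === null || !allowed.has(o.hash160));
}

// Constructed sample: one unsigned input, 0.5 BTC to `dest`, 0.4999 BTC change to COLD.
const DEST = '11'.repeat(20), COLD = '22'.repeat(20);
const p2pkh = (h) => '1976a914' + h + '88ac';
const buildSample = (dest) => '01000000' + '01' + 'aa'.repeat(32) + '00000000' + '00' + 'ffffffff' +
  '02' + '80f0fa0200000000' + p2pkh(dest) + '70c9fa0200000000' + p2pkh(COLD) + '00000000';

// A swapped destination shows up as one unexpected 50000000-satoshi output.
console.log(unexpectedOutputs(buildSample('33'.repeat(20)), [DEST, COLD]));
```

An empty result means every output pays either the intended recipient or the cold storage change address; the amounts in `decodeOutputs` still need to be compared with what was meant to be sent.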