easy offline transactions - 1 BTC bounty

[Emergenz]

OK, I haven't tried it yet but where do you enter the change address? Or does it just send the change back to the original address?

Yes, change is automatically sent back to the cold storage address.

Anyone else testing this, you might want to use a service such as this:
https://coinb.in/decode-raw-transaction.html

...to validate the final transaction. (Before sending it via https://blockchain.info/pushtx )

I absolutely agree with that. Of course it's all open source from bitcoinJS, brainwallet and bitcoin-secured but there is no reason not to double-check. I have added the coinb.in link to the signtransaction.html.

[1714170026]

1714170026

[1714170026]

1714170026

[1714170026]

1714170026

[Polvos]

The first prototype of w1R903's bitcoin-secured seems to work fine. I tried to make it more straightforward to use.

Online part:
http://offlinewallet.appspot.com/

Offline part:
http://offlinewallet.appspot.com/signtransaction.zip

As promised, I sent a 1BTC transaction as a bounty reward for yor nice piece of work. I'm pleased to pay someone like you for the work done helping us, the noobies, to use Bitcoin in a safer way. Now we can send the newcomers to those directions when an offline secure transaction needs to be built. Thanks for your effort.

[Polvos]

I have a question about the offlinewallet. Where does it take the unspent outputs information from, the local stored blockchain or some online server?

[Emergenz]

It is taken from blockchain.info. Here is the relevant line from main1.js:

Code:

q = "select * from html where url='http://blockchain.info/unspent?address=" + $scope.transaction.address + "'";

All you need to use the offline wallet is a bitcoin address and its private key, you don't need any additional software.

[w1R903]

I sent w1R903 his 1 BTC as a test:
https://blockchain.info/tx/a0333dcedebe862471f427ee728c43d7368d62cf4456b4d9af9fc3cad9676855

Thanks, xDan.  I appreciate it.  Sorry for being offline for a while -- I didn't realize this was still being discussed.  I had an out-of-state family member in the ICU for a week, and then a family member's funeral about 1000 miles away.  So I've been out town for most of the past few weeks.

The reason I still hadn't announced the software was that I haven't had enough time to test it to the fullest extent.  But if people really want to use the implementation as is (early alpha), I'd recommend using this link I've put up for the online portion (if you decide not to run that locally).  It's the same as the copy posted above but it's over SSL:

https://bitcoin-secured.com

Since the link that emergenz posted is not SSL-encrypted, it could pose a big risk for these types of transactions.  Someone could easily swap out Bitcoin addresses of the non-SSL link using mitm.  The site I put up above is SSL-encryped.  If you're comfortable using alpha quality software, you can ignore the notice since this is the same implementation as emergenz posted (except he had removed my alpha software notice or used an earlier version).

Since there is interest, I'll try to test this some more and remove the alpha warning.  But please realize that this is all alpha quality software (including the copy of the program posted by emergenz), and I can make no guarantees.  Personally, I use and recommend Armory for offline signing of significant amounts at this point, although I may move to my implementation as my main offline signer after some additional work and testing.

EDIT: After thinking about it, I'd recommend that no one use any version of this software until I have some more time to look over it tonight (28 May 2013).  I'll post here tomorrow when it's ready.

[w1R903]

As promised, I sent a 1BTC transaction as a bounty reward for yor nice piece of work. I'm pleased to pay someone like you for the work done helping us, the noobies, to use Bitcoin in a safer way. Now we can send the newcomers to those directions when an offline secure transaction needs to be built. Thanks for your effort.

Thanks, Polvos.  I appreciate it.  Which address did you send it to?  I see xDan's bounty but not any others.

The online version currently takes the unspent transactions from the blockchain.info API, although I'm testing my own local database of unspent outputs so that I'm not reliant on an external site for the unspent outcomes.  The problem with the local bitcoin-qt/bitcoind is that it doesn't track arbitrary Bitcoin addresses' unspent outcomes, only the addresses in the local wallet.  So you have to build an external db of those outputs.

[w1R903]

Good news.  blockchain.info now supports CORS so I can connect directly to them while I'm finalizing my own local database of unspent ouputs for bitcoin-secured.  I'll try to push the new version out tonight.  Right now, the script relies on Yahoo to relay the request, which means that blockchain.info's API request limit is quickly reached if a lot of people use it.  This will solve that problem.

NOTICE: bitcoin-secured will be offline shortly will I update it to supports blockchain.info's CORS.  While it's down, please be aware that if you use a non-SSL link for the online version of this software, it's very vulnerable to someone swapping out your Bitcoin address for another.  Either use https://bitcoin-secured.com when it's back up or run it locally (on localhost).  Or wait for someone else to host it on an SSL-enabled URL.

[CIYAM]

Or wait for someone else to host it on an SSL-enabled URL.

If you have the source on say github then I will be happy to grab it and put it somewhere under https://ciyam.org.

[w1R903]

Or wait for someone else to host it on an SSL-enabled URL.

If you have the source on say github then I will be happy to grab it and put it somewhere under https://ciyam.org.

Thanks for the offer!  The source is on github (I'm esbullington on github, the link is somewhere above), so please feel free to do so, but I do have it on https://bitcoin-secured.com which is SSL.  It's just down for a few minutes while I'm updating it.  So I'll have it back on an SSL-enabled site real soon.

Users who use the online portion of bitcoin-secured hosted by a third-party should make sure that

1)  It's SSL-encryped
2)  It's someone you trust

The best way to run the online portion is locally, simply by going to the `bitcoin-secured/online` directory and then running: python -m SimpleHTTPServer

The site will then be available at localhost:8000

Since blockchain.info is now using CORS, this should work, but I've not yet tested it (working as fast as I can to do so).

PS: Please note that I have signed MD5 hashes of the offline code that can be downloaded at: https://bitcoin-secured.com/#/download

[CIYAM]

Okay - found the repository (https://github.com/esbullington/bitcoin-secured) - apart from Python any other dependencies?

[w1R903]

Okay - found the repository (https://github.com/esbullington/bitcoin-secured) - apart from Python any other dependencies?

Python is technically not a dependency.  It's just what I used to serve it locally.  It's all static HTML, JS, and CSS, so you can run it from wherever you usually run such scripts.

Can you hold off for a day?  Or else update it tomorrow?  I'll be making some significant changes tonight, like better error handling, etc.

And again, I'll note that I have an SSL-encrypted version at https://bitcoin-secured.com that includes signed MD5 hashes of the offline code for download.

[CIYAM]

Sure - I'll wait for the updated version (as I'm watching this thread just be sure to post in it so I remember).

[w1R903]

After thinking about it some more, may I please ask everyone to please hold off on using any version of this?  I didn't realize anyone was still interested in it until a few hours ago.  However, it's got some bugs I want to iron out before anyone uses it.  I originally said to use my hosted version at https://bitcoin-secured.com since it was better than using an unencrypted version of the online part, but after thinking about it, I'd prefer people hold off on using it at all until after I do some additional testing tonight, when I'll have time to do so (can't shirk my work duties anymore right now).  You are of course free to do anything you want with the code, since it's MIT licensed, but I'd prefer people hold off until I can do some additional testing.

I'll make an announcement here when it's ready for beta use.

[CIYAM]

Good move - will wait for that - I think this is the right way to go and appreciate the effort (I actually wrote something similar but is much less user-friendly as it requires you to find the UTXO information manually).

[w1R903]

Good move - will wait for that - I think this is the right way to go and appreciate the effort (I actually wrote something similar but is much less user-friendly as it requires you to find the UTXO information manually).

Thanks for your understanding and sorry for the inconvenience to anyone who has been waiting on this (i.e., xDan).  I'll be sure to check this thread on a regular basis now.

I'll post an announcement here tonight or tomorrow when it's ready for beta testing.

EDIT: Had to work late last night, hopefully will get to it today.

[xDan]

Hey, no worries. Good to see you may still work on it

Personally I risked using the prototype version above for my most pressing needs.

[kodo]

This is cool thank you!

[w1R903]

Hey, no worries. Good to see you may still work on it

Personally I risked using the prototype version above for my most pressing needs.

Yes, my ultimate goal is to get it where people can easily run *both* the online version and offline version locally, with no need to host the online version.  It's a little tricky because of the problems that exist making request to third-party websites from a locally-running javascript program.  Really, this is the only secure way to do it.  SSL for the online portion is nice but still requires the user trust the person serving the site.  Running both portions locally, on my online and offline computers, is the only way I'd consider using this project for a significant offline transaction.

Anyway, this third-party request issue is partially solveable using CORS headers, and blockchain.info has recently, and very kindly, implemented CORS headers for this type of use case.  Anyway, I worked on it some more last night but ran into some very serious issues with AngularJS (the JS framework I used) HTTP client implementation and CORS compatibility, so I've ended up using Jquery to call blockchain for unspent outputs and to push the signed transaction (which works fine).  Anyway, I still want to do some more work before I announce it ready, and although I won't get to anything tonight, I should be able to finish up this weekend.

[Polvos]

As promised, I sent a 1BTC transaction as a bounty reward for yor nice piece of work. I'm pleased to pay someone like you for the work done helping us, the noobies, to use Bitcoin in a safer way. Now we can send the newcomers to those directions when an offline secure transaction needs to be built. Thanks for your effort.

Thanks, Polvos.  I appreciate it.  Which address did you send it to?  I see xDan's bounty but not any others.

Sorry, Emergenz claimed my 1BTC bounty in a private message and I donated him because I thought you left.

That was the transaction:
https://blockchain.info/es/tx/5017919fbebe0712a349e473c06018b1df87cdd2732e4f93db76cc3c5c431dc8

[xDan]

Really, this is the only secure way to do it.  SSL for the online portion is nice but still requires the user trust the person serving the site.  Running both portions locally, on my online and offline computers, is the only way I'd consider using this project for a significant offline transaction.

what are the security implications exactly? Simply that the destination address could be altered, and then the user may overlook this when signing offline? or can other things be done by changing the blockchain data or other stuff?