Hach-Que (OP)
Newbie
Offline
Activity: 19
Merit: 0
June 15, 2011, 04:42:25 AM Last edit: October 28, 2012, 04:49:58 PM by Hach-Que

Overview

For the past few days I've been working on a project called Collate. The goal of the project is to allow a user to view and manage all of their BitCoin wallets in a single place. This means:

- Wallets running in the desktop client.
- Wallets stored online with wallet providers.
- BitCoin balances for trading sites (such as MtGox).
- Earnings from mining pools.

Latest changes (v0.4.21029)

Version 0.4 brings support for syncing configuration with a server (locally encrypted with AES-256). It also updates the plugins to work, and disables MtGox (their API requires more infrastructure to use now). Importantly, it now supports wallets that use passphrases.

Downloads

Collate is written as a Google Chrome extension, but importantly it's not restricted to being a Google Chrome extension; the Chrome-specific element is the browser action (and if you can't tell, this is an encouragement for someone to port it to Firefox). It's designed such that it can be easily extended with new types of wallets and it's licensed under an MIT license (so it's open source).

You can install the application from the Chrome Web Store at https://chrome.google.com/webstore/detail/anlcpclkmbeeoglfgbfboogijdkbohkn. You can download the source code from https://github.com/hach-que/Collate.

Features

In the works

An initial plugin for MtGox had been completed, but it does not yet support trading or the MtGox ticker. If you're interested in working on this, get in contact with me. Outside of that, we're planning plugins for more mining pools and wallet providers (it depends on what they support). In addition, we're working with the developer of BitMiner to provide a plugin that will allow you to control GPU miners from the interface.

Screenshots

[1] [2] https://github.com/hach-que/Collate/raw/master/screenshot01.png

SomeoneWeird
June 15, 2011, 06:29:48 AM

I beta tested this, and I have to say, was very impressed! Could go a lot further

wonderbread
Newbie
Offline
Activity: 11
Merit: 0
June 15, 2011, 07:07:42 AM

Looking good mate. Subscribed.

Maged
Legendary
Offline
Activity: 1204
Merit: 1015
June 15, 2011, 07:55:28 AM

Quite impressive. I did a quick skim of the code and it looks clean enough. It's nice to have another frontend for the bitcoin client, especially since I can see my balance change as I browse!

Hach-Que (OP)
June 15, 2011, 11:54:57 AM

I just finished the submission to the Chrome Web Store; I recommend that you install it from there as it means you'll get automatic updates when we release new plugins.

Basiley
Newbie
Offline
Activity: 42
Merit: 0
June 15, 2011, 12:44:04 PM

Nice. How about a port to Firefox 4.x and Opera 11.xx?

Hach-Que (OP)
June 15, 2011, 12:46:23 PM

> Nice. How about a port to Firefox 4.x and Opera 11.xx?

I haven't written a Firefox extension for years and I've never written an Opera extension at all (nor would I have the ability to maintain those). I'm hoping someone with the relevant experience might have a go at doing it (it's 99% standard JavaScript so it should port easily).

REF
June 15, 2011, 05:02:08 PM

Cool project. I hope someone can port it to FF; I have a few coins around and this would make it a lot nicer.

carlerha
June 15, 2011, 06:03:00 PM

looks good

Hach-Que (OP)
June 20, 2011, 11:48:58 AM

I've just updated the source code in the repository (https://github.com/hach-que/Collate) to support reading a wallet via Block Explorer, which means you now don't have to run the BitCoin server or leave your wallet unencrypted to do so (since it must be unencrypted for the BitCoin server to run). So in summary, it's a much safer way of viewing your wallet from Collate since you don't have to leave your wallet unencrypted (and you shouldn't).

The main differences between the Block Explorer and the RPC-based plugin are that the former can't report or control local mining (but who does CPU mining these days?) and it also can't send coins on your behalf.

I've also merged the BTCGuild mining pool plugin from Wonderbread into the system, so that's built-in now for anyone using that mining pool.

This is the RC to the v0.2 release, however it's appreciated if people test the version in the repository so I can iron out any final bugs before packaging for the Chrome Web Store.

Hach-Que (OP)
July 07, 2011, 02:31:10 AM

Just to let everyone know, this project isn't dead, I've just been super busy lately with some other things. Development should start again next week sometime.

amincd
July 07, 2011, 04:11:19 AM

Thanks for the contribution!

TeraPool
Newbie
Offline
Activity: 42
Merit: 0
July 07, 2011, 04:13:58 AM

Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?

Maged
July 07, 2011, 04:21:11 AM

> Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?

Any exploit that could compromise the sandbox could also likely compromise the whole machine.

Hach-Que (OP)
July 07, 2011, 04:27:08 AM Last edit: July 07, 2011, 04:43:34 AM by Hach-Que

It seems that the Chrome Web Store version is not yet 0.2! I meant to do that previously, but it seems I forgot (I'll get it done now). It addresses the following concern:

> Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?
>
> Any exploit that could compromise the sandbox could also likely compromise the whole machine.

In 0.2 you can use the Block Explorer to examine your wallet without actually having to run the BitCoin client. This means you can keep wallet.dat on an encrypted partition via TrueCrypt or w/e and you can still monitor your account balance (although to send coins you will still need to start the BitCoin client for obvious reasons).

In 0.2 the Block Explorer method of viewing a wallet supersedes the old way of connecting to the BitCoin client since the latter requires that your private key be stored in memory all the time (which is a bad idea).

UPDATE: 0.2 is uploaded to the Chrome Web Store; I think it takes up to two hours to actually update in people's browsers however.

nhodges
July 07, 2011, 08:31:41 AM

> Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?

If the app is linked to your bitcoind, and an attacker has a way to execute arbitrary code within the browser controlling the app, then quite possibly yes.

Hach-Que (OP)
July 07, 2011, 09:56:30 AM

> Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?
>
> If the app is linked to your bitcoind, and an attacker has a way to execute arbitrary code within the browser controlling the app, then quite possibly yes.

Not quite possibly yes, the answer is completely yes. It's for this exact reason that I've deprecated the Local Server plugin in 0.2, or at least relegated it to a highly not recommended option when the Block Explorer is available (which conveniently enough only requires the public BitCoin address to show your balance, rather than having to set up RPC information).

wonderbread
July 07, 2011, 12:13:45 PM

Tradehill went down minutes after I started to screw around with a JS API wrapper for it... Typical...
I'm having a think about writing a tradehill plugin for it. The security implications are large so I'm going to have to have a think about a secure way of storing credentials and such.
Authorising transactions could be coupled with a simple captcha could it not?
Just thinking into the reply box here... I'll sleep on it.
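
Added example (not from any poster in this thread and not Collate's own code): one way to keep plugin credentials or synced configuration so that whatever stores them only ever holds ciphertext, which is the concern raised in the post above and the "locally encrypted with AES-256" sync the first post lists for v0.4. The GCM mode, the PBKDF2 key derivation, the envelope fields and all function names are assumptions, since the thread does not say how Collate does it; the code runs under Node.js.

```javascript
// Added example: runs under Node.js with its built-in crypto module.
const nodeCrypto = require("node:crypto");

const KDF_ITERATIONS = 200000; // assumed work factor, tune for your hardware

// Derive a 256-bit key from the user's passphrase and a per-blob random salt.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, "sha256");
}

// Encrypt the configuration locally; only the returned envelope is synced.
function sealConfig(config, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every upload
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(config), "utf8"), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    body: body.toString("base64"),
  };
}

// Decrypt an envelope fetched from the server. Returns null when the passphrase
// is wrong or the blob was modified while stored or in transit.
function openConfig(envelope, passphrase) {
  try {
    const salt = Buffer.from(envelope.salt, "base64");
    const iv = Buffer.from(envelope.iv, "base64");
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
    decipher.setAuthTag(Buffer.from(envelope.tag, "base64"));
    const plain = Buffer.concat([
      decipher.update(Buffer.from(envelope.body, "base64")),
      decipher.final(), // throws if the GCM tag does not verify
    ]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Constructed sample configuration (placeholder values, not real accounts).
const sampleConfig = {
  accounts: [{ type: "blockexplorer", address: "EXAMPLE-PUBLIC-ADDRESS" }],
};
```

The passphrase never leaves the machine, so this protects the stored or synced copy only; it does nothing against code already running inside the extension, which is the sandbox question discussed in the surrounding posts.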

Hach-Que (OP)
July 07, 2011, 01:26:55 PM

Thing is, if someone has broken the Chrome sandbox between applications, they could just steal the raw data they want and then send the request off.. CAPTCHA won't do anything. But as I mentioned before, at that point, if they can break that security barrier, you have to question whether or not they can just take control of the whole system (I'm not sure how sandboxed processes are between each other in Chrome relative to each of them to the OS, but I would assume it would be similar).

So assuming that the Chrome sandbox holds up (which it should), the only thing you have to watch out for is rogue Collate plugins (as in account types); but that's why we screen any plugins that are submitted so it doesn't happen.

EDIT: Also think of it like this; if they can break the security barrier between website <-> chrome extension, then they'll be able to break the security barrier between website <-> website and steal any session data or login information that you're sending to normal sites. So at that point, I don't think it's really much of a concern (i.e. they could just steal the session data to Tradehill anyway.. why go to all the trouble of getting the information out of the extension?)

Hach-Que (OP)
July 27, 2011, 02:39:05 AM

So I've just released v0.3.10727, which adds some basic support for MtGox (basically read-only things like showing balance and open orders).
If someone is interested in writing a ticker viewer and trading operations into the plugin, get in contact with me via the forum's PM system or email.