nightraven | May 09, 2017, 12:07:14 AM
I have looked a little closer at this new web wallet and I just wonder a little. The wallet tells us that "We do not store any secure information, private keys." and that "We do not transmit any sensitive data over the network."
Well, the private key is sent as part of the URL whenever the wallet is used. I would call the private key very sensitive, even when it is sent encrypted. I don't know enough JavaScript to figure out how secure the encoding is, but I guess there is always a risk of decryption, especially if people select a weak password.
And why is the private key used as part of the URL? Is it decrypted and used server side? Or what? If a unique URL is needed, the public key or a hash of it would be equally good.

xiphon | May 09, 2017, 12:58:17 AM
Quote from: nightraven
Well, the private key is sent as part of the URL whenever the wallet is used. Is it decrypted and used server side?

No, no and ... again .. NO. That is not how the Web Wallet works. We do not store any secure information, private keys. We do not transmit any sensitive data over the network. All of the encryption stuff is done right in a browser tab. The user's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network. Sorry, I do not want to teach you cryptography basics here. If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share your paper/report with the community. That would be a great deal. But for now, please, understand that we can't argue with zero-proof posts like the one you wrote above. Of course, you can do what you want, but it is not widely accepted in the crypto community.

Dermelon | May 09, 2017, 04:24:54 AM
The web wallet is cool. I tried to transfer an account and send PASL, and it succeeded. Good job, dev.

theone211984 (Newbie, Activity: 1, Merit: 0) | May 09, 2017, 06:01:50 AM
How do I send my account to the mobile wallet?
I have an account in the Windows wallet.

adaseb (OP) (Legendary, Activity: 3878, Merit: 1733) | May 09, 2017, 06:50:36 AM
Quote from: theone211984
How do I send my account to the mobile wallet?
I have an account in the Windows wallet.

You can just insert your private key into https://wallet.pascallite.com/#insert after the #, OR just send 1 account to your mobile wallet and then send coins to that account.

ulfsaar | May 09, 2017, 09:39:38 AM
Quote:
Very nice. But I think that all kinds of wallets should be open source. Just to make sure that nothing is going on behind the scenes. ...

Agreed. It will be open source eventually. It's up to the dev to decide. I trust the dev that there's nothing behind the scenes, so we have nothing to worry about. You have to remember forging is done in your browser. People are lingering to take a peek at the code itself. LOLOL

nightraven | May 09, 2017, 10:39:47 AM
Quote from: nightraven
Well, the private key is sent as part of the URL whenever the wallet is used. Is it decrypted and used server side?

Quote from: xiphon
No, no and ... again .. NO. That is not how the Web Wallet works. We do not store any secure information, private keys. We do not transmit any sensitive data over the network. All of the encryption stuff is done right in a browser tab. The user's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network. Sorry, I do not want to teach you cryptography basics here. If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share your paper/report with the community. That would be a great deal. But for now, please, understand that we can't argue with zero-proof posts like the one you wrote above. Of course, you can do what you want, but it is not widely accepted in the crypto community.

I would never ever write as I did without proof, or with "zero-proof" as you write. If you look at this screenshot you will see that the encrypted public key is part of the URL:
Everybody can check and see this in their own web wallet. Just click on Keys in the footer and see for yourself. And just one more proof from the JavaScript itself. A search in the decompressed code gives the following snippet:
}, "Bookmark or write down the current page URL. It will be used to access your wallet the next time. The link is your private key. ", g.default.createElement("br", null), g.default.createElement("br", null), g.default.createElement("small", null, "We do not store any secure information, private keys. ", g.default.createElement("br", null), "We do not transmit any sensitive data over the network."))))),
I repeat: "The link is your private key." I hope this is enough proof. So the private key is sent to the server whenever someone uses the web wallet. And then it is important to know why it should be sent and what it is used for at the server.

ulfsaar | May 09, 2017, 11:49:26 AM
Quote from: nightraven
Well, the private key is sent as part of the URL whenever the wallet is used. Is it decrypted and used server side?

Quote from: xiphon
No, no and ... again .. NO. That is not how the Web Wallet works. We do not store any secure information, private keys. We do not transmit any sensitive data over the network. All of the encryption stuff is done right in a browser tab. The user's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network. Sorry, I do not want to teach you cryptography basics here. If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share your paper/report with the community. That would be a great deal. But for now, please, understand that we can't argue with zero-proof posts like the one you wrote above. Of course, you can do what you want, but it is not widely accepted in the crypto community.

Quote from: nightraven
I would never ever write as I did without proof, or with "zero-proof" as you write. If you look at this screenshot you will see that the encrypted public key is part of the URL:
Everybody can check and see this in their own web wallet. Just click on Keys in the footer and see for yourself. And just one more proof from the JavaScript itself. A search in the decompressed code gives the following snippet:
}, "Bookmark or write down the current page URL. It will be used to access your wallet the next time. The link is your private key. ", g.default.createElement("br", null), g.default.createElement("br", null), g.default.createElement("small", null, "We do not store any secure information, private keys. ", g.default.createElement("br", null), "We do not transmit any sensitive data over the network."))))),
I repeat: "The link is your private key." I hope this is enough proof. So the private key is sent to the server whenever someone uses the web wallet. And then it is important to know why it should be sent and what it is used for at the server.

Don't pay attention to this troll. A troll will be a troll. But this one is a poor troll.

Q_R_V (Sr. Member, Activity: 428, Merit: 250) | May 09, 2017, 01:22:42 PM
|
Nah, he just wants to buy cheap coins, so he is spreading FUD. Remember, every business tactic is valid.

nightraven | May 09, 2017, 01:31:53 PM
Quote from: nightraven
Well, the private key is sent as part of the URL whenever the wallet is used. Is it decrypted and used server side?

Quote from: xiphon
No, no and ... again .. NO. That is not how the Web Wallet works. We do not store any secure information, private keys. We do not transmit any sensitive data over the network. All of the encryption stuff is done right in a browser tab. The user's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network. Sorry, I do not want to teach you cryptography basics here. If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share your paper/report with the community. That would be a great deal. But for now, please, understand that we can't argue with zero-proof posts like the one you wrote above. Of course, you can do what you want, but it is not widely accepted in the crypto community.

Quote from: nightraven
I would never ever write as I did without proof, or with "zero-proof" as you write. If you look at this screenshot you will see that the encrypted public key is part of the URL:
Everybody can check and see this in their own web wallet. Just click on Keys in the footer and see for yourself. And just one more proof from the JavaScript itself. A search in the decompressed code gives the following snippet:
}, "Bookmark or write down the current page URL. It will be used to access your wallet the next time. The link is your private key. ", g.default.createElement("br", null), g.default.createElement("br", null), g.default.createElement("small", null, "We do not store any secure information, private keys. ", g.default.createElement("br", null), "We do not transmit any sensitive data over the network."))))),
I repeat: "The link is your private key." I hope this is enough proof. So the private key is sent to the server whenever someone uses the web wallet. And then it is important to know why it should be sent and what it is used for at the server.

Quote from: ulfsaar
Don't pay attention to this troll. A troll will be a troll. But this one is a poor troll.

I think we should have a serious and fair debate about this security problem without accusations or name calling. I'm not a troll. I don't write anything inflammatory, off-topic or untrue. I report, with proof, something that seems to be insecure and unusual, because private keys normally should be kept private. That is why it is called private. I don't blame anybody. I don't shout scam or fraud. I don't know what it is. I hope it is a simple mistake. I just tell the plain facts as I see them. And it is a fact that the user's public key is exposed because it is used as a link to the server. Nobody can deny that.

adaseb (OP) (Legendary, Activity: 3878, Merit: 1733) | May 09, 2017, 01:46:23 PM (last edit: May 09, 2017, 02:04:26 PM by adaseb)
nightraven, our mobile wallet is no different than https://blockchain.info/wallet/#/ . Millions of people use it, and nobody complains. You make an account and you need to save your Wallet ID and/or seed to be able to access your account. If you forget those or your password, your account is lost forever because they don't store anything on their servers. Just because your private key shows up in the URL doesn't mean it will appear in a Google search. For example, look at http://directory.io : every bitcoin private key in existence is on that website, but does that mean everyone's account is in jeopardy? No. The reason why everybody is upset with your comments is because you are saying all this on conjecture. Like xiphon said before, if you can provide EVIDENCE that there is a security issue we will be more than happy to explain it to you or to fix it. EVIDENCE would be something like you running a packet sniffer and discovering that after you set your password, the private key is sent to the online server. EDIT: Apparently blockchain.info actually does store your wallet on their servers, but it's encrypted with your password. So ignore that comment above... Use Bitaddress.org or megadice.com instead as an example.

nightraven | May 09, 2017, 03:05:19 PM (last edit: May 09, 2017, 03:17:18 PM by nightraven)
Quote from: adaseb
nightraven, our mobile wallet is no different than https://blockchain.info/wallet/#/ . Millions of people use it, and nobody complains. You make an account and you need to save your Wallet ID and/or seed to be able to access your account. If you forget those or your password, your account is lost forever because they don't store anything on their servers. Just because your private key shows up in the URL doesn't mean it will appear in a Google search. For example, look at http://directory.io : every bitcoin private key in existence is on that website, but does that mean everyone's account is in jeopardy? No. The reason why everybody is upset with your comments is because you are saying all this on conjecture. Like xiphon said before, if you can provide EVIDENCE that there is a security issue we will be more than happy to explain it to you or to fix it. EVIDENCE would be something like you running a packet sniffer and discovering that after you set your password, the private key is sent to the online server. EDIT: Apparently blockchain.info actually does store your wallet on their servers, but it's encrypted with your password. So ignore that comment above... Use Bitaddress.org or megadice.com instead as an example.

I admit that there is some security because the user's private key is encrypted. But there is a risk when a decrypted private key is exposed. And the risk depends on the strength of the password the user selects when he encrypts the key. Take a pile of random keys and check them with a password generator and you will see a lot of weak passwords. Your web wallet does not force the user to select a strong password. It accepts a simple password like "123456". I'm of course aware that the URL doesn't appear in a Google search etc. But there is a risk when data are included in the URL. That is why most programmers prefer to use the POST method instead of the GET method when sensitive data are transmitted over the net. It is of course open for discussion how big the risk is.
But we often see that when there is a risk, sooner or later somebody exploits the weakness. And why does the user have to run a risk and use his encrypted private key as a link? If you need a unique link for each user, then the public key or a hash of it would be equally good and risk free to use.

adaseb (OP) (Legendary, Activity: 3878, Merit: 1733) | May 09, 2017, 03:16:52 PM
Quote from: adaseb
nightraven, our mobile wallet is no different than https://blockchain.info/wallet/#/ . Millions of people use it, and nobody complains. You make an account and you need to save your Wallet ID and/or seed to be able to access your account. If you forget those or your password, your account is lost forever because they don't store anything on their servers. Just because your private key shows up in the URL doesn't mean it will appear in a Google search. For example, look at http://directory.io : every bitcoin private key in existence is on that website, but does that mean everyone's account is in jeopardy? No. The reason why everybody is upset with your comments is because you are saying all this on conjecture. Like xiphon said before, if you can provide EVIDENCE that there is a security issue we will be more than happy to explain it to you or to fix it. EVIDENCE would be something like you running a packet sniffer and discovering that after you set your password, the private key is sent to the online server. EDIT: Apparently blockchain.info actually does store your wallet on their servers, but it's encrypted with your password. So ignore that comment above... Use Bitaddress.org or megadice.com instead as an example.

Quote from: nightraven
I admit that there is some security because the user's private key is encrypted. But there is a risk when a decrypted private key is exposed. And the risk depends on the strength of the password the user selects when he encrypts the key. Take a pile of random passwords and check them with a password generator and you will see a lot of weak passwords. Your web wallet does not force the user to select a strong password. It accepts a simple password like "123456". I'm of course aware that the URL doesn't appear in a Google search etc. But there is a risk when data are included in the URL. That is why most programmers prefer to use the POST method instead of the GET method when sensitive data are transmitted over the net.
It is of course open for discussion how big the risk is. But we often see that when there is a risk, sooner or later somebody exploits the weakness. And why does the user have to run a risk and use his encrypted private key as a link? If you need a unique link for each user, then the public key or a hash of it would be equally good and risk free to use.

The private key is not exposed over the internet, even in encrypted form. A connection to the internet is needed to do SPV, which is similar to what Electrum does, so you can see your balance and accounts and be able to send funds without being synced with the blockchain. We can do a "Cold Storage" form of the wallet; however, most won't use that since it's very complex for most individuals. However, if there is enough interest then it will be done in the future.

dongqiang | May 09, 2017, 03:23:21 PM
A clone of PASC, but progressing better than PASC, very good. Even PASC doesn't have a mobile wallet yet!

nightraven | May 09, 2017, 05:03:26 PM
Quote from: adaseb
The private key is not exposed over the internet, even in encrypted form. A connection to the internet is needed to do SPV, which is similar to what Electrum does, so you can see your balance and accounts and be able to send funds without being synced with the blockchain.

It is not true that the private key is not exposed over the internet, even in encrypted form. What you see in the browser's URL or address bar at the top is exactly the request you transmit over the net from the local device to the server. And the encrypted private key is, as everybody can see in the URL bar, used as a link. This request is stored in a lot of places where unauthorized people can get hold of it. Firstly in the user's own browser cache. Secondly in the server's cache, and furthermore in a number of other places. I don't know about bitcoin, but as far as I understand coins based on Pascal Coin, I doubt that it is possible to make a "send to" operation without using the account owner's private key, so I guess that is why you need to get the private key included in the URL. It demands a lot of trust to send you the private key every time the mobile wallet is used, because it eliminates most of the security that is built into Pascal based coins. Well, now I have warned you. And I think you should inform all users of this mobile wallet so they know what kind of risk they run.
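The browser behaviour the two sides are arguing about, as an added example that is not the wallet's code or anyone's post: it uses the standard WHATWG URL class (Node and browsers) to show which parts of a wallet link of the shape given earlier in the thread, https://wallet.pascallite.com/#..., a browser puts into the HTTP request, where the fragment still persists on the device, and a redaction helper for links that get logged or shared. The key material is a constructed placeholder, and the query-string variant is a constructed contrast case, not something the wallet does.

```javascript
// Added example (not the wallet's code): which parts of a wallet link a browser
// sends to the server, using the standard WHATWG URL class available in Node
// and browsers. Link shape follows the thread (https://wallet.pascallite.com/#...);
// the key material below is a constructed placeholder, not a real key.
const SECRET = 'ENCRYPTED-KEY-PLACEHOLDER';                          // constructed stand-in
const FRAGMENT_LINK = `https://wallet.pascallite.com/#${SECRET}`;     // shape used in the thread
const QUERY_LINK = `https://wallet.pascallite.com/?key=${SECRET}`;    // constructed contrast case

// Rebuild the request a browser puts on the wire for a link. Only the path and
// query form the request target; the fragment after '#' is never serialised.
function wireRequestFor(link) {
  const u = new URL(link);
  return `GET ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
}

// Does a given secret string reach the server for this link?
function secretReachesServer(link, secret) {
  return wireRequestFor(link).includes(secret);
}

// What persists on the device: the address bar, history and bookmarks keep the
// full URL, fragment included, and any script running on the page can read
// location.hash. This models that stored record.
function historyEntryFor(link) {
  const u = new URL(link);
  return { url: u.href, fragment: u.hash, holdsFragment: u.hash.length > 1 };
}

// Mitigation when handling such links: drop the fragment before a URL is
// logged, pasted into a bug report or shared; the server-side part is unchanged.
function redactFragment(link) {
  const u = new URL(link);
  u.hash = '';
  return u.href;
}

// Stand-alone demonstration.
console.log(wireRequestFor(FRAGMENT_LINK));
console.log('fragment link puts secret on the wire:', secretReachesServer(FRAGMENT_LINK, SECRET));
console.log('query link puts secret on the wire:   ', secretReachesServer(QUERY_LINK, SECRET));
console.log('device-side record:', historyEntryFor(FRAGMENT_LINK));
console.log('redacted for sharing:', redactFragment(FRAGMENT_LINK));
```

The fragment never reaches the server or its logs, so the exposure to manage is on the device (history, bookmarks, shared links, any script on the page) plus the strength of the password protecting the key.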

ulfsaar | May 09, 2017, 05:53:24 PM
Quote from: adaseb
The private key is not exposed over the internet, even in encrypted form. A connection to the internet is needed to do SPV, which is similar to what Electrum does, so you can see your balance and accounts and be able to send funds without being synced with the blockchain.

Quote from: nightraven
It is not true that the private key is not exposed over the internet, even in encrypted form. What you see in the browser's URL or address bar at the top is exactly the request you transmit over the net from the local device to the server. And the encrypted private key is, as everybody can see in the URL bar, used as a link. This request is stored in a lot of places where unauthorized people can get hold of it. Firstly in the user's own browser cache. Secondly in the server's cache, and furthermore in a number of other places. I don't know about bitcoin, but as far as I understand coins based on Pascal Coin, I doubt that it is possible to make a "send to" operation without using the account owner's private key, so I guess that is why you need to get the private key included in the URL. It demands a lot of trust to send you the private key every time the mobile wallet is used, because it eliminates most of the security that is built into Pascal based coins. Well, now I have warned you. And I think you should inform all users of this mobile wallet so they know what kind of risk they run.

Do not pay attention to this troll. HE only wants to peek at the code. LOL. You sure are a dev? Try creating one that generates everything in the browser, like a paper wallet, and you'll see. Stop this nonsense. IDIOT. You need to upgrade your cryptography knowledge.

loky4i4 (Newbie, Activity: 55, Merit: 0) | May 09, 2017, 06:06:35 PM
How long will PASL be in maintenance on Cryptopia?

seenotaajs (Newbie, Activity: 14, Merit: 0) | May 10, 2017, 07:19:43 AM
Hey adaseb,
I tried to mine Pascal Lite with Claymore's dual miner, but I am losing half of the ETH hashes. When I mine ETH+Decred it doesn't happen.
I know you are not responsible for Claymore's miner, but I wanted to get some advice: how do you set up your miner, or maybe you could paste your .bat file so I can make the necessary adjustments to mine.
I am new to mining, so I'm kind of a noob in all these questions. I am using an RX 570 card and getting 23 MH/s for ETH, but when mining Pascal I get 13.5 for ETH and 400 for Pascal.
Thanks in advance.

busara (Newbie, Activity: 35, Merit: 0) | May 10, 2017, 09:40:36 AM
Quote:
I didn't get in until late, so I guess my question is this:
If adaseb isn't going to work on the coin anymore, isn't it not worth mining now? I think he said he did it just for fun.
Maybe scratch this one and start a different one? Just some thoughts...
Isn't the whole point to get the coin on an exchange so others can buy/sell that don't want to mine it? If dev work won't continue, I guess I don't see the reason for relaunching.

Exactly, the dev is abandoning the coin, so why would you keep mining? We cannot copy others in our effort because we want to go to the top level of progress.

ulfsaar | May 10, 2017, 09:42:01 AM
Quote:
I didn't get in until late, so I guess my question is this:
If adaseb isn't going to work on the coin anymore, isn't it not worth mining now? I think he said he did it just for fun.
Maybe scratch this one and start a different one? Just some thoughts...
Isn't the whole point to get the coin on an exchange so others can buy/sell that don't want to mine it? If dev work won't continue, I guess I don't see the reason for relaunching.

Quote from: busara
Exactly, the dev is abandoning the coin, so why would you keep mining? We cannot copy others in our effort because we want to go to the top level of progress.

Why resurrect an ancient post?