Bitcoin Forum
November 15, 2018, 06:08:05 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Is it my understanding or Jaxx being pants?  (Read 1099 times)
DevaVictrix
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
June 17, 2017, 09:38:00 AM
 #1

I think I have questions about Jaxx because its buggy but before I migrate I thought i'd make sure it isn't me being dumb! I only started out with cryptocurrencys 5-6 days ago and have only amounted £20 so if my inexperience is going to lose me money it's best done now!

When searching for a wallet/s I quickly learned that downloading the full node for each respective currency is a sure way to fill up my 128gb harddrive. After lots and lots of googling I settled with Jaxx. I understand it as a wallet that doesn't require you to download the full node, the private keys are stored locally and that it supports multi-currencys. I am interested in BTC, ETH and ZEC.

First quick question... If the private keys are stored locally how come when I installed Jaxx on my android phone did I just have to enter the 12 word pass phrase to get access to my private keys? They must have been downloaded from somewhere which means they are stored at a location other than 'local'. Is this a vulnerability (surely, 'Yes' ?). Jaxx was reported to have been insecure earlier this week but I dont know exactly how. Some of what I have read seems to suggest the security issue comes from thieves accessing your harddrive for the 12 word pass phrase. Most of my reading was on forums, and news websites I have never heard of so I concluded I might be contaminating my mind with potentially misinformation and just swallowed that Jaxx could be insecure. I'm assuming the locally stored private keys are kept in C:\Users\%User%\AppData\Roaming\Jaxx. Does my encrypted C: help my security? Couldn't the developers just code Jaxx so that this folder can be kept on a USB stick so that the private keys are offline until you need to use them?

My frustration with Jaxx started yesterday when I tried to use Shapeshift to exchange some ZEC for ETH. The transaction debited my ZEC wallet and I knew I would have to wait a little while for it to appear in my ETH wallet. So I went to bed only to find this morning that the ZEC had been returned to my ZEC wallet and nothing credited to my ETH wallet. The transaction failed. No real loss to me other than ETH was a relatively good price given my point of entry to the cryptocurrency game. But I cant find any record of the attempted exchange or the return of the ZEC. The transaction history in Jaxx only shows the very first payment from the pool. So I reset the Jaxx cache. Still only one entry in the transaction history only now its the most recent payment from the pool, oh and the value of my ZEC coins now says £0.00. The ZEC balance is there (all of what I have mined) but no figure for £ or $. Long story short... bar a few minor differences, the same happened with the Jaxx android app too. I have typed my public address into the ZCash block explorer and it reports 6 transactions received but nothing sent. I kind of expected to 1 sent (my exchange) and 7 received (my 6 pool payments and the returned exchange).

Another thing that has me scratching my head is when I view my private keys. When I first tried mining to my wallet address. It failed, it wouldn't mine. So I clicked on 'view private keys' and there were two private keys, each with a different public key. I just selected one the of the public keys and mined to that. Its been working fine. I have read that its a good idea to change the wallet address for each transaction so expected this to change after each transaction. Sure enough this has changed but its changed to the other public key (the one I didn't use to mine to). I'm confused by this because that new wallet address is an existing public key that is derived from a different private key. I thought that your wallet has/is a private key. From this, you get a public key and from that you get a wallet address. Even if the public key changes too I expected the private key to always be the same. Is this normal?

Is Jaxx just buggy and worth steering clear of? Am I just not well enough read. Or both!? I suspect both but Jaxx really isnt helping my understanding.

Am I right to expect just one private key with a public that may, or may not, change and a wallet address that does change after each transaction.
Should I expect to see a complete list of all transactions made to and from my wallet or just the most recent since a cache reset?
Does a failed/returned transaction get logged as a transaction so that the attempt can be traced?
Where are the public and private keys actually stored? I thought on my C: so how are they now viewable on my phone after only entering the 12 word passphrase.

(The convenience of only having to remember the passphrase is great (no backing up of files, and backing up the backup etc!) but it seems to me that you can access all my crypto-wealth by forcing the discovery of the 12 word passphrase. Couldn't you just write some code to punch in 12 word combos repeatedly until you hit gold? There are only so many words in English dictionary. EDIT, well 171,476, but as time goes on there will be a lot of wallets created and thus increasing the chances of finding an active combination. EDIT again, actually, there are about 1.348x10^54 combinations! Quite a few!)



 

 
 
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1542305285
Hero Member
*
Offline Offline

Posts: 1542305285

View Profile Personal Message (Offline)

Ignore
1542305285
Reply with quote  #2

1542305285
Report to moderator
HI-TEC99
Legendary
*
Offline Offline

Activity: 1372
Merit: 1041



View Profile
June 17, 2017, 02:02:52 PM
 #2

Apparently there is a ‘vulnerability’ in Jaxx that hackers used to steal $400,000 of coins held in their wallets. I wouldn't consider using it unless that gets fixed.

Reports are surfacing of a ‘vulnerability’ in Jaxx wallet leading to at least $400,000 customer funds being stolen.

A report on the insufficient wallet backup phrase storage methods this weekend has now updated to include reports that hackers are already exploiting the problem to steal cryptocurrency from users.



After you read the whole article[1], you will come up with the decision of not using this wallet again (most likely). Basically, they have no plans to alter or change the security setup of their wallet. I'd recommend everyone to either stop using this wallet or simply stop storing large amounts.

[1] https://cointelegraph.com/news/jaxx-wallet-vulnerability-users-report-400k-funds-thefts

Also Jaxx is buggy. Try reading the problem discussed in this thread.

https://bitcointalk.org/index.php?topic=1841007.0
HCP
Hero Member
*****
Offline Offline

Activity: 784
Merit: 951

<insert witty quote here>


View Profile
June 18, 2017, 04:41:59 AM
 #3

When searching for a wallet/s I quickly learned that downloading the full node for each respective currency is a sure way to fill up my 128gb harddrive.
Yeah, just the bitcoin blockchain will eat up around 120gigs on it's own Wink If you are storage space limited, you definitely want to be looking at "SPV" or "light" wallets.

Quote
First quick question... If the private keys are stored locally how come when I installed Jaxx on my android phone did I just have to enter the 12 word pass phrase to get access to my private keys? They must have been downloaded from somewhere which means they are stored at a location other than 'local'. Is this a vulnerability (surely, 'Yes' ?).
No. They are not downloaded from somewhere. Seeds work by using the 12 'random' words out of a defined list of 2048 words to calculate a (very large) random number. This is your 'seed'. All of your private keys/addresses are then calculated from this seed in a deterministic and repeatable way.

Quote
Jaxx was reported to have been insecure earlier this week but I dont know exactly how. Some of what I have read seems to suggest the security issue comes from thieves accessing your harddrive for the 12 word pass phrase. Most of my reading was on forums, and news websites I have never heard of so I concluded I might be contaminating my mind with potentially misinformation and just swallowed that Jaxx could be insecure. I'm assuming the locally stored private keys are kept in C:\Users\%User%\AppData\Roaming\Jaxx. Does my encrypted C: help my security? Couldn't the developers just code Jaxx so that this folder can be kept on a USB stick so that the private keys are offline until you need to use them?
They could just as easily implement a password/passphrase functionality into the Jaxx application that encrypts your wallet file instead of leaving your 12 word seed in plain text for hackers to come and steal... but apparently they were "happy with the way things were"... this may have changed after all the publicity and backlash from their userbase.

Essentially the vulnerability stems from the fact that your 12 word seed is very easy to retrieve from your wallet file if a hacker gains access to your system.

Quote
My frustration with Jaxx started yesterday when I tried to use Shapeshift to exchange some ZEC for ETH. The transaction debited my ZEC wallet and I knew I would have to wait a little while for it to appear in my ETH wallet. So I went to bed only to find this morning that the ZEC had been returned to my ZEC wallet and nothing credited to my ETH wallet. The transaction failed. No real loss to me other than ETH was a relatively good price given my point of entry to the cryptocurrency game. But I cant find any record of the attempted exchange or the return of the ZEC. The transaction history in Jaxx only shows the very first payment from the pool. So I reset the Jaxx cache. Still only one entry in the transaction history only now its the most recent payment from the pool, oh and the value of my ZEC coins now says £0.00. The ZEC balance is there (all of what I have mined) but no figure for £ or $. Long story short... bar a few minor differences, the same happened with the Jaxx android app too. I have typed my public address into the ZCash block explorer and it reports 6 transactions received but nothing sent. I kind of expected to 1 sent (my exchange) and 7 received (my 6 pool payments and the returned exchange).
Sounds like your transaction sending to ShapeShift never confirmed or was rejected by the network... like most blockchain related transactions, if it isn't actually recorded into the blockchain (by being confirmed in a block) then your transaction doesn't exist. This is why there is no record of it in your account... because there is no actual record of it. Why that might be, I couldn't say, you'd need to contact Jaxx and/or ShapeShift Support and see if they can explain why your transaction failed.

Quote
Another thing that has me scratching my head is when I view my private keys. When I first tried mining to my wallet address. It failed, it wouldn't mine. So I clicked on 'view private keys' and there were two private keys, each with a different public key. I just selected one the of the public keys and mined to that. Its been working fine. I have read that its a good idea to change the wallet address for each transaction so expected this to change after each transaction. Sure enough this has changed but its changed to the other public key (the one I didn't use to mine to). I'm confused by this because that new wallet address is an existing public key that is derived from a different private key. I thought that your wallet has/is a private key. From this, you get a public key and from that you get a wallet address. Even if the public key changes too I expected the private key to always be the same. Is this normal?
Your understanding of HD (Hierarchically Deterministic) wallets and private keys is a bit lacking... an HD wallet, as I explained above, uses a "seed". From this starting point... all your private keys (and matching public keys/addresses) are then calculated.

Every address has it's own matching private key... they are often referred to as a "private key/address pair".

Your wallet is really just a collection of private keys. Most of the HD wallets will automatically generate a new address, when the previous address gets "used" to try and minimise address re-use (what you read about it being a good idea to change wallet addresses etc). So what has happened, is that after the one you selected received some coin from your mining, the wallet automatically switched to the next unused address. If you were to send some coins to that address, the wallet would automatically generate a new private key/address pair and give you a 3rd public key.

So, your "seed" will always stay the same... but each public key/address has it's own private key.


Quote
Is Jaxx just buggy and worth steering clear of? Am I just not well enough read. Or both!? I suspect both but Jaxx really isnt helping my understanding.
My personal opinion is that Jaxx is not a great wallet... But that is mostly because it isn't suitable for me and my use cases. I don't really deal much with altcoins and mostly just use BTC... so my needs are different to yours.

Quote
Am I right to expect just one private key with a public that may, or may not, change and a wallet address that does change after each transaction.
No. As explained, private key -> public key/wallet address.

If the public key (aka wallet address) has changed, so has the private key. Your wallet is just a collection of private keys.

Quote
Should I expect to see a complete list of all transactions made to and from my wallet or just the most recent since a cache reset?
Does a failed/returned transaction get logged as a transaction so that the attempt can be traced?
You should expect to see all transactions that are recorded in the blockchain for your private keys/addresses. If the transaction failed and nothing got confirmed into the blockchain, the transaction effectively "never existed".

Quote
(The convenience of only having to remember the passphrase is great (no backing up of files, and backing up the backup etc!) but it seems to me that you can access all my crypto-wealth by forcing the discovery of the 12 word passphrase. Couldn't you just write some code to punch in 12 word combos repeatedly until you hit gold? There are only so many words in English dictionary. EDIT, well 171,476, but as time goes on there will be a lot of wallets created and thus increasing the chances of finding an active combination. EDIT again, actually, there are about 1.348x10^54 combinations! Quite a few!)
It isn't quite that high... it should be more like: 2048 * 2047 * 2046 * 2045 * 2044 * 2043 * 2042 * 2041 * 2040 * 2039 * 2037 * 2038 = 5.27x1039

Most wallets don't repeat words in seeds as far as I know... but there isn't anything stopping that... so Danny's maths here: https://bitcointalk.org/index.php?topic=1623339.msg16320050#msg16320050 would probably be more accurate.

DevaVictrix
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
June 18, 2017, 10:16:28 AM
 #4

Thank you for spending the time to reply to my ranty OP!

I think from what I have read here, and elsewhere, I need to ditch Jaxx. I like the interface and features but it has gotten even buggier for me (It wont even show the exchange rates for ShapeShift now). Now I understand how a 'seed' works it begs belief you can't password protect it. I guess I was wooed by being able to have ETH, BTC and ZEC in one place that could synch between my phone and desktop and enable quick and easy use of ShapeShift. I'm going to have to buy some drives and download the blockchains, at least until its worth me transferring to a paper wallet and hiding it under the bed!

Your understanding of HD (Hierarchically Deterministic) wallets and private keys is a bit lacking... an HD wallet, as I explained above, uses a "seed". From this starting point... all your private keys (and matching public keys/addresses) are then calculated.

Every address has it's own matching private key... they are often referred to as a "private key/address pair".

Your wallet is really just a collection of private keys. Most of the HD wallets will automatically generate a new address, when the previous address gets "used" to try and minimise address re-use (what you read about it being a good idea to change wallet addresses etc). So what has happened, is that after the one you selected received some coin from your mining, the wallet automatically switched to the next unused address. If you were to send some coins to that address, the wallet would automatically generate a new private key/address pair and give you a 3rd public key.

So, your "seed" will always stay the same... but each public key/address has it's own private key.

Thank you, these few sentences have made things so much clearer!

Quote
It isn't quite that high... it should be more like: 2048 * 2047 * 2046 * 2045 * 2044 * 2043 * 2042 * 2041 * 2040 * 2039 * 2037 * 2038 = 5.27x1039

Most wallets don't repeat words in seeds as far as I know... but there isn't anything stopping that... so Danny's maths here: https://bitcointalk.org/index.php?topic=1623339.msg16320050#msg16320050 would probably be more accurate.

I didn't consider the re-use of words. 1x1054 is big.... astronomical you could say, but so is 1039!

There's some great info here that has helped me a lot. I hope it can help others too.

Thank you.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!