Bitcoin Forum
December 11, 2024, 10:42:43 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: UnoWallet - Instant Bitcoin Wallet  (Read 4758 times)
americandesi
Hero Member
*****
Offline Offline

Activity: 518
Merit: 500


BTC < > INR & USD


View Profile
October 28, 2013, 04:06:02 PM
 #21

Thanks to everyone for their feedback. We give below a brief description of Unowallet.

How Unowallet works?
    • When a full Unowallet url is accessed (e.g., uno-wallet.com/wallet/SomeSecretString),  the string after wallet/ is used to generate a private key in a deterministic way. The corresponding bitcoin address is then computed. Finally, the unspent outputs for that address are obtained and the balance computed. The wallet literally exists only when the url is open in the user's browser. The server never stores anything (urls/private keys/addresses) after that.

      Unowallet only allows https urls, so this string is always sent encrypted over the network. No one except your browser and our server have access to this string. Unowallet accepts any ASCII alphanumeric string of up to 50 characters. If this string is generated truly randomly, there is almost zero chance of someone guessing or bruteforcing it (see next point). [/i][/b]

    • When bare Unowallet url is visited (i.e.. uno-wallet.com/wallet or uno-wallet.com), a random 50 character string is generated automatically for the user to form a full url. Again, this string never travels over the network unencrypted. Only your browser and our server have access to this in plaintext.

      There are approximately 2298 strings of 50 alphanumeric characters. So the chance of someone guessing any url generated by our site is very low. In particular, using the birthday problem, even if we generate 2100 urls, the probability of at least one collision is only about 2-99.

      Of course, you are free to use any string after wallet/ as long as you ensure that it is hard to guess. For example, do not use a url such as uno-wallet.com/wallet/SatoshiNakamoto

    Recommended way to use unowallet:
    • Use TOR for added privacy. Our server will not know your real IP address.
    • Do not use any proxy servers to access unowallet.
    • Always access it from a secure computer (no viruses/browser extensions).
    • Always keep the url with you in a safe place. Email it to yourself if necessary.
    • Save also the private key so you are not tied to unowallet when spending funds. In fact, save the entire page, which contains all the necessary information.
    • Unowallet is designed for those people who need an instant address for receiving funds that they plan to move somewhere else soon afterwards. We do not recommend storing large amount there.

    Are my coins really safe in Unowallet?
    Although Unowallet is one of the easiest and fastest wallets to use (and its free!), it should be used only by people who have some knowledge about Bitcoin and know basic concepts of security. Several things can go wrong and cause you to lose your bitcoins.

    What can go wrong? These are some ways in which your wallet/url can be compromised:
    - Virus/trojans can capture every url you visit.
    - Browser extensions may log urls and forward to 3rd party sites (such as Google) for indexing.
    - You use an easily guessable url.
    - You use a url sent by (or shared with) someone else.
    - You use a url found from a search engine.

    We will probably not be able to help you out if you lose funds due to any of the above. Nevertheless, if such incidents happen, please do email us with details.

    How is Unowallet different from other 'instant' wallets?
    In a few ways: (1) Unowallet is entirely stateless. We do not store anything that can be used by an attacker to obtain the private key of a Unowallet address, should our site be hacked.
    (2) We also give you the private key to your address when you access a wallet (which you must save!), so you have full control of the funds in that address. (3) Unowallet transactions are 'on-chain'.

    What about passwords/2FA/etc?
    Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc. 


    Disclaimer:
    Unowallet service is provided AS IS. This implies that we are not liable for any bitcoins you lose via Unowallet, irrespective of whether it is our fault or not.


    Am not sure if i understand correctly here when you say Unowallet only allows https urls, so this string is always sent encrypted over the network but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
    In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

    URL encryption is done only during IPSEC tunneling (eg : VPN).

    The URL's are logged by user's browsers, intermediate ISP server logs and destination server logs and all the servers in between.

    Sending anything critical via the URL is a very bad idea. Part of my masters project was based on breaking the AES encryption of the users accessing secure sites within the same LAN.

    That is the reason, sites don't send user's PII (Personally Identifiable Information) using GET request (in URL).
    Don't send anything critical via the URL. Make sure you send it as POST request within the HTTP packet and not in HTTP header.

    P.S : If i have helped, then my btc address is in my signature. Tips are always welcome.
    Thanks,

    Always buying and selling btc in bulk.!
    Have I helped you out?  Send a donation! : 1ADesitf6McNmFw5wAN1y86bvyHLB5gR6P
    My Reputation Thread : https://bitcointalk.org/index.php?topic=252042.0
    Abdussamad
    Legendary
    *
    Offline Offline

    Activity: 3710
    Merit: 1586



    View Profile
    October 28, 2013, 07:49:27 PM
     #22

    but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
    In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

    URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

    http://stackoverflow.com/questions/499591/are-https-urls-encrypted

    This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

    URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.
    Benson Samuel
    Legendary
    *
    Offline Offline

    Activity: 1890
    Merit: 1000


    Landscaping Bitcoin for India!


    View Profile WWW
    October 28, 2013, 09:14:18 PM
     #23

    but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
    In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

    URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

    http://stackoverflow.com/questions/499591/are-https-urls-encrypted

    This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

    URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

    The URL can be viewed/ stored by firewalls, gateways, etc... The information passed between is encrypted.

    In the case of a URL wallet without additional protection, this is as good as passing a password across in cleartext.

    If I am not wrong, your server stores all URL's accessed from the domain.

    americandesi
    Hero Member
    *****
    Offline Offline

    Activity: 518
    Merit: 500


    BTC < > INR & USD


    View Profile
    October 28, 2013, 10:25:39 PM
     #24

    but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
    In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

    URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

    http://stackoverflow.com/questions/499591/are-https-urls-encrypted

    This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

    URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

    This is definitely False. If you have access to any webserver, please go through the access logs.
    My statement still holds good. URLS ARE NOT ENCRYPTED IN SSL V3.0 / TLS 1.0 / 1.1

    If you want to test it yourlself, then use a free tool called BURP Proxy from Port Swigger.

    1) Install or RUN it on your laptop / Desktop (By default it listens on 127.0.0.1:8080)
    2) Open up Firefox or any of your browser (In network connections, configure your browser to pass through this proxy 127.0.0.1:8080)
    3) Now access gmail or any HTTPS site or for that matter unowallet.
    4) You will see for yourself. If you want clarification, come back and post the results and i can explain it in detail.

    Always buying and selling btc in bulk.!
    Have I helped you out?  Send a donation! : 1ADesitf6McNmFw5wAN1y86bvyHLB5gR6P
    My Reputation Thread : https://bitcointalk.org/index.php?topic=252042.0
    Abdussamad
    Legendary
    *
    Offline Offline

    Activity: 3710
    Merit: 1586



    View Profile
    October 28, 2013, 10:31:14 PM
     #25

    but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
    In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

    URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

    http://stackoverflow.com/questions/499591/are-https-urls-encrypted

    This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

    URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

    This is definitely False. If you have access to any webserver, please go through the access logs.
    My statement still holds good. URLS ARE NOT ENCRYPTED IN SSL V3.0 / TLS 1.0 / 1.1


    URLs are encrypted. Why do you persist in spouting nonsense? And as far as web servers go I've stated clearly above that the destination server may keep logs of the URLs. You've even quoted that without reading it.
    UnoWallet
    Newbie
    *
    Offline Offline

    Activity: 6
    Merit: 0


    View Profile
    October 30, 2013, 07:52:07 AM
    Last edit: October 30, 2013, 12:53:26 PM by UnoWallet
     #26

    Thanks to americandesi and Abdussamad for their feedback on the security of unowallet.

    Below is a summary of possible known methods of url leakage from what I understood from this:

    1. Server logs: we are in control of the logs, so I would not worry too much about it.
    2. Browser extensions, toolbars and plugins: user is in control of it and we expect the user should have basic knowledge of their own system before using unowallet.
    If you believe your wallet is compromised due to this, please "abandon" that wallet and get a new one (by visiting the unowallet bare url) and then transfer your funds to the new one.
    3. Referer headers: this is the most important issue I could get from this. Fortunately Unowallet currently does not refer to any 3rd party sites. However, every developer needs to be aware of it when storing secrets in URLs. We will not put any 3rd party links on Unowallet.

    It is a good practice to frequently change (get a new) unowallet url  (by visiting a bare url) and never using the old one again. This is akin to changing passwords frequently. Also, it is never a good practice to store any large amount in URL wallets.



    btc_enigma
    Hero Member
    *****
    Offline Offline

    Activity: 692
    Merit: 569


    View Profile
    October 30, 2013, 02:00:32 PM
     #27

    Hi guys,
    I like the idea, here are few of my concerns :

    1. Adding a "Copy" private key is not a good idea. If you have some evil flash objects and slightly stupid user , you private key is gone. http://sdqali.in/blog/2013/04/05/clipboard-javascript/ . I dont think we should encourage user to put private keys in clipboard. Downloading a wallet file is a better option
    2. Another concern/question is what entropy source are you using to automatically create the 50 chars long string ?Are you making sure there is enough entropy
    3. What algorithm are using to create private key from the 50 char string? If you are doing sha 256 like http://brainwallet.org/, it makes no sense to randomize 50 char string, you can limit yourself to 8 characters.

    Go Bitcoin!

    Pages: « 1 [2]  All
      Print  
     
    Jump to:  

    Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!