Thanks to everyone for their feedback. We give below a brief description of Unowallet.
How Unowallet works?- When a full Unowallet url is accessed (e.g., uno-wallet.com/wallet/SomeSecretString), the string after wallet/ is used to generate a private key in a deterministic way. The corresponding bitcoin address is then computed. Finally, the unspent outputs for that address are obtained and the balance computed. The wallet literally exists only when the url is open in the user's browser. The server never stores anything (urls/private keys/addresses) after that.
Unowallet only allows https urls, so this string is always sent encrypted over the network. No one except your browser and our server have access to this string. Unowallet accepts any ASCII alphanumeric string of up to 50 characters. If this string is generated truly randomly, there is almost zero chance of someone guessing or bruteforcing it (see next point). [/i][/b]
- When bare Unowallet url is visited (i.e.. uno-wallet.com/wallet or uno-wallet.com), a random 50 character string is generated automatically for the user to form a full url. Again, this string never travels over the network unencrypted. Only your browser and our server have access to this in plaintext.
There are approximately 2298 strings of 50 alphanumeric characters. So the chance of someone guessing any url generated by our site is very low. In particular, using the birthday problem, even if we generate 2100 urls, the probability of at least one collision is only about 2-99.
Of course, you are free to use any string after wallet/ as long as you ensure that it is hard to guess. For example, do not use a url such as uno-wallet.com/wallet/SatoshiNakamoto
Recommended way to use unowallet:- Use TOR for added privacy. Our server will not know your real IP address.
- Do not use any proxy servers to access unowallet.
- Always access it from a secure computer (no viruses/browser extensions).
- Always keep the url with you in a safe place. Email it to yourself if necessary.
- Save also the private key so you are not tied to unowallet when spending funds. In fact, save the entire page, which contains all the necessary information.
- Unowallet is designed for those people who need an instant address for receiving funds that they plan to move somewhere else soon afterwards. We do not recommend storing large amount there.
Are my coins really safe in Unowallet?Although Unowallet is one of the easiest and fastest wallets to use (and its free!), it should be used only by people who have some knowledge about Bitcoin and know basic concepts of security. Several things can go wrong and cause you to lose your bitcoins.
What can go wrong? These are some ways in which your wallet/url can be compromised:
- Virus/trojans can capture every url you visit.
- Browser extensions may log urls and forward to 3rd party sites (such as Google) for indexing.
- You use an easily guessable url.
- You use a url sent by (or shared with) someone else.
- You use a url found from a search engine.
We will probably not be able to help you out if you lose funds due to any of the above. Nevertheless, if such incidents happen, please do email us with details.
How is Unowallet different from other 'instant' wallets? In a few ways: (1) Unowallet is entirely stateless. We do not store anything that can be used by an attacker to obtain the private key of a Unowallet address, should our site be hacked.
(2) We also give you the private key to your address when you access a wallet (which you must save!), so you have full control of the funds in that address. (3) Unowallet transactions are 'on-chain'.
What about passwords/2FA/etc? Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called
Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc.
Disclaimer: Unowallet service is provided
AS IS. This implies that we are not liable for any bitcoins you lose via Unowallet, irrespective of whether it is our fault or not.
Am not sure if i understand correctly here when you say
Unowallet only allows https urls, so this string is always sent encrypted over the network but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)
URL encryption is done only during IPSEC tunneling (eg : VPN).
The URL's are logged by user's browsers, intermediate ISP server logs and destination server logs and all the servers in between.
Sending anything critical via the URL is a very bad idea. Part of my masters project was based on breaking the AES encryption of the users accessing secure sites within the same LAN.
That is the reason, sites don't send user's PII (Personally Identifiable Information) using GET request (in URL).
Don't send anything critical via the URL. Make sure you send it as POST request within the HTTP packet and not in HTTP header.
P.S : If i have helped, then my btc address is in my signature. Tips are always welcome.
Thanks,
