leeroyspenken (OP)
Newbie
 Offline
Activity: 9
Merit: 0
|
 |
February 21, 2018, 01:52:44 PM |
|
Hi everyone, electrum newbie here wondering about how safe it is to sign transactions. My actual cold storage wallet was created on bootable USB with tails absolutely no internet. In the scenario where I would need to send coins I go on separate online computer on watch-only address, put the unsigned transaction on my USB and put it on the computer running Tails to sign it offline.
The concern I have is what if I had some kind of malware on the online computer, could it potentially attach to the unsigned transaction file and try to steal my private key when I put the USB in my cold storage device to sign the transaction offline? The malware could potentially take my key/seed and put it on the signed transaction file then, then when I go to broadcast the payment on the online computer I could be compromised.
I make sure to enter my seed in Electrum on the offline computer before I put the USB with the unsigned transaction file in it, but even then I'm not sure if there is malware capable of grabbing my private key even after I entered the key/seed and am in the wallet. From what I have seen of people having Electrum wallet hacked it usually happens when they download from a false source, I would assume the phony electrum just keylogs the persons seed and then sends it off to the attacker but is there other attacks I have to worry about other than a keylog? Hopefully this question makes sense, i probably sound super paranoid but I don't want to take any chances.
|
|
|
|
|
|
|
|
Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
aplistir
|
|
February 21, 2018, 04:01:36 PM |
|
First off. Yes there are viruses that are capable of doing as you described. Infecting the USB-stick and stealing your private key from your offline computer.
However. It is quite unlikely you would have one of those.
The best solution is transferring the unsigned (and signed) transaction with a webcam. This can be easily done with the help of QR-codes. for example in linux there is a handy program called qrencode, that can create qr-codes from any text...
|
My Address: 121f7zb2U4g9iM4MiJTDhEzqeZGHzq5wLh
|
|
|
hatshepsut93
Legendary
Offline
Activity: 2954
Merit: 2145
|
|
February 21, 2018, 04:15:50 PM
Last edit: February 21, 2018, 06:37:05 PM by hatshepsut93 |
|
Hi everyone, electrum newbie here wondering about how safe it is to sign transactions. My actual cold storage wallet was created on bootable USB with tails absolutely no internet. In the scenario where I would need to send coins I go on separate online computer on watch-only address, put the unsigned transaction on my USB and put it on the computer running Tails to sign it offline.
The concern I have is what if I had some kind of malware on the online computer, could it potentially attach to the unsigned transaction file and try to steal my private key when I put the USB in my cold storage device to sign the transaction offline? The malware could potentially take my key/seed and put it on the signed transaction file then, then when I go to broadcast the payment on the online computer I could be compromised.
I make sure to enter my seed in Electrum on the offline computer before I put the USB with the unsigned transaction file in it, but even then I'm not sure if there is malware capable of grabbing my private key even after I entered the key/seed and am in the wallet. From what I have seen of people having Electrum wallet hacked it usually happens when they download from a false source, I would assume the phony electrum just keylogs the persons seed and then sends it off to the attacker but is there other attacks I have to worry about other than a keylog? Hopefully this question makes sense, i probably sound super paranoid but I don't want to take any chances.
This scenario is very unlikely, since most malware writers are focusing on popular platforms and not some rare cases. But you can also reduce the risk of such malware by following this protocol: 1. Boot your Tails, insert USB with unsigned transaction, open tx file, copy it to cliboard. 2. Format your USB and unplug it. 3. Now plug another USB that has encrypted wallet files on it, launch Electrum, paste raw transaction from clipboard and sign it. 4. Scan QR code of signed transaction with your phone and broadcast it with official android Electrum wallet. |
|
|
|
leeroyspenken (OP)
Newbie
Offline
Activity: 9
Merit: 0
|
|
February 22, 2018, 04:56:18 PM |
|
Hi everyone, electrum newbie here wondering about how safe it is to sign transactions. My actual cold storage wallet was created on bootable USB with tails absolutely no internet. In the scenario where I would need to send coins I go on separate online computer on watch-only address, put the unsigned transaction on my USB and put it on the computer running Tails to sign it offline.
The concern I have is what if I had some kind of malware on the online computer, could it potentially attach to the unsigned transaction file and try to steal my private key when I put the USB in my cold storage device to sign the transaction offline? The malware could potentially take my key/seed and put it on the signed transaction file then, then when I go to broadcast the payment on the online computer I could be compromised.
I make sure to enter my seed in Electrum on the offline computer before I put the USB with the unsigned transaction file in it, but even then I'm not sure if there is malware capable of grabbing my private key even after I entered the key/seed and am in the wallet. From what I have seen of people having Electrum wallet hacked it usually happens when they download from a false source, I would assume the phony electrum just keylogs the persons seed and then sends it off to the attacker but is there other attacks I have to worry about other than a keylog? Hopefully this question makes sense, i probably sound super paranoid but I don't want to take any chances.
This scenario is very unlikely, since most malware writers are focusing on popular platforms and not some rare cases. But you can also reduce the risk of such malware by following this protocol: 1. Boot your Tails, insert USB with unsigned transaction, open tx file, copy it to cliboard. 2. Format your USB and unplug it. 3. Now plug another USB that has encrypted wallet files on it, launch Electrum, paste raw transaction from clipboard and sign it. 4. Scan QR code of signed transaction with your phone and broadcast it with official android Electrum wallet. Good idea but i think im just gonna manually type the tx file on the offline computer to avoid having to put a 2nd USB in.... also I dont have android so is there an official apple electrum wallet or do i have to use an emulator? |
|
|
|
|
hatshepsut93
Legendary
Offline
Activity: 2954
Merit: 2145
|
|
February 22, 2018, 07:21:20 PM |
|
Good idea but i think im just gonna manually type the tx file on the offline computer to avoid having to put a 2nd USB in.... also I dont have android so is there an official apple electrum wallet or do i have to use an emulator?
I'd say manually typing raw hex data can be a bit risky, because there's some chance that you will make a mistake that will still result in valid transactions that can be broadcasted. The method suggested by aplistir - using dedicated digital camera for transferring QR codes to offline machine is considered the safest solution by many users who researched this topic. |
|
|
|
pooya87
Legendary
Offline
Activity: 3430
Merit: 10504
|
|
February 23, 2018, 04:29:01 AM |
|
~
Good idea but i think im just gonna manually type the tx file on the offline computer to avoid having to put a 2nd USB in.... also I dont have android so is there an official apple electrum wallet or do i have to use an emulator?
usually bitcoin transactions are about 226 bytes but it can be a lot bigger if you have multiple inputs. that is 452 hexadecimal characters! it is very tough to type that manually. if you are handling large amount of bitcoin, setting up a Webcam (buy one if you don't have it already) and reading QR codes is the best option for your cold storage. and you don't need Electrum on your phone, you just have to transfer a "picture" which is the QR code of the raw unsigned transaction. in any case unfortunately there is no Electrum for Apple. i remember they promised to add it but it was last year! |
.
.BLACKJACK ♠ FUN. | | | ███▄██████
██████████████▀
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
█████████████████▄
░██████████████▀
████████████
███████████████░██
██████████ | | CRYPTO CASINO &
SPORTS BETTING | | │ | | │ | ▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
███████████████████ | | .
|
|
|
|
bob123
Legendary
Offline
Activity: 1624
Merit: 2481
|
|
February 24, 2018, 05:09:02 PM |
|
The concern I have is what if I had some kind of malware on the online computer, could it potentially attach to the unsigned transaction file and try to steal my private key when I put the USB in my cold storage device to sign the transaction offline? The malware could potentially take my key/seed and put it on the signed transaction file then, then when I go to broadcast the payment on the online computer I could be compromised.
I make sure to enter my seed in Electrum on the offline computer before I put the USB with the unsigned transaction file in it, but even then I'm not sure if there is malware capable of grabbing my private key even after I entered the key/seed and am in the wallet.
This is indeed possible. This won't be some random malware you will grab accidentally. Something like this would be used in an directed attack if the potential gain is incentive enough. I don't like using USB sticks for cold storage. Way too much space for malware. Theoretically you would just need some data storage which is only just big enough to store the (unsigned) transaction. If you think a bit less conservative, why not a punched card (~80 byte capacity per card). The signed transaction can be easily shown as a QR code on screen and then scanned with a mobile or webcam of an online PC to broadcast it. |
|
|
|
Love and Freedom
Newbie
Offline
Activity: 6
Merit: 0
|
|
February 25, 2018, 04:09:21 PM |
|
I'm signing my transactions offline, doing cold storage.
But I'm wondering how malware on an online computer could steel private keys from an Electrum hot wallet that is encrypted and password protected.
|
|
|
|
|
TryNinja
Legendary
Offline
Activity: 2814
Merit: 6971
|
|
February 25, 2018, 04:41:28 PM |
|
I'm signing my transactions offline, doing cold storage.
But I'm wondering how malware on an online computer could steel private keys from an Electrum hot wallet that is encrypted and password protected.
There are many possible ways. 1. Get your wallet file and password (with a keylogger). 2. Install a fake Electrum in your computer. 3. Change the address you have in your clipboard to his own. So if you don't pay attention, you can end up sending the coins to the hacker's address. etc... |
.
.HUGE. | | | | | | █▀▀▀▀
█
█
█
█
█
█
█
█
█
█
█
█▄▄▄▄ | ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
CASINO & SPORTSBOOK
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ | ▀▀▀▀█
█
█
█
█
█
█
█
█
█
█
█
▄▄▄▄█ | | |
|
|
|
Love and Freedom
Newbie
Offline
Activity: 6
Merit: 0
|
|
February 27, 2018, 08:42:25 AM |
|
Thanks TryNinja.
It seems to me that 1) (the keylogger) is the only threat from your list that is specific to a hot wallet.
A fake Electrum could also steel my private keys from an offline computer (as it is installed there and interchanges data with the online Electrum).
The clipboard virus is not specific to a hot wallet either as it doesn't matter if I sign a transaction with a hacker's recipient address online or offline.
So if I'm always using the Windows "On-Screen Keyboard" instead of using the keys on the keyboard then my encrypted, password protected hot wallet is as safe (or unsafe) as cold storage? Or are there any other threats specific to hot wallets?
|
|
|
|
|
|
|
bob123
Legendary
Offline
Activity: 1624
Merit: 2481
|
|
February 28, 2018, 05:23:40 PM |
|
So if I'm always using the Windows "On-Screen Keyboard" instead of using the keys on the keyboard then my encrypted, password protected hot wallet is as safe (or unsafe) as cold storage?
Or are there any other threats specific to hot wallets?
No. Thats far away from being as secured as cold storage. There are many threats when using a hot wallet compared to cold wallets. You can't protect yourself from all of these. 2 examples: - If there will be an electrum bug discovered (and exploited) your funds will be gone. Bugs occur. So do new vulnerabilities. - Your OS (in your case: windows..) can be exploited through a variety of vulnerabilities if you aren't updating regularly. Even if you are, chances are high infecting your system is still possible. The next time you would open/use electrum your private keys get compromised. Those are just two examples of why you can't keep a hot wallet as secured as a cold wallet. There are way more attack vectors. Don't put more money into your hot (desktop/mobile-) wallet as you would carry with you in your purse. Use a hardware wallet or paper wallets for safe storage. |
|
|
|
|
