Bitcoin Forum
Author Topic: Newbie question about cold storage electrum wallet: how secure my method is?  (Read 237 times)
ranochigo
March 28, 2018, 03:26:50 PM
 #21

This is new to me. If I understand this concept correctly, it should eliminate the need to trust an abstract website and its security setup. Rather, I could trust a real person that I know, or even better several individuals to verify that I have, e.g., an authentic electrum wallet. Has this concept been accepted to date? I mean, do you people use it when installing sensitive software from the internet?
You're correct. Websites should not be trusted and users can't trust anything on the internet when they are validating things. It's simply unrealistic to go around passing your PGP keys but meeting someone face to face to authenticate their PGP keys is certainly the most secure method, you can't go wrong.

I haven't really heard about bitkey before. Is there a widespread use of it? Again I ask this question because of trust. For electrum, I can be pretty sure that (due to its widespread use) its source code has been thoroughly vetted before. So I just have to trust the signature. Sure, as you indicated, there's the source code of bitkey, but how many people have gone through the code to check it?

On the other hand,  bitkey seems to be similar to tails, which I have been considering to use as a form of more secure linux. How different bitkey is with respect to tails?
I would recommend for you to just use a more established distribution to use Electrum with. OSes like Raspbian and Ubuntu have been vetted hundreds of times and it is unlikely that they are intentionally including any malicious code. Even if they are, the airgapped setup would pretty much eliminate most of the threats. AFAIK, Bitkey doesn't route data through Tor.

pooya87
March 28, 2018, 04:29:38 PM
 #22

i agree with @ranochigo, i just want to add a little thing about Web of Trust [1]. the way using PGP should really be like is that you build a WOT of your own. for example you start from somewhere, let's say you know me personally so you meet me face to face and get my PGP pubkey and then go home and add it to your trusted signatures. then some day you want to install Electrum and since i have been around a long time and i know for a fact what the right pubkey of Electrum dev is, you ask me to confirm it. then what i do is that i sign 0x2BD5824B7F9470E6 with my PGP private key and give you the signature to verify with my public key that you already had. now your WOT has grown a little more.
[1] https://en.wikipedia.org/wiki/Web_of_trust
This is new to me. If I understand this concept correctly, it should eliminate the need to trust an abstract website and its security setup. Rather, I could trust a real person that I know, or even better several individuals to verify that I have, e.g., an authentic electrum wallet. Has this concept been accepted to date? I mean, do you people use it when installing sensitive software from the internet?

i don't think that many people are doing it this way. most of them don't even verify the signatures and even if they do, they just download everything and get all the links from the same place (the website) and the best they are going to do is to double check if they are on the right website (eg. electrum.org)

of course the chances are low and if a hack actually takes place it will be known fast enough and you can find out about it on social media.
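
The check that the Web of Trust step in post #22 makes possible, as an added example that is not part of the thread: a release is accepted only when gpg reports a valid signature and the signing key's fingerprint ends in the key ID confirmed through a trusted contact, rather than in whatever key the download site served. The function names are hypothetical, and the gpg output is constructed with zero-padded placeholder fingerprints; only the key ID comes from the post.

```shell
#!/bin/sh
# Added example. Sample gpg output below is constructed; fingerprints are
# zero-padded placeholders, only the long key ID is taken from the thread.
ATTESTED_KEYID="0x2BD5824B7F9470E6"   # confirmed via a contact you trust

# Normalise a key ID or fingerprint: strip spaces and 0x, upper-case.
norm_hex() {
    printf '%s' "$1" | tr -d ' \n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# stdin: `gpg --show-keys --with-colons KEYFILE`; prints primary key fingerprint.
primary_fpr() {
    awk -F: '$1=="pub"{p=1; next} p && $1=="fpr"{print $10; exit}'
}

# stdin: `gpg --status-fd 1 --verify SIG FILE`; prints the primary-key
# fingerprint (last VALIDSIG field), or nothing if there is no valid signature.
validsig_primary() {
    awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF; exit}'
}

# True only if 40-hex fingerprint $1 ends in 16-hex long key ID $2.
# Short (8-hex) IDs are refused because they are easy to collide.
fpr_matches_keyid() {
    fpr=$(norm_hex "$1"); kid=$(norm_hex "$2")
    [ ${#fpr} -eq 40 ] && [ ${#kid} -eq 16 ] || return 1
    case "$fpr" in *"$kid") return 0 ;; *) return 1 ;; esac
}

# Accept only a valid signature whose signer is the attested key.
release_ok() {   # $1 = gpg status output, $2 = attested key ID
    signer=$(printf '%s\n' "$1" | validsig_primary)
    [ -n "$signer" ] && fpr_matches_keyid "$signer" "$2"
}

FPR_OK="$(printf '%024d' 0)2BD5824B7F9470E6"   # placeholder prefix + key ID
FPR_OTHER="$(printf '%040d' 0)"                # some other, unvouched key
SAMPLE_COLONS="pub:-:4096:1:2BD5824B7F9470E6:1300000000:::-:::scESC:
fpr:::::::::$FPR_OK:
uid:-::::1300000000::::Constructed Signer <signer@example.invalid>:"
GOOD_STATUS="[GNUPG:] VALIDSIG $FPR_OK 2018-03-28 1522250000 0 4 0 1 8 00 $FPR_OK"
# Cryptographically valid signature, but from a key nobody vouched for.
BAD_STATUS="[GNUPG:] VALIDSIG $FPR_OTHER 2018-03-28 1522250000 0 4 0 1 8 00 $FPR_OTHER"

release_ok "$GOOD_STATUS" "$ATTESTED_KEYID" && echo "accept: signer is the attested key"
release_ok "$BAD_STATUS" "$ATTESTED_KEYID" || echo "reject: valid signature, wrong key"
```

Against real files, feed `release_ok` the output of `gpg --status-fd 1 --verify` for the downloaded signature and file instead of the constructed status lines.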

tublo
March 28, 2018, 06:27:49 PM
 #23


I haven't really heard about bitkey before. Is there a widespread use of it? Again I ask this question because of trust. For electrum, I can be pretty sure that (due to its widespread use) its source code has been thoroughly vetted before. So I just have to trust the signature. Sure, as you indicated, there's the source code of bitkey, but how many people have gone through the code to check it?

On the other hand,  bitkey seems to be similar to tails, which I have been considering to use as a form of more secure linux. How different bitkey is with respect to tails?


Bitkey is a very limited system and is not supposed to be installed on a hard drive. You'll only boot from a DVD or flash drive and sign the transaction in offline mode.
This way, you do not have to trust anyone. If there is something wrong, you would know, as you can check if the transaction is correct before broadcasting it using computer B.