A Browser Based Cryptocurrency Client [real devs only please]

[Come-from-Beyond]

have you worked much with WebRTC?

Not much, just played a little. This tech is still too raw.

[bluemeanie1]

have you worked much with WebRTC?

Not much, just played a little. This tech is still too raw.

I was looking at this also: http://www.pjsip.org/pjnath/docs/html/

it's a Java library that uses the same set of protocols for NAT traversal as WebRTC.

[bluemeanie1]

I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.

Crypto is part of the problem, interacting with the p2p network is another.

Seems that the javascript crypto space is inhabited by various individuals hacking out their own ideas and not much organization or collaboration, which is strange because browser-based crypto is very commonly requested by the development community.

[moderate]

I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.

Seems that the javascript crypto space is inhabited by various individuals hacking out their own ideas and not much organization or collaboration, which is strange because browser-based crypto is very commonly requested by the development community.

Start reading here http://www.matasano.com/articles/javascript-cryptography/

[Come-from-Beyond]

I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

[bluemeanie1]

I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

[moderate]

I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

[bluemeanie1]

I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

this project offers client side encryption for Gmail and it works completely in the web browser: https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

a Browser based Cryptocurrency client would have similar security considerations.

keep trolling...

[moderate]

I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

a Browser based Cryptocurrency client would have similar security considerations.

Do you even understand why cryptocat moved to a plugin model ? Gosh, you are hopeless. I'm leaving you alone now.

[bluemeanie1]

I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

a Browser based Cryptocurrency client would have similar security considerations.

Do you even understand why cryptocat moved to a plugin model ? Gosh, you are hopeless. I'm leaving you alone now.

if you have such a rich background in javascript based crypto browser security, why don't you tell us who you are so we can review your past accomplishments?

[eb3full]

You could probably compile OpenSSL (or maybe entire portions of bitcoind) into javascript using emscripten. I still personally believe any browser-based wallets are flawed unless the signing is occurring on a physical device in control of the user. All of the technologies needed for a browser-based wallet (WebRTC etc.) are there though.

[bluemeanie1]

You could probably compile OpenSSL (or maybe entire portions of bitcoind) into javascript using emscripten.

that sounds pretty ambitious.  

the stanford library I posted appears to have all the basic Crypto functions you need to use Bitcoin..

http://www-cs-students.stanford.edu/~tjw/jsbn/

I still personally believe any browser-based wallets are flawed unless the signing is occurring on a physical device in control of the user. All of the technologies needed for a browser-based wallet (WebRTC etc.) are there though.

just to be clear, I am suggesting that the signing and key management happen IN THE BROWSER.  This is possible given the technologies I described in the OP.  This is not a "web wallet", instead a "browser based wallet".  There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

[eb3full]

There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

Other browser plugins or browser exploits would make it incredibly unsafe even if the client itself was secure. It's a step backward to hand the browser any control over authentication of transactions.

[bluemeanie1]

There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

Other browser plugins or browser exploits would make it incredibly unsafe even if the client itself was secure. It's a step backward to hand the browser any control over authentication of transactions.

But a step forward in deployment costs.

[jago25_98]

Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas

[bluemeanie1]

Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas

thanks, but I think blockchain.info is a traditional web app?  Haven't used it much really.  He may have valuable advice, but the architecture I'm suggesting has few counterparts, here is one:  https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

Im somewhat versed in web app security.

thanks, bm

[bluemeanie1]

here is a handy image I just made:

[Come-from-Beyond]

Why do u need to store ECC keys? Use a secret phrase asked upon login to get a master key. Other keys can be derived from the master.

PS: What that server in the picture for?

[bluemeanie1]

Why do u need to store ECC keys? Use a secret phrase asked upon login to get a master key. Other keys can be derived from the master.

PS: What that server in the picture for?

that's 'brand X', the web wallet.  Im proposing the scenario on the right.

[Come-from-Beyond]

that's 'brand X', the web wallet.  Im proposing the scenario on the right.

A secret phrase is enough to reconstruct thousands of ECC keys.