Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761529 times)
wesleyh
February 19, 2014, 06:45:14 PM
 #35461

Where is the list of client side javascript libraries for signing? (a bounty was offered by cfb for this)
TwinWinNerD
February 19, 2014, 06:45:40 PM
 #35462


Yes but the signing happens on your server, that is the problem. With blockchain.info type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.

Why is it such a big difference? If an attacker has a keylogger you may lose your coins the same way in mynxt.info and blockchain.info.

What is important is that the wallet is encrypted and in order to decrypt it you need the user's password. Whether the decrypting happens on the server or on the browser, I don't think this is such a big deal. In fact, I can imagine people developing a malware that you get in your browser (since your browser holds an unencrypted version of your wallet).

The really big difference is that the person that hosts the wallet can spend your coins if you send your password. Because if you sign serverside, your wallet has to be decrypted at least once for a short period of time. You as the owner of the server can interfere if you choose to, or if your server is compromised and bad code is implemented coins can be stolen. That is the reason that the guy that created blockchain.info said that all wallets that don't offer browserside signing WILL be hacked/scammed.

Well, of course the guy would say that. Everyone will say their product is better.

The fact is: you need to decrypt the wallet at some point in order to spend coins. The decryption can happen on the browser or the server, and to decrypt it you will need to type your password.

Don't forget when you sign up in blockchain.info you ALSO type your password on their website. There's no guarantee that they didn't save a copy of your password somewhere.

What I am saying is that I don't see the "save in the browser" as being any safer, to me this is more marketing than actual security. If there are any security experts here please prove me wrong (and I will be happy to be proven wrong).

You get this wrong I think. You don't operate on "their website". You can actually download the java code and run it WITHOUT internet connection, then you reconnect and broadcast the transaction.

There is a BIG difference. They are NOT able to steal your password.

He isn't some random actually, but one of the most respected members of the whole bitcoin community.

I understand what you are saying. But I think you don't understand what I am saying. Tell me one scenario where an attacker would be able to steal your NXT from wallet.mynxt.info but not your Bitcoins from Blockchain.info using the same technique.

Btw, I am not questioning any individual. Blockchain.info is a company and as such you would expect it to do what companies do (earn money, spend money, do marketing, sales, plans, etc).

If one computer is hacked then ONE person loses money.

If your server is compromised, he gets access to every wallet that logs in....

If you decide to collect the passwords and go rogue ....

The argument is extremely simple...

Read this: http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info

Come-from-Beyond
February 19, 2014, 06:47:21 PM
 #35463

Where is the list of client side javascript libraries for signing? (a bounty was offered by cfb for this)

I found this link - https://bitcointalk.org/index.php?topic=345619.msg4612928#msg4612928
ChuckOne
February 19, 2014, 06:47:51 PM
 #35464

Abuelau, ChuckOne, you should really read this:

https://blockchain.info/wallet/technical-faq

and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.

The way to do this in the browser is via JS a-la blockchain.info.



It has nothing to do with TRUSTLESS as it is promoted.

As I already pointed out:

In the end, you have to trust somebody.

I know what you mean, but it is not really trustless.
abuelau
February 19, 2014, 06:49:19 PM
 #35465

Quote
If one computer is hacked then ONE person loses money.

Same for mynxt.info

Quote
If your server is compromised, he gets access to every wallet that logs in....

No, not every wallet that logs in. But every wallet that sends money somewhere because that is the only time we decrypt the wallet.

Imagine if there is a malware that can steal blockchain wallets from Firefox or IE or Chrome right when these are decrypted?

Quote
If you decide to collect the passwords and go rogue ....

Same for blockchain.info. How do you know they don't store a copy of passwords?

Know what's happening in cryptoworld: www.coinschedule.com
TwinWinNerD
February 19, 2014, 06:49:31 PM
 #35466

Abuelau, ChuckOne, you should really read this:

https://blockchain.info/wallet/technical-faq

and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.

The way to do this in the browser is via JS a-la blockchain.info.



It has nothing to do with TRUSTLESS as it is promoted.

As I already pointed out:

In the end, you have to trust somebody.

I know what you mean, but it is not really trustless.

Blockchain.info is as trustless as possible.

""""""""
Server Side

    The site currently runs on 4 dedicated servers, hosted in a locked cabinet. All servers run behind a dedicated cisco security appliance with intrusion detection. On the servers themselves various "booby traps" are set to alert the webmaster if an intrusion is detected.

    The java code deployed to the Site is deployed in a single war (zip) file. Each server monitors the checksum of this file to detect any unauthorised changes to the code. In order to make reverse engineering our encryption schemes more difficult the java class files are obfuscated using proguard.

    A copy of every wallet is stored on all our servers. Additionally the latest 50 versions of a wallet are stored on Amazon S3 and can be restored from the [Import / Export] section.

    The server side code that handles wallets is open source.

    The site is not vulnerable to CSRF requests as no login details or sensitive data is ever saved in session cookies.

    In the time the Site has been running there have been a handful of XSS vulnerabilities reported. None of these were on a wallet page and could not have resulted in any direct loss of funds.
"""""""""

opticalcarrier
February 19, 2014, 06:50:44 PM
 #35467

right, we do get that, but ideally, the goal is a trustless environment.  Browser/JS signing and sending/receiving data with public servers allows this, without forcing a local blockchain sync, so this is our end game goal
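
The browser-side signing model discussed in the posts above, as an added example that is not part of any post and not code from blockchain.info, mynxt.info or Nxt. It assumes Node.js; Ed25519 from Node's built-in crypto stands in for Nxt's own signature scheme, and the transaction layout, function names and account number are hypothetical.

```javascript
// Added illustration: sign on the client, send only signed bytes to the server.
// Ed25519 is a stand-in here; Nxt's actual signature scheme is different.
const crypto = require('crypto');

// Client side: the private key is created and used here and nowhere else.
function createWallet() {
  return crypto.generateKeyPairSync('ed25519'); // { publicKey, privateKey }
}

// Hypothetical transaction layout, serialized deterministically before signing.
function serializeTx(tx) {
  return Buffer.from(JSON.stringify([tx.recipient, tx.amount, tx.fee, tx.deadline]), 'utf8');
}

// Sign locally and build the only object that ever crosses the network.
function signForBroadcast(wallet, tx) {
  const txBytes = serializeTx(tx);
  const signature = crypto.sign(null, txBytes, wallet.privateKey);
  return {
    txBytes: txBytes.toString('hex'),
    signature: signature.toString('hex'),
    senderPublicKey: wallet.publicKey.export({ type: 'spki', format: 'der' }).toString('hex'),
  };
}

// Server side: accepts exactly three public fields, verifies, relays. It never
// sees a password or key, so it can drop a transaction but cannot create one.
function serverAcceptsBroadcast(payload) {
  const allowed = ['senderPublicKey', 'signature', 'txBytes'];
  const keys = Object.keys(payload).sort();
  if (keys.length !== allowed.length || keys.some((k, i) => k !== allowed[i])) return false;
  let publicKey;
  try {
    publicKey = crypto.createPublicKey({
      key: Buffer.from(payload.senderPublicKey, 'hex'), format: 'der', type: 'spki',
    });
  } catch {
    return false; // malformed public key
  }
  return crypto.verify(null, Buffer.from(payload.txBytes, 'hex'), publicKey,
    Buffer.from(payload.signature, 'hex'));
}

// Models a relay that rewrites the recipient after signing; used to show that
// every honest verifier rejects the result.
function simulateRelayTamper(payload, newRecipient) {
  const fields = JSON.parse(Buffer.from(payload.txBytes, 'hex').toString('utf8'));
  fields[0] = newRecipient;
  return { ...payload, txBytes: Buffer.from(JSON.stringify(fields), 'utf8').toString('hex') };
}

// Constructed sample values.
const demoWallet = createWallet();
const demoPayload = signForBroadcast(demoWallet,
  { recipient: '1234567890123456789', amount: 100, fee: 1, deadline: 1440 });
console.log('accepted as signed:   ', serverAcceptsBroadcast(demoPayload));
console.log('accepted after tamper:', serverAcceptsBroadcast(
  simulateRelayTamper(demoPayload, '9876543210987654321')));
```

This covers only the key-handling half of the argument: the signing code itself still has to reach the client unmodified, which is the point the stackexchange quotes later in the thread are about.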
TwinWinNerD
February 19, 2014, 06:51:07 PM
 #35468

Quote
If one computer is hacked then ONE person loses money.

Same for mynxt.info

Quote
If your server is compromised, he gets access to every wallet that logs in....

No, not every wallet that logs in. But every wallet that sends money somewhere because that is the only time we decrypt the wallet.

Imagine if there is a malware that can steal blockchain wallets from Firefox or IE or Chrome right when these are decrypted?

Quote
If you decide to collect the passwords and go rogue ....

Same for blockchain.info. How do you know they don't store a copy of passwords?

PLEASE read the technical aspects of blockchain.info

http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info

Quote
Same for blockchain.info. How do you know they don't store a copy of passwords?
If you read that info you would know that your question is BS

ChuckOne
February 19, 2014, 06:51:08 PM
 #35469

Where is the list of client side javascript libraries for signing? (a bounty was offered by cfb for this)

I found this link - https://bitcointalk.org/index.php?topic=345619.msg4612928#msg4612928

So, you get the bounty. ;)
kunibopl
February 19, 2014, 06:52:45 PM
 #35470

I have a site prepared for selling stickers, mugs, etc... and much more. Just wait a few days for publishing :)
Great!
I seem to have missed the announcement. It's very hard to keep up with all the updates on the various sites...  :(

Will you also create / sell clothing for promotional purposes?
no, we are waiting for pro company to create for us branding packages, so we will have new logos etc, so any items created with old logos are a waste of time and resources I think


new logos?

was there agreement on spending big money on professional branding? not totally sure, if we need this.
I for one am producing a useful marketing item, which also uses some Nxt logo.
when it is ready I can send it worldwide. keep it decentralized.

NXT: 5231236538923913892
coolmist
February 19, 2014, 06:53:04 PM
 #35471

It wouldn't be difficult at all to develop a blockchain.info version of nxt. The entire thing could be done with a few servers and PHP.

CFB has made it extraordinarily easy to use PHP commands with the API of NXT.

This basic format could be used for transactions, or anything really.
$ArrayID = json_decode(file_get_contents($url));

ArrayID is the response in this case.

If I get some free time I can have something that works online, I have a meeting in an hour, if it goes well I should have the rest of the day off.
abuelau
February 19, 2014, 06:53:40 PM
 #35472

Since you keep referring back to that stackexchange link, some quotes from the man himself:

Quote
As everything is done using javascript in the site is particularly vulnerable to browser exploits including malicious browser extensions. Modern web browsers are much more secure than the internet explorer 6 generation.

Quote
If our servers were compromised the attacker could theoretically alter the javascript files to intercept the user's password next time they login. For this to be effective the attack would have to go unnoticed for an extended period of time.

Know what's happening in cryptoworld: www.coinschedule.com
ChuckOne
February 19, 2014, 06:54:30 PM
 #35473

right, we do get that, but ideally, the goal is a trustless environment.

I agree. We finally agreed on that.

Browser/JS signing and sending/receiving data with public servers allows this, without forcing a local blockchain sync, so this is our end game goal
But it is NOT trustless in the pure sense of that word.
igmaca
February 19, 2014, 06:55:47 PM
Last edit: February 19, 2014, 07:09:55 PM by igmaca
 #35474

Quote
   
Since you keep referring back to that stackexchange link, some quotes from the man himself:

Quote
As everything is done using javascript in the site is particularly vulnerable to browser exploits including malicious browser extensions. Modern web browsers are much more secure than the internet explorer 6 generation.

Quote
If our servers were compromised the attacker could theoretically alter the javascript files to intercept the user's password next time they login. For this to be effective the attack would have to go unnoticed for an extended period of time.

10 Immutable Laws of Security.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
abuelau
February 19, 2014, 06:56:35 PM
 #35475

This is how I see it: I use blockchain.info and I love it. But I don't store all my bitcoins there. I like to spread the bitcoins in 3 or more different baskets, the more I trust a basket the more bitcoins I put there. My offline wallet has the most.

I think it's the same with NXT. For a newbie, that just wants to start using NXT, I think the online wallet is perfect. If you own several thousand or million NXT, I would not recommend putting all of it in the same place, be it the online wallet or a single NXT NRS wallet.

But you could put some in the online wallet in case you need to use them on the go, or at work, etc.. this is how I am going to use it myself.

Know what's happening in cryptoworld: www.coinschedule.com
TwinWinNerD
February 19, 2014, 06:57:03 PM
 #35476

Since you keep referring back to that stackexchange link, some quotes from the man himself:

Quote
As everything is done using javascript in the site is particularly vulnerable to browser exploits including malicious browser extensions. Modern web browsers are much more secure than the internet explorer 6 generation.

Yes, what you don't understand is: All attacks on one computer will lead to the loss of funds. With your thing and a blockchain type thing. The big difference is that your service has about 10 more points of attack. If the creator of blockchain goes rogue, we would know that within minutes (as many DO check the source with hashes). If you did that, we would only know AFTER you just transferred ALL balances you collected the passwords for.

Quote
If our servers were compromised the attacker could theoretically alter the javascript files to intercept the user's password next time they login. For this to be effective the attack would have to go unnoticed for an extended period of time.

see above
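
The "check the source with hashes" idea from the post above, as an added example that is not part of any post and not blockchain.info's own tooling. It assumes Node.js; the file names and contents are constructed, and it goes slightly beyond the post by also reporting files that were added or removed, not just files that changed.

```javascript
// Added illustration: compare the scripts a wallet site serves against digests
// pinned from a release that was reviewed. All names and contents are constructed.
const crypto = require('crypto');

// Subresource-Integrity style digest: "sha384-" + base64(SHA-384(bytes)).
function sriDigest(bytes) {
  return 'sha384-' + crypto.createHash('sha384').update(bytes).digest('base64');
}

// Pin every file of the reviewed release: { path: digest }.
function buildManifest(reviewedFiles) {
  const manifest = {};
  for (const [path, body] of Object.entries(reviewedFiles)) manifest[path] = sriDigest(body);
  return manifest;
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Audit what the server hands out now against the pinned manifest.
function auditServedFiles(manifest, servedFiles) {
  const modified = [], unexpected = [], missing = [];
  for (const [path, body] of Object.entries(servedFiles)) {
    if (!has(manifest, path)) unexpected.push(path);            // script nobody reviewed
    else if (sriDigest(body) !== manifest[path]) modified.push(path); // content changed
  }
  for (const path of Object.keys(manifest)) {
    if (!has(servedFiles, path)) missing.push(path);            // reviewed file no longer served
  }
  const ok = modified.length + unexpected.length + missing.length === 0;
  return { ok, modified: modified.sort(), unexpected: unexpected.sort(), missing: missing.sort() };
}

// Constructed sample: the reviewed release ...
const REVIEWED = {
  'wallet.js': 'function openWallet(blob, password) { /* decrypt locally */ }\n',
  'signer.js': 'function signTx(tx, key) { /* sign locally */ }\n',
};
// ... and what the same URLs return some time later.
const SERVED_LATER = {
  'wallet.js': REVIEWED['wallet.js'],
  'signer.js': REVIEWED['signer.js'] + '/* one line added after review */\n',
  'analytics.js': '/* new script that was never reviewed */\n',
};

const PINNED = buildManifest(REVIEWED);
console.log(auditServedFiles(PINNED, REVIEWED));
console.log(auditServedFiles(PINNED, SERVED_LATER));
```

The comparison only means something when it runs outside the page being checked (a separate monitor, or a locally saved copy of the scripts), since a modified page can skip or falsify a check that it ships itself.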


McDoxy
February 19, 2014, 06:57:20 PM
 #35477

Maybe change it to a simpler version:

Quote
Unregistered users = 3 votes per hour!
Just click 3 times on the VOTE Button for NXT - that's it!

>>>>>>>>>>>>>>> PLEASE VOTE! <<<<<<<<<<<<<<<
Much color, so many less words, yammy nxt :o

We should be in 1st place in a little bit.

Nxt just hit first place with 35k votes! Nice job!

But for how long does Nxt have to stay on first place? Or will the poll end at a specific time?
TwinWinNerD
February 19, 2014, 06:57:59 PM
 #35478

It wouldn't be difficult at all to develop a blockchain.info version of nxt. The entire thing could be done with a few servers and PHP.

CFB has made it extraordinarily easy to use PHP commands with the API of NXT.

This basic format could be used for transactions, or anything really.
$ArrayID = json_decode(file_get_contents($url));

ArrayID is the response in this case.

If I get some free time I can have something that works online, I have a meeting in an hour, if it goes well I should have the rest of the day off.

The problem is (as far as I understand) that local signing is not yet ready!

TwinWinNerD
February 19, 2014, 06:59:20 PM
 #35479

This is how I see it: I use blockchain.info and I love it. But I don't store all my bitcoins there. I like to spread the bitcoins in 3 or more different baskets, the more I trust a basket the more bitcoins I put there. My offline wallet has the most.

I think it's the same with NXT. For a newbie, that just wants to start using NXT, I think the online wallet is perfect. If you own several thousand or million NXT, I would not recommend putting all of it in the same place, be it the online wallet or a single NXT NRS wallet.

But you could put some in the online wallet in case you need to use them on the go, or at work, etc.. this is how I am going to use it myself.

What I am saying is: your project is very nice, but if you altered your project to a blockchain.info type thing it would be uber-awesome.

That a cold storage solution is needed is not even debatable!

abuelau
February 19, 2014, 07:00:10 PM
 #35480

Quote
Yes, what you don't understand is: All attacks on one Computer will lead to the loss of funds. With your thing and a blockchain type thing.

Agreed.

Quote
The big difference is, that your service has about 10 more points of attack.

I don't think so.

Quote
If the creator of blockchain goes rogue, we would know that within minutes (as many DO check the source with hashes). If you did that, we would only know AFTER you just transferred ALL balances you collected the passwords for.

Maybe.

Know what's happening in cryptoworld: www.coinschedule.com