wesleyh
February 19, 2014, 06:45:14 PM
Where is the list of client-side JavaScript libraries for signing? (A bounty was offered by CfB for this.)

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
February 19, 2014, 06:45:40 PM
Yes, but the signing happens on your server; that is the problem. With a blockchain.info-type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.

Why is it such a big difference? If an attacker has a keylogger you may lose your coins the same way in mynxt.info and blockchain.info. What is important is that the wallet is encrypted and in order to decrypt it you need the user's password. Whether the decrypting happens on the server or in the browser, I don't think this is such a big deal. In fact, I can imagine people developing malware that you get in your browser (since your browser holds an unencrypted version of your wallet).

The really big difference is that the person who hosts the wallet can spend your coins if you send your password. Because if you sign server-side, your wallet has to be decrypted at least once for a short period of time. You as the owner of the server can interfere if you choose to, or if your server is compromised and bad code is implemented, coins can be stolen. That is the reason the guy who created blockchain.info said that all wallets that don't offer browser-side signing WILL be hacked/scammed.

Well, of course the guy would say that. Everyone will say their product is better. The fact is: you need to decrypt the wallet at some point in order to spend coins. The decryption can happen in the browser or on the server, and to decrypt it you will need to type your password. Don't forget when you sign up at blockchain.info you ALSO type your password on their website. There's no guarantee that they didn't save a copy of your password somewhere. What I am saying is that I don't see the "save in the browser" as being any safer; to me this is more marketing than actual security. If there are any security experts here, please prove me wrong (and I will be happy to be proven wrong).

You get this wrong, I think. You don't operate on "their website". You can actually download the java code and run it WITHOUT an internet connection, then you reconnect and broadcast the transaction. There is a BIG difference. They are NOT able to steal your password.

He isn't some random actually, but one of the most respected members of the whole bitcoin community.

I understand what you are saying. But I think you don't understand what I am saying. Tell me one scenario where an attacker would be able to steal your NXT from wallet.mynxt.info but not your Bitcoins from Blockchain.info using the same technique. Btw, I am not questioning any individual. Blockchain.info is a company and as such you would expect it to do what companies do (earn money, spend money, do marketing, sales, plans, etc.).

If one computer is hacked then ONE person loses money. If your server is compromised, he gets access to every wallet that logs in.... If you decide to collect the passwords and go rogue.... The argument is extremely simple... Read this: http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info
ChuckOne
Sr. Member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
February 19, 2014, 06:47:51 PM
Abuelau, ChuckOne, you should really read this: https://blockchain.info/wallet/technical-faq and pay attention to TwinWinNerD. If you can't sign transactions offline (that is, without transmitting private keys to anyone), you can't build a secure web wallet. Period.

The way to do this in the browser is via JS à la blockchain.info. It has nothing to do with TRUSTLESS as it is promoted. As I already pointed out: in the end, you have to trust somebody.

I know what you mean, but it is not really trustless.

abuelau
February 19, 2014, 06:49:19 PM
If one computer is hacked then ONE person loses money.
Same for mynxt.info.

If your server is compromised, he gets access to every wallet that logs in....
No, not every wallet that logs in. But every wallet that sends money somewhere, because that is the only time we decrypt the wallet. Imagine if there is malware that can steal blockchain wallets from Firefox or IE or Chrome right when these are decrypted?

If you decide to collect the passwords and go rogue....
Same for blockchain.info. How do you know they don't store a copy of passwords?

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
February 19, 2014, 06:49:31 PM
Abuelau, ChuckOne, you should really read this: https://blockchain.info/wallet/technical-faq and pay attention to TwinWinNerD. If you can't sign transactions offline (that is, without transmitting private keys to anyone), you can't build a secure web wallet. Period. The way to do this in the browser is via JS à la blockchain.info. It has nothing to do with TRUSTLESS as it is promoted. As I already pointed out: in the end, you have to trust somebody.
I know what you mean, but it is not really trustless.

Blockchain.info is as trustless as possible.

"""
Server Side

The site currently runs on 4 dedicated servers, hosted in a locked cabinet. All servers run behind a dedicated Cisco security appliance with intrusion detection. On the servers themselves various "booby traps" are set to alert the webmaster if an intrusion is detected.

The Java code deployed to the Site is deployed in a single war (zip) file. Each server monitors the checksum of this file to detect any unauthorised changes to the code. In order to make reverse engineering our encryption schemes more difficult, the Java class files are obfuscated using ProGuard.

A copy of every wallet is stored on all our servers. Additionally the latest 50 versions of a wallet are stored on Amazon S3 and can be restored from the [Import / Export] section. The server side code that handles wallets is open source.

The site is not vulnerable to CSRF requests as no login details or sensitive data is ever saved in session cookies. In the time the Site has been running there have been a handful of XSS vulnerabilities reported. None of these were on a wallet page and could not have resulted in any direct loss of funds.
"""

opticalcarrier
February 19, 2014, 06:50:44 PM
Right, we do get that, but ideally the goal is a trustless environment. Browser/JS signing and sending/receiving data with public servers allows this without forcing a local blockchain sync, so this is our end-game goal.

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
February 19, 2014, 06:51:07 PM
If one computer is hacked then ONE person loses money.
Same for mynxt.info.
If your server is compromised, he gets access to every wallet that logs in....
No, not every wallet that logs in. But every wallet that sends money somewhere, because that is the only time we decrypt the wallet. Imagine if there is malware that can steal blockchain wallets from Firefox or IE or Chrome right when these are decrypted?
If you decide to collect the passwords and go rogue....
Same for blockchain.info. How do you know they don't store a copy of passwords?

PLEASE read the technical aspects of blockchain.info: http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info

Same for blockchain.info. How do you know they don't store a copy of passwords?
If you had read that info you would know that your question is BS.

ChuckOne
Sr. Member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
February 19, 2014, 06:51:08 PM
So, you get the bounty.

kunibopl
February 19, 2014, 06:52:45 PM
I have a site prepared for selling stickers, mugs, etc... and much more. Just wait a few days for publishing.

Great! I seem to have missed the announcement. It's very hard to keep up with all the updates on the various sites... Will you also create / sell clothing for promotional purposes?

No, we are waiting for a pro company to create branding packages for us, so we will have new logos etc., so any items created with old logos are a waste of time and resources, I think.

New logos? Was there agreement on spending big money on professional branding? Not totally sure if we need this. I for one am producing a useful marketing item, which also uses some Nxt logo. When it is ready I can send it worldwide. Keep it decentralized.
NXT: 5231236538923913892

coolmist
Newbie
Activity: 56
Merit: 0
February 19, 2014, 06:53:04 PM
It wouldn't be difficult at all to develop a blockchain.info version of nxt. The entire thing could be done with a few servers and PHP.
CFB has made it extraordinarily easy to use PHP commands with the API of NXT.
This basic format could be used for transactions, or anything really: $arrayID = json_decode(file_get_contents($url), true);
$arrayID is the decoded response (an associative array) in this case.
If I get some free time I can have something that works online. I have a meeting in an hour; if it goes well I should have the rest of the day off.

abuelau
February 19, 2014, 06:53:40 PM
Since you keep referring back to that stackexchange link, some quotes from the man himself:

Quote: As everything is done using javascript, the site is particularly vulnerable to browser exploits including malicious browser extensions. Modern web browsers are much more secure than the internet explorer 6 generation.

Quote: If our servers were compromised the attacker could theoretically alter the javascript files to intercept the user's password next time they login. For this to be effective the attack would have to go unnoticed for an extended period of time.

ChuckOne
Sr. Member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
February 19, 2014, 06:54:30 PM
right, we do get that, but ideally, the goal is a trustless environment.
I agree. We finally agreed on that. Browser/JS signing and sending/receiving data with public servers allows this, without forcing a local blockchain sync, so this is our end game goal
But it is NOT trustless in the pure sense of that word.

igmaca
February 19, 2014, 06:55:47 PM Last edit: February 19, 2014, 07:09:55 PM by igmaca
Since you keep referring back to that stackexchange link, some quotes from the man himself:
Quote: As everything is done using javascript, the site is particularly vulnerable to browser exploits including malicious browser extensions. Modern web browsers are much more secure than the internet explorer 6 generation.
Quote: If our servers were compromised the attacker could theoretically alter the javascript files to intercept the user's password next time they login. For this to be effective the attack would have to go unnoticed for an extended period of time.

10 Immutable Laws of Security.
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

abuelau
February 19, 2014, 06:56:35 PM
This is how I see it: I use blockchain.info and I love it. But I don't store all my bitcoins there. I like to spread the bitcoins over 3 or more different baskets; the more I trust a basket, the more bitcoins I put there. My offline wallet has the most.
I think it's the same with NXT. For a newbie who just wants to start using NXT, I think the online wallet is perfect. If you own several thousand or million NXT, I would not recommend putting all of it in the same place, be it the online wallet or a single NXT NRS wallet.
But you could put some in the online wallet in case you need to use them on the go, or at work, etc.. This is how I am going to use it myself.

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
February 19, 2014, 06:57:03 PM
Since you keep referring back to that stackexchange link, some quotes from the man himself:
Quote: As everything is done using javascript, the site is particularly vulnerable to browser exploits including malicious browser extensions. Modern web browsers are much more secure than the internet explorer 6 generation.

Yes, what you don't understand is: ALL attacks on one computer will lead to the loss of funds, with your thing and a blockchain-type thing alike. The big difference is that your service has about 10 more points of attack. If the creator of blockchain goes rogue, we would know that within minutes (as many DO check the source with hashes). If you did that, we would only know AFTER you just transferred ALL balances you collected the passwords for.

Quote: If our servers were compromised the attacker could theoretically alter the javascript files to intercept the user's password next time they login. For this to be effective the attack would have to go unnoticed for an extended period of time.

See above.
McDoxy
Member
Activity: 96
Merit: 10
February 19, 2014, 06:57:20 PM
Maybe change it to a simpler version: Unregistered users = 3 votes per hour!
Just click 3 times on the VOTE button for NXT - that's it!
>>>>>>>>>>>>>>> PLEASE VOTE! <<<<<<<<<<<<<<<

Much color, so many less words, yammy nxt

We should be in 1st place in a little bit.

Nxt just hit first place with 35k votes! Nice job!

But for how long does Nxt have to stay in first place? Or will the poll end at a specific time?

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
February 19, 2014, 06:57:59 PM
It wouldn't be difficult at all to develop a blockchain.info version of nxt. The entire thing could be done with a few servers and PHP.
CFB has made it extraordinarily easy to use PHP commands with the API of NXT.
This basic format could be used for transactions, or anything really: $arrayID = json_decode(file_get_contents($url), true);
$arrayID is the decoded response (an associative array) in this case.
If I get some free time I can have something that works online. I have a meeting in an hour; if it goes well I should have the rest of the day off.

The problem is (as far as I understand) that local signing is not yet ready!

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
February 19, 2014, 06:59:20 PM
This is how I see it: I use blockchain.info and I love it. But I don't store all my bitcoins there. I like to spread the bitcoins over 3 or more different baskets; the more I trust a basket, the more bitcoins I put there. My offline wallet has the most.
I think it's the same with NXT. For a newbie who just wants to start using NXT, I think the online wallet is perfect. If you own several thousand or million NXT, I would not recommend putting all of it in the same place, be it the online wallet or a single NXT NRS wallet.
But you could put some in the online wallet in case you need to use them on the go, or at work, etc.. This is how I am going to use it myself.

What I am saying is: your project is very nice, but if you altered your project to a blockchain.info-type thing it would be uber-awesome. That a cold-storage solution is needed is not even debatable!

abuelau
February 19, 2014, 07:00:10 PM
Yes, what you don't understand is: ALL attacks on one computer will lead to the loss of funds, with your thing and a blockchain-type thing alike.
Agreed.

The big difference is that your service has about 10 more points of attack.
I don't think so.

If the creator of blockchain goes rogue, we would know that within minutes (as many DO check the source with hashes). If you did that, we would only know AFTER you just transferred ALL balances you collected the passwords for.
Maybe.