mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 07, 2014, 07:20:28 PM |
|
I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.
Solved Now site supports html5 caching! This means that once you load the site, everything will work perfect even if you try reloading it when you offline, or after you restart your browser. This mechanism only stores static files, no other data like cookies or anything else is stored. Could you try it out and let me know if everything works fine for you now?
|
|
|
|
Patel
Legendary
Offline
Activity: 1320
Merit: 1007
|
|
January 07, 2014, 07:32:27 PM |
|
mike, why did you register to Bitcointalk the day before you released this? I'm a skeptic because it could be easy for this software to generate bad seeds, which lead to bad private keys.
Its hard for anyone to use this kind of software, even if it does provide excellent security as you claim. But your a new user, who suddenly releases a software to generate private keys.
I want to use it because of added security compared to bitaddress, but its a risk..
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 07, 2014, 07:57:54 PM |
|
mike, why did you register to Bitcointalk the day before you released this? I'm a skeptic because it could be easy for this software to generate bad seeds, which lead to bad private keys.
Its hard for anyone to use this kind of software, even if it does provide excellent security as you claim. But your a new user, who suddenly releases a software to generate private keys.
I want to use it because of added security compared to bitaddress, but its a risk..
I registered to tell you all about this site. I'm not kind of person to brag about something without first having something to show. Bad seeds can't effect the security of the site because all users mouse movements are used to create exact number of bits needed for generating all the addresses - which are then XORed over pseudorandom sequence, making is unnecessary from theoretical perspective. If user shakes his mouse well, there is absolutely no benefit of using seeded number at all. In other words - even if seed is bad, total provided entropy will still be enough to generate all address with perfect (maximum theoretically possible) entropy - providing perfect security. In code, there is 'randomnessContainer' in https://github.com/mikewoods/OfflineAddress.com/blob/master/index.html which is the only thing used for providing randomness for generating addresses, and it's this.array contain the truly random data - which you can inspect using your favorite debug tool.
|
|
|
|
bitpop
Legendary
Offline
Activity: 2912
Merit: 1060
|
|
January 07, 2014, 08:04:17 PM |
|
Don't get discouraged.
It's just we have had bitaddress from the beginning almost. We've grown to trust it. You need to stick around and age as well.
Bitaddress was also around when bitcoins were worthless so it wasn't risky to test.
|
|
|
|
pointbiz
Sr. Member
Offline
Activity: 437
Merit: 415
1ninja
|
|
January 08, 2014, 05:02:04 AM |
|
... Other problems with BitAddress.org are: - You are online while generating addresses - so you can't generate "offline" addresses, and also brings up the question if your browser or operating system is infected...
I don't follow your logic here ?!? How does your software allow someone to generate offline addresses but bitaddress does not ? I've specifically packaged my software as an all-in-one HTML document that is hashed then signed by my PGP key. The hash is available on bitaddress.org and bitcointalk.org. The HTML can be downloaded from either bitaddress.org or github.com and verified that you received the document that I authored. Hi 1ninja, I'm very glad you commented on this tread. Let me first say that my site owes a lot to you marvelous work! Thank you a lot, having your site to look at helped me with my work! As for the text I've quoted: My software is notifying user if he's online, so that he can get offline and generate addresses. Your site can be used offline as well, the only difference is that I'm warning people about that. Also, I must say I'm a bit envious of that all-in-one packaging you've done by embedding all your media into the site. I'll try to do the same thing once code base growth slows down. We both have a lot to learn from each other, and I'll be happy to listen to any advice you have. If we ever meet, beers are on me. Cheers! Thank you for the offer of beer :-) The visual feedback on mouse movement collection is very nice graphically. You are waiting 40ms between collecting mouse points, correct? Do you have an article/white paper I can read on that technique? I have avoided any use of ajax calls and it appears you make two ajax calls. Canton Becker appears to have a good solution for warning the user about being online without using an ajax call: switch(window.location.protocol) { case 'http:': case 'https:': // you are online break; case 'file:': // you are offline break; default: }
I think I will implement that technique on bitaddress. Have you considered it for your site?
|
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 08, 2014, 08:04:09 AM |
|
Thank you for the offer of beer :-) The visual feedback on mouse movement collection is very nice graphically. You are waiting 40ms between collecting mouse points, correct? Do you have an article/white paper I can read on that technique? I have avoided any use of ajax calls and it appears you make two ajax calls. Canton Becker appears to have a good solution for warning the user about being online without using an ajax call: switch(window.location.protocol) { case 'http:': case 'https:': // you are online break; case 'file:': // you are offline break; default: }
I think I will implement that technique on bitaddress. Have you considered it for your site? The 40ms was manually defined limit (after a lot of testing). Initially I was using longer interval, but I just ended up being frustrated (it takes to long to fill in for 1000 addresses ) I didn't know about that online test you pasted. Does it work in all major browser? I chose ajax test, because that way I'm also aware if user disconnects some cable or turnes off some router - user's machine will probably still think that it's online, but html requests won't go through (and request will timeout after 2sec). That initial ajax call is optional, nothing is lost if user is offline and the request doesn't goes through. However, if user is already online that call provides him with initialization of array in which mouse-provided randomness will be stored (all mouse coordinates are XORed over initialized array). That way even if users is lazy and doesn't move his mouse much - his mouse coordinates will be evenly distributed over coordinate space. (Otherwise I'd probably increase those 40ms you've mentioned, which would be frustrated for user). And by providing those from server, user's browser is protected even if it's random generator is compromised or old (basically user doesn't have to trust his machine). Cheers
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 08, 2014, 08:15:08 AM |
|
Very nice site!
It would be nice if we could also include keystrokes into randomness.
Is there a elegant way to print or export to PDF?
I just added Print button , and it's working great. Check it out. (if fonts go wild on first 2 notes just upgrade your browser or try it on chrome - some browsers don't yet support @font-face in print mode)
|
|
|
|
|
gabridome
|
|
January 12, 2014, 07:04:36 AM |
|
If Chrome makes problems, try Firefox, it should be doable. But anyways, I'll try to implement HTML5 offline version as soon as possible - which should solve this. Yes please. This is a priority for me. I use bitaddress.org (thank you ninja for your incredible work) online ONLY for didactic purposes. I always do everything serious on a live distro that never sees the internet. bitaddress.org and brain wallet.org work perfectly offline. Awesome site BTW. Thank you!
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 12, 2014, 09:01:46 AM |
|
If Chrome makes problems, try Firefox, it should be doable. But anyways, I'll try to implement HTML5 offline version as soon as possible - which should solve this. Yes please. This is a priority for me. I use bitaddress.org (thank you ninja for your incredible work) online ONLY for didactic purposes. I always do everything serious on a live distro that never sees the internet. bitaddress.org and brain wallet.org work perfectly offline. Awesome site BTW. Thank you! Actually I implemented offline functionality in the meantime. Check it out, it should be working without any problems. Just load the site once and your browser will keep the site stored locally, so you'll be able to use it even when you're offline.
|
|
|
|
minimalB
Donator
Hero Member
Offline
Activity: 674
Merit: 523
|
|
January 12, 2014, 09:51:15 AM |
|
I can download bitaddress file and unzip it and run it for the fist time in a freshly booted system using WinPE or Ubuntu on CD or USB.
Downloading offline all the content is one thing, but is this possible (what i described above) with your software?
|
|
|
|
hexdecode
Newbie
Offline
Activity: 5
Merit: 0
|
|
January 12, 2014, 02:23:05 PM |
|
I'd like to see this tool and bitaddress allow input of dice rolls as the entropy source for the ultra-paranoid. 100 rolls at 2.58 bits of entropy per dice makes more than the 256 maximum bits of entropy required to get the best protection. Of course users could choose to stop after say 60 rolls if they were willing to give up some protection. With multiple dice in a shoebox this doesn't have to take very long.
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 12, 2014, 07:40:59 PM |
|
I can download bitaddress file and unzip it and run it for the fist time in a freshly booted system using WinPE or Ubuntu on CD or USB.
Downloading offline all the content is one thing, but is this possible (what i described above) with your software?
That's not yet possible with offlineaddress.com. Once all the code is packed-up as one downloadable file it's harder to continue developing it. So since I'm still adding code to this project on almost daily basis I'm postponing that feature.
|
|
|
|
fastlane7
Newbie
Offline
Activity: 24
Merit: 0
|
|
January 12, 2014, 07:46:43 PM |
|
Nice website, I like the idea.
Thanks
|
|
|
|
canton
|
|
January 12, 2014, 09:31:27 PM Last edit: January 12, 2014, 10:42:26 PM by canton |
|
If you're looking for the ultimate approach:
1. Download a live disc and compare it's checksum to original source. 2. Boot your machine from a live disc. 3. Load OfflineAddress.com. 4. Disconnect from internet (unplug all network cables, turn off WiFi and Bluetooth, and turn on airplane mode if you have it). 5. Generate addresses and print them out. 6. Restart your machine.
Hi Mike, These security instructions on your site are problematic. Nobody should generate addresses directly from HTML loaded directly from offlineaddress.com -- or any other website for that matter. * you aren't running your site over https (yet) so visitors are exposed to man-in-the-middle attacks * even if you were running this over https, this places too much reliance on the security of your website and/or your webhosting provider. an obvious vector for attack is for someone to get access to your website and edit the live site. Visitors should *assume* that sites like bitaddress.org are compromised. Your instructions should specify that the only safe way to print wallets is to download your github code and verify signatures/checksums before running the code. Github may be hacked some day, but at least it's fairly easy to verify checksums/signatures on downloaded files, unlike HTML loaded directly from a live website.
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 13, 2014, 12:16:15 AM |
|
Hi Mike,
These security instructions on your site are problematic. Nobody should generate addresses directly from HTML loaded directly from offlineaddress.com -- or any other website for that matter.
* you aren't running your site over https (yet) so visitors are exposed to man-in-the-middle attacks
* even if you were running this over https, this places too much reliance on the security of your website and/or your webhosting provider. an obvious vector for attack is for someone to get access to your website and edit the live site. Visitors should *assume* that sites like bitaddress.org are compromised.
Your instructions should specify that the only safe way to print wallets is to download your github code and verify signatures/checksums before running the code. Github may be hacked some day, but at least it's fairly easy to verify checksums/signatures on downloaded files, unlike HTML loaded directly from a live website.
Your consideration are very correct. As for as HTTPS goes - yes, there is no reason not to implement it, and I'll add that as soon as site budget allows. As for as server security goes - I'm hosting the site from Google's hardware and software, in order to be able to resist any attack Google itself can resist. The instructions are created for broader audience than the one you're thinking about. This site was created with security in mind as well as usability, so there are some compromises that have to be made. The security experts will download GitHub code anyway, but some old lady in China probably wouldn't know how to use the site if I make it a bit more complicated. Bitcoins shouldn't be elitistic currency accessible only to those with technical education, we have to think about those that don't know what we know. That's why I've also added "Other important considerations", those things might be very obvious to us, but they aren't obvious to everyone. There is nothing we disagree about canton, it's just different users we're having in our minds. Please share any other thought you have about security issues, here or on GitHub (for example, I'm thinking about ways to implement protection from SSL strip attach beside HSTS).
|
|
|
|
pointbiz
Sr. Member
Offline
Activity: 437
Merit: 415
1ninja
|
|
January 13, 2014, 04:04:26 AM |
|
I'd like to see this tool and bitaddress allow input of dice rolls as the entropy source for the ultra-paranoid. 100 rolls at 2.58 bits of entropy per dice makes more than the 256 maximum bits of entropy required to get the best protection. Of course users could choose to stop after say 60 rolls if they were willing to give up some protection. With multiple dice in a shoebox this doesn't have to take very long.
Check out the wallet details tab on bitaddress.org there are instructions for doing this at the bottom. It's not that user friendly but it works. It looks for 99 dice rolls.
|
|
|
|
pointbiz
Sr. Member
Offline
Activity: 437
Merit: 415
1ninja
|
|
January 13, 2014, 04:07:41 AM |
|
I can download bitaddress file and unzip it and run it for the fist time in a freshly booted system using WinPE or Ubuntu on CD or USB.
Downloading offline all the content is one thing, but is this possible (what i described above) with your software?
That's not yet possible with offlineaddress.com. Once all the code is packed-up as one downloadable file it's harder to continue developing it. So since I'm still adding code to this project on almost daily basis I'm postponing that feature. I started out with one big file so I know what you mean about making it harder to develop. On the advice of others I now use nodeJS and GruntJS to automate the build process.
|
|
|
|
mikewoods (OP)
Newbie
Offline
Activity: 50
Merit: 0
|
|
January 13, 2014, 08:22:13 AM |
|
I started out with one big file so I know what you mean about making it harder to develop. On the advice of others I now use nodeJS and GruntJS to automate the build process.
Thanks for the hint
|
|
|
|
|