Bitcoin Forum
November 09, 2024, 06:28:42 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: New wallet uses Amazon hardware security modules to eliminate seed words  (Read 148 times)
_act_ (OP)
Legendary
*
Offline Offline

Activity: 1064
Merit: 1305


Lightning network is good with small amount of BTC


View Profile
May 11, 2023, 01:31:54 PM
 #1

Is this good?

The wallet was launched by Kresus. It uses magic link to sign in users which makes the wallet not to require password login. Only on Apple Store for now.

https://cointelegraph.com/news/new-wallet-uses-amazon-hardware-security-modules-to-eliminate-seed-words

Quote
Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called “Magic,” which stores the user’s private key on an Amazon Web Services computer that is specifically designed to store highly sensitive information.

The AWS computer encrypts the user’s key with a Master Key that cannot leave the hardware module, much in the same way that a hardware wallet does. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.
Is seed phrase a problem?

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.

Quote
The Kresus team stated that because of the way Magic infrastructure works, neither they nor the Magic development team are able to see the user’s private key during account creation or login, so they cannot make unauthorized transactions.
How can we know that?

I can not go beyond using open source seed phrase wallets that will give me the complete control of my coins.

What do you people think about this wallet that I can not recommend?

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
Zaguru12
Hero Member
*****
Offline Offline

Activity: 868
Merit: 947



View Profile WWW
May 11, 2023, 01:55:07 PM
 #2

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

This right doesn’t makes it a bit different from centralized exchanges. One of the easiest scam or attack by hackers is compromising one’s email address, sending a link to email address could just hand ones account over to the hackers should the email be compromised. This is something that the centralized exchanges do currently when resetting passwords that is said to be risky. So it still doesn’t changes anything. Except if one could change Email all the time which will also one way or the other be prone to hacks.

Also storing private key online, no matter how sophisticated the service might be at moment to getting hack is still not a create idea because a this service gets breached then everything on it will just get exposed

███████████████████████████
███████▄████████████▄██████
████████▄████████▄████████
███▀█████▀▄███▄▀█████▀███
█████▀█▀▄██▀▀▀██▄▀█▀█████
███████▄███████████▄███████
███████████████████████████
███████▀███████████▀███████
████▄██▄▀██▄▄▄██▀▄██▄████
████▄████▄▀███▀▄████▄████
██▄███▀▀█▀██████▀█▀███▄███
██▀█▀████████████████▀█▀███
███████████████████████████
.
.Duelbits.
..........UNLEASH..........
THE ULTIMATE
GAMING EXPERIENCE
DUELBITS
FANTASY
SPORTS
████▄▄█████▄▄
░▄████
███████████▄
▐███
███████████████▄
███
████████████████
███
████████████████▌
███
██████████████████
████████████████▀▀▀
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀
.
▬▬
VS
▬▬
████▄▄▄█████▄▄▄
░▄████████████████▄
▐██████████████████▄
████████████████████
████████████████████▌
█████████████████████
███████████████████
███████████████▌
███████████████▌
████████████████
████████████████
████████████████
████▀▀███████▀▀
/// PLAY FOR  FREE  ///
WIN FOR REAL
..PLAY NOW..
NeuroticFish
Legendary
*
Offline Offline

Activity: 3850
Merit: 6583


Looking for campaign manager? Contact icopress!


View Profile
May 11, 2023, 02:44:33 PM
Merited by bitmover (1)
 #3

I find this risky for various reasons:
* that company can be hacked (it will become a target an bugs can exist)
* AWS can get hacked
* some Amazon employee may try to look in there (dirrect access, correlations, sniffing)
* that company employees may take a look
* that company may get bankrupt
* mail accounts tend to be more hacked than many other online services
* and .. is this a custodian wallet? what if their hot wallet is hacked directly or they run with the coins?

Plus, yeah I don't believe in magic  Cheesy


███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
bitmover
Legendary
*
Offline Offline

Activity: 2478
Merit: 6316


bitcoindata.science


View Profile WWW
May 11, 2023, 03:52:02 PM
 #4

Is this good?

The wallet was launched by Kresus. It uses magic link to sign in users which makes the wallet not to require password login. Only on Apple Store for now.

https://cointelegraph.com/news/new-wallet-uses-amazon-hardware-security-modules-to-eliminate-seed-words

There is too much trust involved, specially in Kresus team.

Seed words simple work.

They are safe to use, easy to store and easy to recover when necessary.

They are working just fine.

Doan9269
Hero Member
*****
Offline Offline

Activity: 1050
Merit: 614


DGbet.fun - Crypto Sportsbook


View Profile
May 11, 2023, 04:08:01 PM
 #5

Quote
Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called “Magic,” which stores the user’s private key on an Amazon Web Services computer that is specifically designed to store highly sensitive information.

The AWS computer encrypts the user’s key with a Master Key that cannot leave the hardware module, much in the same way that a hardware wallet does. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.

This isn't good enough for those that can understand the influence of a third party andbthe use of a central server online storage apps, they can bebas dangerous as unaware to users and not everything they gave to say you believe, why can't you device a means to secure your seeds yourself than relying on their system for the storage, what is the guarantee that they can't be bridged, track you or got attacked themselves by hackers.

Is seed phrase a problem?

It's not a problem but how you store it is what determines it's a problem or not.


Coyster
Legendary
*
Offline Offline

Activity: 2198
Merit: 1306


Playbet.io - Crypto Casino and Sportsbook


View Profile
May 11, 2023, 05:52:08 PM
 #6

Eliminating seed phrases, passwords and keys doesn't make ones crypto safer, rather it makes it more susceptible to being stolen. People erroneously think that services like this are doing them a good thing when they take away the responsibily they owe to their funds. Not your keys, not your funds, wherever they say they store it, you can't be sure of its safety, and you should always have your seed phrase to recover your funds yourself, anytime you need to. Keeping your seed phrase, passwords and keys is part of the responsibility of being your own bank, thus do it yourself.

Having said that, this wallet shouldn't even be used becaus we aren't short of better/safer alternatives, but if anyone is considering doing so, it should be for experiment and with a very inconsequential amount of money.

███████████████
█████████████████████
██████▄▄███████████████
██████▐████▄▄████████████
██████▐██▀▀▀██▄▄█████████
████████▌█████▀██▄▄██████
██████████████████▌█████
█████████████▀▄██▀▀██████
██████▐██▄▄█▌███████████
██████▐████▀█████████████
██████▀▀███████████████
█████████████████████
███████████████

.... ..Playbet.io..Casino & Sportsbook.....Grab up to  BTC + 800 Free Spins........
████████████████████████████████████████
██████████████████████████████████████████████
██████▄▄████████████████████████████████████████
██████▐████▄▄█████████████████████████████████████
██████▐██▀▀▀██▄▄██████████████████████████████████
████████▌█████▀██▄▄█████▄███▄███▄███▄█████████████
██████████████████▌████▀░░██▌██▄▄▄██████████████
█████████████▀▄██▀▀█████▄░░██▌██▄░░▄▄████▄███████
██████▐██▄▄█▌██████████▀███▀███▀███▀███▀█████████
██████▐████▀██████████████████████████████████████
██████▀▀████████████████████████████████████████
██████████████████████████████████████████████
████████████████████████████████████████
Hyphen(-)
Hero Member
*****
Offline Offline

Activity: 994
Merit: 744



View Profile WWW
May 11, 2023, 09:10:25 PM
 #7

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.
Because you must register through the app domain, I can also refer to this as centralization.
What if the app is been hacked, are your Funds safe since you are not in full control over them?

Furthermore, they stated that by clicking on some links provided in the mail, what if the user's email is compromised and the hacker gains access to the wallet by clicking on the link provided in the mail?


.
.DuelbitsSPORTS.
▄▄▄███████▄▄▄
▄▄█████████████████▄▄
▄██████████████████████▄
██████████████████████████
███████████████████████████
██████████████████████████████
██████████████████████████████
█████████████████████████████
███████████████████████████
█████████████████████████
▀████████████████████████
▀▀███████████████████
██████████████████████████████
██
██
██
██

██
██
██
██

██
██
██
████████▄▄▄▄██▄▄▄██
███▄█▀▄▄▀███▄█████
█████████████▀▀▀██
██▀ ▀██████████████████
███▄███████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
███████████████████████
▀█████████████████████▀
▀▀███████████████▀▀
▀▀▀▀█▀▀▀▀
OFFICIAL EUROPEAN
BETTING PARTNER OF
ASTON VILLA FC
██
██
██
██

██
██
██
██

██
██
██
10%   CASHBACK  
          100%   MULTICHARGER  
BitDane
Sr. Member
****
Offline Offline

Activity: 1372
Merit: 348


View Profile WWW
May 11, 2023, 09:18:18 PM
 #8

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.[

This is more susceptible to hacking.  Just imagine if the hacker have a grasp on our email accounts, our fund in Kresus will be automatically compromised because hackers don't have to crack our password and passphrase, they just need a link to be generated and sent to our hacked email.  Then voila! Hackers have access to our funds.


Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.

Obviously it is centralization. 

Quote
What do you people think about this wallet that I can not recommend?

I also can't recommend the wallet due to its possible weak security.  I don't believe in magic btw.
SquirrelJulietGarden
Hero Member
*****
Offline Offline

Activity: 1498
Merit: 811



View Profile
May 12, 2023, 01:47:51 AM
Last edit: May 12, 2023, 01:57:54 AM by SquirrelJulietGarden
 #9

Kresus is centralized that is not good. Is it open source? It is close source!

It does not require wallet password but will send you a link in email. I don't like to rely on my email security to use my wallet. It is always bad to connect my wallet to other accounts especially those accounts are connected to Internet a lot like my email.

Whatever word they call the link is, like 'magic link', I consider it as horrible link.

odolvlobo
Legendary
*
Offline Offline

Activity: 4494
Merit: 3403



View Profile
May 12, 2023, 10:01:12 AM
Last edit: May 12, 2023, 10:25:16 AM by odolvlobo
Merited by NeuroticFish (1), ABCbits (1)
 #10

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.

Anyway, a hardware security module (HSM) is similar to a hardware wallet. It holds private keys and will do cryptographic operations with those keys without ever revealing them.

I believe there is a misunderstanding here and I'll give you my best guess at how it works. I believe that the Kresus wallet does use a seed, but it stores only an encrypted copy of it and is unable to decrypt it directly.

To get a decrypted copy of the seed, the wallet sends the encrypted copy to the HSM, which decrypts it and returns the decrypted copy back to the wallet. Then the wallet uses the seed normally. When the app is closed, the decrypted copy is destroyed.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
ABCbits
Legendary
*
Offline Offline

Activity: 3052
Merit: 8073


Crypto Swap Exchange


View Profile
May 12, 2023, 11:24:52 AM
Merited by NeuroticFish (1)
 #11

Is this good?

I checked their website (https://www.kresus.com/), but couldn't find much explanation how their wallet or how it works. So personally i wouldn't use this wallet.

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.

Anyway, a hardware security module (HSM) is similar to a hardware wallet. It holds private keys and will do cryptographic operations with those keys without ever revealing them.

--snip--

But considering amazon unethical practice and Amazon connection with some government department, there's concern to store sensitive data (including Bitcoin private key) on Amazon product.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Lucius
Legendary
*
Offline Offline

Activity: 3416
Merit: 6149


Crypto Swap Exchange🈺


View Profile WWW
May 12, 2023, 02:45:51 PM
 #12

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.
~snip~

I completely agree with this statement, but everyone has their own choice of news sources, and the OP obviously likes them for some reason.



~snip~
But considering amazon unethical practice and Amazon connection with some government department, there's concern to store sensitive data (including Bitcoin private key) on Amazon product.

Well said, I personally would never trust them because they don't care about anything other than profit. And as for their connection with governments, I recently watched a documentary about their "contribution" to the monitoring and evaluation of public officials through various AI programs, which turned out to be a complete failure.

If we're going to be honest, I don't even trust some companies that produce HW anymore because they've proven to be incompetent in that business, let alone a company that literally does everything and just wants to expand its business a little more.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!