Issues with bitaddress.org

[SureLockLoans]

Hi I was wondering what are the problems concerning bitaddress.org?

The beginning encodes some metadata, like a version id; so you shouldn't expect the first two characters to be very random. But if the software you're using generates keys beginning with 5 instead of L or K it is outdated and producing keys which will result in significantly more data-size in your transactions.

I would recommend avoiding any browser based key generators. Many of them have dangerous implementations which provide little to no cryptographic security at all, most of them have never been reviewed by a third party.

What does he mean by this? I've got 30 Bitcoin in a address which was generated by bitaddress.org...does this mean that it's going to cost more when I send a transaction out? how much are we talking of a fee? I just want to know the security issues I generated the address on a offline computer and know the private key works. but depending on the security risks im considering creating a bitcoin core address.


anyone give me some insight on the isses quoted above?

[Newar]

He says you should not trust the random generator mechanisms within a browser. You can however use real world entropy with bitaddress using dice (example: http://www.contravex.com/2014/03/14/on-making-high-entropy-bitcoin-paper-wallets/ or click on the bottom of the Wallet Details tab for an explanation). So depending how you did it, there shouldn't be a problem.

There are other solutions around, i.e. https://bitcointalk.org/index.php?topic=361092.0

Depending on how you use bitaddress it will produce mainly uncompressed keys (starting with 5). I wouldn't worry about "costing more" because of this though (in your case with one address and a few transactions).

[Baitty]

If you have generated it on a offline computer you are fine

[cr1776]

If you have generated it on a offline computer you are fine

Not necessarily. It probably is, but the concern is if the RNG is flawed.

[Blazr]

What gmaxwell is referring to is that private keys that begin with 5 are uncompressed private keys. These are an older type of private key. The disadvantage with these are that the transactions they make are bigger (in kb's) and as a result you'll likely need to pay slightly higher transaction fees.

But thats besides the point. The main point is you shouldn't use ANY browser based private key generator as you expose yourself to many different kind of attacks.
Such as:

-The website hosting bitaddress.org might be hacked when you access it, and the hacker has inserted a backdoor in the RNG.

-You type "bitaddress.org" into your browser. An attacker is running SSLStrip on your connection. You do not notice the missing "https". The attacker is then able to modify the page and insert a backdoored RNG.

-An attacker tricks a certificate authority into giving them an SSL cert for bitaddress.org. This has happened to bitcointalk.org before. The attacker is then able to modify the page even over https and insert a backdoored RNG.

-The developer of bitaddress.org makes a small mistake in the code, accidentally reducing the entropy of the private keys. Because it is written in Javascript, this is SO easy to do and is what happened recently with the blockchain.info/wallet hack. An attacker is able to sweep up the keys because they are weak.

If the RNG is backdoored then being offline will not save you.

[SureLockLoans]

Thanks for the clarification I downloaded the zip file from github is this safer? would using pywallet be better for generating the private key on a offline computer?

[Blazr]

Thanks for the clarification I downloaded the zip file from github is this safer? would using pywallet be better for generating the private key on a offline computer?

I would recommend that you have a second computer that has all networking/bluetooth devices removed and you run Armory or Electrum on it. Keep a watch-only copy of the wallet on your main PC and keep a backup of the offline wallet on paper in case your offline PC breaks or gets stolen.

That is the best setup IMO from both a security and convenience point.

If you are set on using paper-only wallets, I'd recommend not using something browser based to do it. But no matter what you use, I would recommend downloading it and verifying it's signature with PGP as this will ensure the file hasn't been tampered with by anyone other than the developer.

To do this with bitaddress.org on Linux, download these pages:
https://www.bitaddress.org/bitaddress.org-v2.9.8-SHA256-2c5d16dbcde600147162172090d940fd9646981b7d751d9bddfc5ef383f89308.html
https://www.bitaddress.org/bitaddress.org-v2.9.8-SHA256-2c5d16dbcde600147162172090d940fd9646981b7d751d9bddfc5ef383f89308.html.sig
https://www.bitaddress.org/ninja_bitaddress.org.txt

Open terminal, type:
gpg --recv-keys 63974F5A
gpg --verify bitaddress.org-v2.9.8-SHA256-2c5d16dbcde600147162172090d940fd9646981b7d751d9bddfc5ef383f89308.html.sig

You should get:
gpg: Good signature from "ninja <ninja@bitaddress.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 527B 5C82 B1F6 B2DB 72A0  ECBF 8749 7B91 6397 4F5A

This is still a bad idea, as like I said doing cryptography in the browser is hard to do right, it's very easy to make a mistake and when it comes to Bitcoin mistakes are always costly.

[cr1776]

Thanks for the clarification I downloaded the zip file from github is this safer? would using pywallet be better for generating the private key on a offline computer?

It should be from a MITM etc attack.  

BUT if the random number generator was bad or did not have a good source of randomness, then it *could* be unsafe.  Blazr had a good description of the *potential* issue. And if you follow his instructions for downloading it from github, that is good too. In short, you should be okay, but unless you check the code it is hard to be sure.  Bitaddress.org *seems* to be safe, but it pays to be careful or at least be aware of the potential issues, particularly for large sums and cold storage.

E.g. using the random number generator in Access or Filemaker would be a bad idea - see https://bitcointalk.org/index.php?topic=917391.0.

If this is for cold storage, bitcoin core might be a better choice.

[deepceleron]

There's a link in my sig for an offline paper wallet/cold storage address generator. It only generates compressed addresses, saving you some bitcoin transaction fees in addition to reducing the blockchain size. It gets key-pounding entropy input from the user in addition to OS-based entropy sources. The private key generated is a completely random number that has no known biases.

https://bitcointalk.org/index.php?topic=361092.0

[coinableS]

Doesn't bitaddress log 300+ cursor locations on a screen to help create the randomness? Even on a tiny 480x600 screen that's 300^288,000 possibilities.  If you use that initial address after the mouse randomness I don't see why one would worry about RNG. Where I can see a possible RNG issue is the "generate new address" button and the bulk address creator.  My cold storage addresses were created with bitaddress base6 converter and dice giving 6^99 possibilities.

[twister]

Thanks for the clarification I downloaded the zip file from github is this safer? would using pywallet be better for generating the private key on a offline computer?

I would recommend that you have a second computer that has all networking/bluetooth devices removed and you run Armory or Electrum on it. Keep a watch-only copy of the wallet on your main PC and keep a backup of the offline wallet on paper in case your offline PC breaks or gets stolen.

That is the best setup IMO from both a security and convenience point.

If you are set on using paper-only wallets, I'd recommend not using something browser based to do it. But no matter what you use, I would recommend downloading it and verifying it's signature with PGP as this will ensure the file hasn't been tampered with by anyone other than the developer.

To do this with bitaddress.org on Linux, download these pages:
https://www.bitaddress.org/bitaddress.org-v2.9.8-SHA256-2c5d16dbcde600147162172090d940fd9646981b7d751d9bddfc5ef383f89308.html
https://www.bitaddress.org/bitaddress.org-v2.9.8-SHA256-2c5d16dbcde600147162172090d940fd9646981b7d751d9bddfc5ef383f89308.html.sig
https://www.bitaddress.org/ninja_bitaddress.org.txt

Open terminal, type:
gpg --recv-keys 63974F5A
gpg --verify bitaddress.org-v2.9.8-SHA256-2c5d16dbcde600147162172090d940fd9646981b7d751d9bddfc5ef383f89308.html.sig

You should get:
gpg: Good signature from "ninja <ninja@bitaddress.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 527B 5C82 B1F6 B2DB 72A0  ECBF 8749 7B91 6397 4F5A

This is still a bad idea, as like I said doing cryptography in the browser is hard to do right, it's very easy to make a mistake and when it comes to Bitcoin mistakes are always costly.

This is just brilliant. Thank you so much for this.

[deepceleron]

Doesn't bitaddress log 300+ cursor locations on a screen to help create the randomness? Even on a tiny 480x600 screen that's 300^288,000 possibilities.  If you use that initial address after the mouse randomness I don't see why one would worry about RNG. Where I can see a possible RNG issue is the "generate new address" button and the bulk address creator.  My cold storage addresses were created with bitaddress base6 converter and dice giving 6^99 possibilities.

The mouse cursor entropy-gathering was only added after it was pointed out the problems that the site/script had in simply using the javascript random method presented to the browser and lack of entropy gathering. https://bitcointalk.org/index.php?topic=399058.msg4315842#msg4315842

Now it is an annoyance you must pass through when you want to do anything else written into the do-everything page, such as decoding a private key you already know.

[coinableS]

Doesn't bitaddress log 300+ cursor locations on a screen to help create the randomness? Even on a tiny 480x600 screen that's 300^288,000 possibilities.  If you use that initial address after the mouse randomness I don't see why one would worry about RNG. Where I can see a possible RNG issue is the "generate new address" button and the bulk address creator.  My cold storage addresses were created with bitaddress base6 converter and dice giving 6^99 possibilities.

The mouse cursor entropy-gathering was only added after it was pointed out the problems that the site/script had in simply using the javascript random method presented to the browser and lack of entropy gathering. https://bitcointalk.org/index.php?topic=399058.msg4315842#msg4315842

Now it is an annoyance you must pass through when you want to do anything else written into the do-everything page, such as decoding a private key you already know.

I did not know that was a newer feature, thanks for the info. I've only been in the BTC space 13 months. But sounds like you agree that the mouse randomness method is secure, correct? I agree the mouse thing is annoying when not generating a new address so I've altered the bitaddress code locally on my machine so I don't have to do the mouse movements when decoding priv keys.