Pages:
Author

Topic: A Browser Based Cryptocurrency Client [real devs only please] - page 2. (Read 2636 times)

legendary
Activity: 2142
Merit: 1010
Newbie
Why do u need to store ECC keys? Use a secret phrase asked upon login to get a master key. Other keys can be derived from the master.

PS: What that server in the picture for?
sr. member
Activity: 280
Merit: 257
bluemeanie
here is a handy image I just made:

sr. member
Activity: 280
Merit: 257
bluemeanie
Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas

thanks, but I think blockchain.info is a traditional web app?  Haven't used it much really.  He may have valuable advice, but the architecture I'm suggesting has few counterparts, here is one:  https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

Im somewhat versed in web app security.

thanks, bm


hero member
Activity: 900
Merit: 1000
Crypto Geek
Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas
sr. member
Activity: 280
Merit: 257
bluemeanie
There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

Other browser plugins or browser exploits would make it incredibly unsafe even if the client itself was secure. It's a step backward to hand the browser any control over authentication of transactions.

But a step forward in deployment costs.
vip
Activity: 198
Merit: 101
There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

Other browser plugins or browser exploits would make it incredibly unsafe even if the client itself was secure. It's a step backward to hand the browser any control over authentication of transactions.
sr. member
Activity: 280
Merit: 257
bluemeanie
You could probably compile OpenSSL (or maybe entire portions of bitcoind) into javascript using emscripten.

that sounds pretty ambitious.  

the stanford library I posted appears to have all the basic Crypto functions you need to use Bitcoin..

http://www-cs-students.stanford.edu/~tjw/jsbn/

I still personally believe any browser-based wallets are flawed unless the signing is occurring on a physical device in control of the user. All of the technologies needed for a browser-based wallet (WebRTC etc.) are there though.

just to be clear, I am suggesting that the signing and key management happen IN THE BROWSER.  This is possible given the technologies I described in the OP.  This is not a "web wallet", instead a "browser based wallet".  There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

vip
Activity: 198
Merit: 101
You could probably compile OpenSSL (or maybe entire portions of bitcoind) into javascript using emscripten. I still personally believe any browser-based wallets are flawed unless the signing is occurring on a physical device in control of the user. All of the technologies needed for a browser-based wallet (WebRTC etc.) are there though.
sr. member
Activity: 280
Merit: 257
bluemeanie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

a Browser based Cryptocurrency client would have similar security considerations.

Do you even understand why cryptocat moved to a plugin model ? Gosh, you are hopeless. I'm leaving you alone now.

if you have such a rich background in javascript based crypto browser security, why don't you tell us who you are so we can review your past accomplishments?
member
Activity: 98
Merit: 10
nearly dead
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

a Browser based Cryptocurrency client would have similar security considerations.

Do you even understand why cryptocat moved to a plugin model ? Gosh, you are hopeless. I'm leaving you alone now.
sr. member
Activity: 280
Merit: 257
bluemeanie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

this project offers client side encryption for Gmail and it works completely in the web browser: https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

a Browser based Cryptocurrency client would have similar security considerations.

keep trolling...
member
Activity: 98
Merit: 10
nearly dead
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.
sr. member
Activity: 280
Merit: 257
bluemeanie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.
legendary
Activity: 2142
Merit: 1010
Newbie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.
member
Activity: 98
Merit: 10
nearly dead
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.

Seems that the javascript crypto space is inhabited by various individuals hacking out their own ideas and not much organization or collaboration, which is strange because browser-based crypto is very commonly requested by the development community.

Start reading here http://www.matasano.com/articles/javascript-cryptography/
sr. member
Activity: 280
Merit: 257
bluemeanie
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.



Crypto is part of the problem, interacting with the p2p network is another.

Seems that the javascript crypto space is inhabited by various individuals hacking out their own ideas and not much organization or collaboration, which is strange because browser-based crypto is very commonly requested by the development community.
sr. member
Activity: 280
Merit: 257
bluemeanie
have you worked much with WebRTC?

Not much, just played a little. This tech is still too raw.

I was looking at this also: http://www.pjsip.org/pjnath/docs/html/

it's a Java library that uses the same set of protocols for NAT traversal as WebRTC.
legendary
Activity: 2142
Merit: 1010
Newbie
have you worked much with WebRTC?

Not much, just played a little. This tech is still too raw.
sr. member
Activity: 280
Merit: 257
bluemeanie
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/


that is very interesting, thanks.  I might actually use this in my project.

have you worked much with WebRTC?
member
Activity: 98
Merit: 10
nearly dead
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.
Pages:
Jump to: