
Topic: A Browser Based Cryptocurrency Client [real devs only please] - page 2. (Read 2628 times)

legendary
Activity: 2142
Merit: 1010
Newbie
Why do you need to store ECC keys? Use a secret phrase asked upon login to get a master key. Other keys can be derived from the master.

PS: What is that server in the picture for?
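
The derivation suggested in the post above, as an added example that is not part of the thread: the passphrase is stretched into a master key with scrypt, and per-index secp256k1 private keys are derived from it with HMAC-SHA256. It uses Node's built-in crypto module so it runs offline; the scrypt parameters, the label string and the function names are assumptions chosen for illustration, not a wallet standard.

```javascript
// Added example (not from the thread): passphrase -> master key -> child keys.
const nodeCrypto = require('node:crypto');

// Order of the secp256k1 group; a private key must lie in [1, n-1].
const CURVE_ORDER = BigInt(
  '0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');

// Stretch the login passphrase into a 32-byte master key with scrypt.
// The salt is per-user and not secret; the master key is never stored.
function deriveMasterKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase.normalize('NFKD'), salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Private key for `index` = HMAC-SHA256(master, label || index || counter).
// The counter is bumped in the very rare case the output is not a valid scalar.
function deriveChildKey(masterKey, index) {
  if (!Number.isInteger(index) || index < 0 || index > 0xffffffff) {
    throw new RangeError('index must be a 32-bit unsigned integer');
  }
  for (let counter = 0; counter < 256; counter++) {
    const info = Buffer.alloc(5);
    info.writeUInt32BE(index, 0);
    info.writeUInt8(counter, 4);
    const digest = nodeCrypto.createHmac('sha256', masterKey)
      .update('example-wallet/child-key').update(info).digest();
    const scalar = BigInt('0x' + digest.toString('hex'));
    if (scalar > 0n && scalar < CURVE_ORDER) return digest;
  }
  throw new Error('no valid scalar found');
}

// Compressed secp256k1 public key (hex) for a derived private key.
function publicKeyFor(privateKey) {
  const ecdh = nodeCrypto.createECDH('secp256k1');
  ecdh.setPrivateKey(privateKey);
  return ecdh.getPublicKey('hex', 'compressed');
}

// Rebuild the first `count` public keys of a wallet from the passphrase alone.
function restoreWallet(passphrase, salt, count) {
  const master = deriveMasterKey(passphrase, salt);
  const keys = [];
  for (let i = 0; i < count; i++) keys.push(publicKeyFor(deriveChildKey(master, i)));
  master.fill(0); // best-effort wipe; JS gives no guarantee about other copies
  return keys;
}
```

With this design nothing secret is stored, so the wallet's security rests entirely on the passphrase's entropy and the KDF cost: anyone who guesses the phrase can regenerate every key.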
sr. member
Activity: 280
Merit: 257
bluemeanie
here is a handy image I just made:

sr. member
Activity: 280
Merit: 257
bluemeanie
Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas

thanks, but I think blockchain.info is a traditional web app?  Haven't used it much really.  He may have valuable advice, but the architecture I'm suggesting has few counterparts, here is one:  https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

I'm somewhat versed in web app security.

thanks, bm


hero member
Activity: 900
Merit: 1000
Crypto Geek
Stating the obvious here,
 but Mandrik from the client side blockchain.info might have a comment or 2 regarding browser security. Might be worth a PM once you have some more concrete ideas
sr. member
Activity: 280
Merit: 257
bluemeanie
There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

Other browser plugins or browser exploits would make it incredibly unsafe even if the client itself was secure. It's a step backward to hand the browser any control over authentication of transactions.

But a step forward in deployment costs.
vip
Activity: 198
Merit: 101
There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

Other browser plugins or browser exploits would make it incredibly unsafe even if the client itself was secure. It's a step backward to hand the browser any control over authentication of transactions.
sr. member
Activity: 280
Merit: 257
bluemeanie
You could probably compile OpenSSL (or maybe entire portions of bitcoind) into javascript using emscripten.

that sounds pretty ambitious.  

the Stanford library I posted appears to have all the basic Crypto functions you need to use Bitcoin.

http://www-cs-students.stanford.edu/~tjw/jsbn/

I still personally believe any browser-based wallets are flawed unless the signing is occurring on a physical device in control of the user. All of the technologies needed for a browser-based wallet (WebRTC etc.) are there though.

just to be clear, I am suggesting that the signing and key management happen IN THE BROWSER.  This is possible given the technologies I described in the OP.  This is not a "web wallet", instead a "browser based wallet".  There are a few extra security considerations, but you are in control of your keys and generally conforms to the same security model as the regular Bitcoin client.

vip
Activity: 198
Merit: 101
You could probably compile OpenSSL (or maybe entire portions of bitcoind) into javascript using emscripten. I still personally believe any browser-based wallets are flawed unless the signing is occurring on a physical device in control of the user. All of the technologies needed for a browser-based wallet (WebRTC etc.) are there though.
sr. member
Activity: 280
Merit: 257
bluemeanie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

a Browser based Cryptocurrency client would have similar security considerations.

Do you even understand why cryptocat moved to a plugin model? Gosh, you are hopeless. I'm leaving you alone now.

if you have such a rich background in javascript based crypto browser security, why don't you tell us who you are so we can review your past accomplishments?
member
Activity: 98
Merit: 10
nearly dead
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

a Browser based Cryptocurrency client would have similar security considerations.

Do you even understand why cryptocat moved to a plugin model? Gosh, you are hopeless. I'm leaving you alone now.
sr. member
Activity: 280
Merit: 257
bluemeanie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.

this project offers client side encryption for Gmail and it works completely in the web browser: https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba

a Browser based Cryptocurrency client would have similar security considerations.

keep trolling...
member
Activity: 98
Merit: 10
nearly dead
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.

You can ignore me as much as you please, just don't fuck the users with this broken tool you are planning. Hope you read the previous link.
sr. member
Activity: 280
Merit: 257
bluemeanie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.

he's just got some bone to pick, I would ignore him.
legendary
Activity: 2142
Merit: 1010
Newbie
I can only hope that at some point you will realize this has nothing to do with cryptography.

I didn't notice this.

Yes, I do know that p2p has nothing to do with cryptography. But it's essential for decentralized cryptocurrency.
member
Activity: 98
Merit: 10
nearly dead
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.

Seems that the javascript crypto space is inhabited by various individuals hacking out their own ideas and not much organization or collaboration, which is strange because browser-based crypto is very commonly requested by the development community.

Start reading here http://www.matasano.com/articles/javascript-cryptography/
sr. member
Activity: 280
Merit: 257
bluemeanie
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.



Crypto is part of the problem, interacting with the p2p network is another.

Seems that the javascript crypto space is inhabited by various individuals hacking out their own ideas and not much organization or collaboration, which is strange because browser-based crypto is very commonly requested by the development community.
sr. member
Activity: 280
Merit: 257
bluemeanie
have you worked much with WebRTC?

Not much, just played a little. This tech is still too raw.

I was looking at this also: http://www.pjsip.org/pjnath/docs/html/

it's a Java library that uses the same set of protocols for NAT traversal as WebRTC.
legendary
Activity: 2142
Merit: 1010
Newbie
have you worked much with WebRTC?

Not much, just played a little. This tech is still too raw.
sr. member
Activity: 280
Merit: 257
bluemeanie
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/


that is very interesting, thanks.  I might actually use this in my project.

have you worked much with WebRTC?
member
Activity: 98
Merit: 10
nearly dead
I would double check all your assumptions here.  The problem of connecting two people behind NAT is non-trivial.  I think what this article is talking about is a simple Browser API for connecting to other people who are connected to the server.  You haven't taken the server out of the equation, although you might hide some of the complexities of this arrangement.

http://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/

I can only hope that at some point you will realize this has nothing to do with cryptography.