
Topic: [ANN] bitaddress.org Safe JavaScript Bitcoin address/private key - page 18. (Read 153019 times)

legendary
Activity: 1358
Merit: 1000
https://gliph.me/hUF
[...]
As it is, it's too much of a hassle to verify authenticity.

Not at all.
newbie
Activity: 40
Merit: 0
As it is, it's too much of a hassle to verify authenticity.

Depending on how much money you're storing in the paper wallets, the hassle will be worth it.
full member
Activity: 194
Merit: 100
I used this site in the past but I want to be cautious. You do provide a signed document with the version history including the hash. But I doubt anyone will go through that hassle.

The site would be much more usable if you provided browser extensions to verify the checksum. This is convenient and would require a hacker to break into your server AND whatever service you use to distribute the extension. Be it GitHub, SourceForge, Google Chrome store, Mozilla website or other.

Maybe a Greasemonkey script, given it might be the simplest to develop. Or maybe even a bookmarklet. Now that I think about it, you could distribute the whole thing as a bookmarklet. Would be a huge bookmarklet, but it should work.

As it is, it's too much of a hassle to verify authenticity.
sr. member
Activity: 261
Merit: 285
Using tablet... I am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what I do.

I posted a fix for this 2 weeks ago, not sure if it's been noticed yet.

https://github.com/pointbiz/bitaddress.org/issues/68

member
Activity: 231
Merit: 10
I just made a paper wallet today (thanks for an awesome site btw!) and I noticed that the directions still tell users to sweep their funds into Mt. Gox.

"Spend your bitcoins by going to blockchain.info or mtgox.com and sweep the full balance of your private key into your account at their website. "

Perhaps that should be changed in light of the huge ball of suck that Gox has been lately?
member
Activity: 117
Merit: 10
bitarchitect
I've just checked and textbox works fine on Android (despite the fact that it doesn't count letters until you press GO/Enter). However, on iOS it is still failing (both Chrome and Safari).
member
Activity: 117
Merit: 10
bitarchitect
Using tablet... I am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what I do.

If I use some other input form on some other webpage... keyboard appears normally.

Bug?


Same happens to me with different iOS/Android devices. Can't do anything

Weird. Works for me on an Android phone and tablet. Maybe it's a CSS z-index browser bug? Maybe the painting of the green dot is stopping you from focusing inside the textbox? The textbox is supposed to be higher in z-index. Just a guess at this point. Or maybe the page takes too much memory and the keyboard then doesn't load? I've seen that happen on my mobile with sites that consume a lot of memory. The keyboard fights to open itself up.

I'd like to improve the textbox input to handle copy/paste input. Also, I'm considering testing out onkeydown instead of onkeypress. Seems like with Android devices onkeypress does not fire until you press Enter/Go.

Lastly, this is a natural side effect of removing the "force generate" that used to occur on bitaddress.org. If the site along with your device has some problem collecting sufficient human entropy then it's best that the site will not show you a bitcoin address. Classic security versus convenience trade off.


Tomorrow I will try it with a Moto G with KitKat; by now I've failed with an old Android, an iPhone 5s and an iPad Mini Retina (so I guess it's probably related to z-index on web browser, or the green paint, instead of memory issues... At least on iOS devices)
sr. member
Activity: 437
Merit: 415
1ninja
Using tablet... I am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what I do.

If I use some other input form on some other webpage... keyboard appears normally.

Bug?


Same happens to me with different iOS/Android devices. Can't do anything

Weird. Works for me on an Android phone and tablet. Maybe it's a CSS z-index browser bug? Maybe the painting of the green dot is stopping you from focusing inside the textbox? The textbox is supposed to be higher in z-index. Just a guess at this point. Or maybe the page takes too much memory and the keyboard then doesn't load? I've seen that happen on my mobile with sites that consume a lot of memory. The keyboard fights to open itself up.

I'd like to improve the textbox input to handle copy/paste input. Also, I'm considering testing out onkeydown instead of onkeypress. Seems like with Android devices onkeypress does not fire until you press Enter/Go.

Lastly, this is a natural side effect of removing the "force generate" that used to occur on bitaddress.org. If the site along with your device has some problem collecting sufficient human entropy then it's best that the site will not show you a bitcoin address. Classic security versus convenience trade off.
sr. member
Activity: 437
Merit: 415
1ninja
v2.8.0
https://www.bitaddress.org/bitaddress.org-v2.8.0-SHA1-87dcf19f02ee9fb9dd3a8c787bcf52eef944aa82.html
 - more entropy from browser fingerprinting for PRNG seed
 - user can add entropy through URL hash tag
 - seed mouse movement as 16-bit number
 - whole seed pool initially filled by window.crypto.getRandomValues
 - added textbox as an alternative input source for entropy
 - address will not generate without a minimum amount of human added entropy
   from mouse or keyboard
 - discard mouse movements less than 40ms apart
 - visualize points of entropy collection from the mouse

Is the increased (mouse) entropy used on all the tabs (like the paper wallet) or just on the first tab?

All the tabs.
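
The seeding rules listed in the v2.8.0 changelog above, as an added sketch that is not part of the original post and is not bitaddress.org's code. The class and method names, the XOR mixing, the SHA-256 output step and the `MIN_HUMAN_EVENTS` threshold are assumptions; only the 40 ms gap, the 16-bit seeding and the CSPRNG-filled pool come from the changelog.

```javascript
// Added sketch, not bitaddress.org's code. Names and threshold are assumptions.
const nodeCrypto = require("node:crypto");

const MIN_GAP_MS = 40;       // changelog: discard mouse movements < 40 ms apart
const MIN_HUMAN_EVENTS = 64; // hypothetical minimum; the thread gives no number

class SeedPool {
  // fill() is injectable so tests can use a constructed, deterministic pool.
  constructor(size = 256, fill = (buf) => nodeCrypto.randomFillSync(buf)) {
    this.pool = fill(new Uint8Array(size)); // whole pool starts as CSPRNG output
    this.ptr = 0;
    this.humanEvents = 0;
    this.lastMouseMs = -Infinity;
  }

  // XOR a 16-bit number into the pool. XORing independent input into
  // CSPRNG output cannot reduce the entropy already there.
  seedInt16(value) {
    for (const byte of [(value >>> 8) & 0xff, value & 0xff]) {
      this.pool[this.ptr] ^= byte;
      this.ptr = (this.ptr + 1) % this.pool.length;
    }
  }

  // Returns true when the movement was accepted as a point of entropy.
  addMouseMove(clientX, clientY, timeMs) {
    if (timeMs - this.lastMouseMs < MIN_GAP_MS) return false;
    this.lastMouseMs = timeMs;
    this.seedInt16((clientX * clientY) & 0xffff);
    this.seedInt16(timeMs & 0xffff);
    this.humanEvents += 1;
    return true;
  }

  // Textbox alternative: each typed character counts as one human event.
  addKeyPress(charCode, timeMs) {
    this.seedInt16(charCode & 0xffff);
    this.seedInt16(timeMs & 0xffff);
    this.humanEvents += 1;
  }

  ready() { return this.humanEvents >= MIN_HUMAN_EVENTS; }

  // No "force generate": refuse to emit seed material without human input.
  deriveSeed() {
    if (!this.ready()) throw new Error("not enough human entropy collected");
    return nodeCrypto.createHash("sha256").update(this.pool).digest();
  }
}
```

Because the gate counts accepted events rather than elapsed time, a device whose input events never reach the page gets no address at all, which is the behaviour reported on some tablets in this thread.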
member
Activity: 117
Merit: 10
bitarchitect
Using tablet... I am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what I do.

If I use some other input form on some other webpage... keyboard appears normally.

Bug?


Same happens to me with different iOS/Android devices. Can't do anything
hero member
Activity: 481
Merit: 500
v2.8.0
https://www.bitaddress.org/bitaddress.org-v2.8.0-SHA1-87dcf19f02ee9fb9dd3a8c787bcf52eef944aa82.html
 - more entropy from browser fingerprinting for PRNG seed
 - user can add entropy through URL hash tag
 - seed mouse movement as 16-bit number
 - whole seed pool initially filled by window.crypto.getRandomValues
 - added textbox as an alternative input source for entropy
 - address will not generate without a minimum amount of human added entropy
   from mouse or keyboard
 - discard mouse movements less than 40ms apart
 - visualize points of entropy collection from the mouse

Is the increased (mouse) entropy used on all the tabs (like the paper wallet) or just on the first tab?
donator
Activity: 674
Merit: 522
Using tablet... I am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what I do.

If I use some other input form on some other webpage... keyboard appears normally.

Bug?
hero member
Activity: 854
Merit: 658
rgbkey.github.io/pgp.txt
Just wanted to drop in to say thanks, I've used your site many times and I have 8 paper wallets printed from your site that I laminated and put in my room. Love it!
sr. member
Activity: 437
Merit: 415
1ninja
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?


I read that Matasano article a long time ago but from what I remember it mostly does not apply to bitaddress because no external JavaScript is loaded on the page. JavaScript is Turing complete and bitaddress uses the same two validation techniques as all other open source software. Detached sig and checksums.

hero member
Activity: 899
Merit: 1002
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?


A browser addon could be a good approach. How do you propose updates and checksums are handled? Who signs the plugin?

Crypto.cat does it https://crypto.cat/ after they gave up on server provided client side due to audit failures and packaged it all in an extension.
Firefox could sign your .xpi file using xpisign.py (with a certificate from a trusted issuer, such as whatever cert you have for your site) and Mozilla will check the update for malicious code and then distro the update. Chrome same thing can sign using your site's cert and openssl except Chrome autoupdates for extensions are shady. IE I have no idea, Safari no idea. Just Cinfu VM is kind of risky for trusting to generate keys, this way with an addon server doesn't matter.
sr. member
Activity: 437
Merit: 415
1ninja
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?


A browser addon could be a good approach. How do you propose updates and checksums are handled? Who signs the plugin?
hero member
Activity: 899
Merit: 1002
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?
legendary
Activity: 2912
Merit: 1060
Yes, in a brain wallet your password is the private key essentially. Nothing to store.

In BIP38 you must store an encrypted private key.
legendary
Activity: 1358
Merit: 1000
https://gliph.me/hUF
Heya - how hard would it be to add BIP-38 for brainwallet addresses? You already have an implementation for paper wallet addresses, but adding it to brainwallets would dramatically increase security on them (imho).

I don't think that's possible as there's nothing to encrypt.

Huh? As far as I understand it, BIP-38 encrypts the private key? So confused right now, lol.

He means that with a brain wallet the private key is not saved/stored or printed anywhere. How do you encrypt something that is not there?
donator
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
Heya - how hard would it be to add BIP-38 for brainwallet addresses? You already have an implementation for paper wallet addresses, but adding it to brainwallets would dramatically increase security on them (imho).

I don't think that's possible as there's nothing to encrypt.

Huh? As far as I understand it, BIP-38 encrypts the private key? So confused right now, lol.