Pages:
Author

Topic: [ANN] bitaddress.org Safe JavaScript Bitcoin address/private key - page 18. (Read 153371 times)

legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
[...]
As it is, it's too much of a hassle to verify authenticity.

Not at all.
newbie
Activity: 40
Merit: 0
As it is, it's too much of a hassle to verify authenticity.

Depending on how much money you're storing in the paper wallets, the hassle will be worth it.
full member
Activity: 194
Merit: 100
I used this site in the past but I want to be cautious. You do provide signed document with the version history including the hash. But I doubt anyone will go through that hassle.

The site would be much more usable if you provided browser extensions to verify the checksum. This is convenient and would require a hacker to break in your server AND whatever service you use to distribute the extension. Being it github, sourceforge, google chrome store, mozilla website or other.

Maybe a greasemonkey script, given it might be the simplest to develop. Or maybe even a bookmarklet. Now that I think about it, you could distribute the whole thing as a bookmarklet. Would be a huge bookmarklet, but it should work.

As it is, it's too much of a hassle to verify authenticity.
sr. member
Activity: 261
Merit: 285
Using tablet... i am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what i do.

I posted a fix for this 2 weeks ago, not sure if it's been noticed yet.

https://github.com/pointbiz/bitaddress.org/issues/68

member
Activity: 231
Merit: 10
I just made a paper wallet today (thanks for an awesome site btw!) and I noticed that the directions still tell users to sweep their funds into Mt. Gox.

"Spend your bitcoins by going to blockchain.info or mtgox.com and sweep the full balance of your private key into your account at their website. "

Perhaps that should be changed in light of the huge ball of suck that Gox has been lately?
member
Activity: 117
Merit: 10
bitarchitect
I've just checked and textbox works fine on Android (despite the fact that it doesn't count letters until you press GO/Enter). However on iOS is still failing (Both Chrome and Safari)
member
Activity: 117
Merit: 10
bitarchitect
Using tablet... i am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what i do.

If i use some other input form on some other webpage... keyboard appears normally.

Bug?


Same happens to me with different iOS/Android devices. Can't do anything

Weird. Works for me on an Android phone and tablet. Maybe it's a CSS z-index browser bug? Maybe the painting of the green dot is stopping you from focusing inside the textbox? The textbox is supposed to be higher in z-index. Just a guess at this point. Or maybe the page takes too much memory and the keyboard then doesn't load? I've seen that happen on my mobile with sites that consume a lot of memory. The keyboard fights to open itself up.

I'd like to improve the textbox input to handle copy/paste input. Also, I'm considering testing out onkeydown instead of onkeypress. Seems like with Android devices onkeypress does not fire until you press Enter/Go.

Lastly, this is a natural side effect of removing the "force generate" that used to occur on bitaddress.org. If the site along with your device has some problem collecting sufficient human entropy then it's best that the site will not show you a bitcoin address. Classic security versus convenience trade off.


Tomorrow I will try it with a Moto G with KitKat; by know I've failed with an old android, an iPhone 5s and An iPad Mini retina (so I guess its probably related to z-index on web browser, or the green paint, instead of memory issues... At least on iOS devices)
sr. member
Activity: 437
Merit: 415
1ninja
Using tablet... i am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what i do.

If i use some other input form on some other webpage... keyboard appears normally.

Bug?


Same happens to me with different iOS/Android devices. Can't do anything

Weird. Works for me on an Android phone and tablet. Maybe it's a CSS z-index browser bug? Maybe the painting of the green dot is stopping you from focusing inside the textbox? The textbox is supposed to be higher in z-index. Just a guess at this point. Or maybe the page takes too much memory and the keyboard then doesn't load? I've seen that happen on my mobile with sites that consume a lot of memory. The keyboard fights to open itself up.

I'd like to improve the textbox input to handle copy/paste input. Also, I'm considering testing out onkeydown instead of onkeypress. Seems like with Android devices onkeypress does not fire until you press Enter/Go.

Lastly, this is a natural side effect of removing the "force generate" that used to occur on bitaddress.org. If the site along with your device has some problem collecting sufficient human entropy then it's best that the site will not show you a bitcoin address. Classic security versus convenience trade off.
sr. member
Activity: 437
Merit: 415
1ninja
v2.8.0
https://www.bitaddress.org/bitaddress.org-v2.8.0-SHA1-87dcf19f02ee9fb9dd3a8c787bcf52eef944aa82.html
 - more entropy from browser fingerprinting for PRNG seed
 - user can add entropy through URL hash tag
 - seed mouse movement as 16-bit number
 - whole seed pool initially filled by window.crypto.getRandomValues
 - added textbox as an alternative input source for entropy
 - address will not generate without a minimum amount of human added entropy
   from mouse or keyboard
 - discard mouse movements less than 40ms apart
 - visualize points of entropy collection from the mouse

Is the increased (mouse) entropy used on all the tabs (like the paper wallet) or just on the first tab?

All the tabs.
member
Activity: 117
Merit: 10
bitarchitect
Using tablet... i am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what i do.

If i use some other input form on some other webpage... keyboard appears normally.

Bug?


Same happens to me with different iOS/Android devices. Can't do anything
hero member
Activity: 481
Merit: 500
v2.8.0
https://www.bitaddress.org/bitaddress.org-v2.8.0-SHA1-87dcf19f02ee9fb9dd3a8c787bcf52eef944aa82.html
 - more entropy from browser fingerprinting for PRNG seed
 - user can add entropy through URL hash tag
 - seed mouse movement as 16-bit number
 - whole seed pool initially filled by window.crypto.getRandomValues
 - added textbox as an alternative input source for entropy
 - address will not generate without a minimum amount of human added entropy
   from mouse or keyboard
 - discard mouse movements less than 40ms apart
 - visualize points of entropy collection from the mouse

Is the increased (mouse) entropy used on all the tabs (like the paper wallet) or just on the first tab?
donator
Activity: 674
Merit: 523
Using tablet... i am unable to enter any characters into textbox. Keyboard does not appear on the screen no matter what i do.

If i use some other input form on some other webpage... keyboard appears normally.

Bug?
hero member
Activity: 854
Merit: 658
rgbkey.github.io/pgp.txt
Just wanted to drop in to say thanks, I've used your site many times and I have 8 paper wallets printed from your site that I laminated and put in my room. Love it!
sr. member
Activity: 437
Merit: 415
1ninja
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?


I read that matasano article a long time ago but from what I remember it mostly does not apply to bitaddress because no external Javascript is loaded on the page. Javascript is Turing complete and bitaddress uses the same two validation techniques as all other open source software. Detached sig and checksums.

hero member
Activity: 899
Merit: 1002
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?


A browser addon could be a good approach. How do you propose updates and checksums are handled? Who signs the plugin?

Crypto.cat does it https://crypto.cat/  after they gave up on server provided client side due to audit failures and packaged it all in an extension.
Firefox could sign your .xpi file using xpisign.py (with a certificate from a trusted issuer, such as whatever cert you have for your site) and Mozilla will check the update for malicious code and then distro the update. Chrome same thing can sign using your site's cert and openssl except Chrome autoupdates for extensions are shady. IE I have no idea, Safari no idea. Just Cinfu VM is kind of risky for trusting to generate keys, this way with an addon server doesn't matter.  
sr. member
Activity: 437
Merit: 415
1ninja
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?


A browser addon could be a good approach. How do you propose updates and checksums are handled? Who signs the plugin?
hero member
Activity: 899
Merit: 1002
https://www.ssllabs.com/ssltest/analyze.html?d=bitaddress.org
Should probably fix this. Also, wouldn't it be safer to write a browser addon where the entire java client side script lived?
legendary
Activity: 2912
Merit: 1060
Yes in brain wallet your password is the private key essentially. Nothing to store.

In bip38 you must store an encrypted private key.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
Heya - how hard would it be to add BIP-38 for brainwallet addresses? You already have an implementation for paper wallet addresses, but adding it to brainwallets would dramatically increase security on them (imho).

I dont think that's possible as there's nothing to encrypt.

Huh? As far as I understand it, BIP-38 encrypts the private key? So confused right now, lol.

He means that with a brain wallet the private key is not saved/stored or printed anywhere. How do you encrypt something that is not there?
donator
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
Heya - how hard would it be to add BIP-38 for brainwallet addresses? You already have an implementation for paper wallet addresses, but adding it to brainwallets would dramatically increase security on them (imho).

I dont think that's possible as there's nothing to encrypt.

Huh? As far as I understand it, BIP-38 encrypts the private key? So confused right now, lol.
Pages:
Jump to: