
Topic: [ANNOUNCE] Collate v0.4: Bring your wallets together. (Read 2698 times)

newbie
Activity: 19
Merit: 0
I've just updated this to include support for syncing settings with a remote server (locally encrypted with AES-256 before storage) as well as updated the plugins to actually work with the latest APIs of their respective websites.

It also includes support for wallets with passphrases, so the RPC plugin is now generally usable without having to worry about exposing your wallet.
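What "locally encrypted before storage" looks like for a settings-sync feature, as an added example that is not Collate's code and not part of the original post. The page names only AES-256, so the scrypt key derivation, GCM mode, Node `crypto` module, blob layout and sample settings are all assumptions.

```javascript
// Added example: client-side encryption of a settings object before sync.
// Assumptions (not from Collate): scrypt key derivation, AES-256-GCM,
// the blob layout, and the field names of the sample settings below.
const nodeCrypto = require('crypto');

// Derive a 256-bit key from the passphrase; the salt travels with the blob.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt settings locally. Only the returned blob is sent to the sync server.
function sealSettings(settings, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(settings), 'utf8'), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Decrypt after download. Throws if the passphrase is wrong or the blob was modified.
function openSettings(blob, passphrase) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Returns true when the blob fails to open (wrong passphrase or tampering).
function rejects(blob, passphrase) {
  try { openSettings(blob, passphrase); return false; } catch (e) { return true; }
}

// Constructed sample settings: one watch-only account and one RPC account.
const sampleSettings = {
  accounts: [
    { type: 'blockexplorer', address: 'EXAMPLE-PUBLIC-ADDRESS' },
    { type: 'rpc', host: '127.0.0.1', user: 'example-user', password: 'example-rpc-password' },
  ],
};
```

The server stores the salt, nonce, tag and ciphertext but never the passphrase, so a compromised sync server yields nothing readable, and the GCM tag makes a modified blob fail to decrypt rather than load silently.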
newbie
Activity: 19
Merit: 0
So I've just released v0.3.10727, which adds some basic support for MtGox (basically read-only things like showing balance and open orders).

If someone is interested in writing a ticker viewer and trading operations into the plugin, get in contact with me via the forum's PM system or email.
newbie
Activity: 19
Merit: 0
Thing is, if someone has broken the Chrome sandbox between applications, they could just steal the raw data they want and then send the request off..  CAPTCHA won't do anything.  But as I mentioned before, at that point, if they can break that security barrier, you have to question whether or not they can just take control of the whole system (I'm not sure how sandboxed processes are between each other in Chrome relative to each of them to the OS, but I would assume it would be similar).

So assuming that the Chrome sandbox holds up (which it should), the only thing you have to watch out for is rogue Collate plugins (as in account types); but that's why we screen any plugins that are submitted so it doesn't happen ;)

EDIT: Also think of it like this; if they can break the security barrier between website <-> chrome extension, then they'll be able to break the security barrier between website <-> website and steal any session data or login information that you're sending to normal sites.  So at that point, I don't think it's really much of a concern (i.e. they could just steal the session data to Tradehill anyway.. why go to all the trouble of getting the information out of the extension?)
newbie
Activity: 11
Merit: 0
Tradehill went down minutes after I started to screw around with a JS API wrapper for it... Typical...

I'm having a think about writing a Tradehill plugin for it. The security implications are large so I'm going to have to have a think about a secure way of storing credentials and such.

Authorising transactions could be coupled with a simple captcha, could it not?

Just thinking into the reply box here... I'll sleep on it.
newbie
Activity: 19
Merit: 0
Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?

If the app is linked to your bitcoind, and an attacker has a way to execute arbitrary code within the browser controlling the app, then quite possibly yes.

Not quite possibly yes, the answer is completely yes.  It's for this exact reason that I've deprecated the Local Server plugin in 0.2, or at least relegated it to a highly not recommended option when the Block Explorer is available (which conveniently enough only requires the public BitCoin address to show your balance, rather than having to set up RPC information).
sr. member
Activity: 322
Merit: 251
Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?

If the app is linked to your bitcoind, and an attacker has a way to execute arbitrary code within the browser controlling the app, then quite possibly yes.
newbie
Activity: 19
Merit: 0
It seems that the Chrome Web Store version is not yet 0.2! I meant to do that previously, but it seems I forgot (I'll get it done now).  It addresses the following concern:

Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?
Any exploit that could compromise the sandbox could also likely compromise the whole machine.

In 0.2 you can use the Block Explorer to examine your wallet without actually having to run the BitCoin client.  This means you can keep wallet.dat on an encrypted partition via TrueCrypt or w/e and you can still monitor your account balance (although to send coins you will still need to start the BitCoin client for obvious reasons).  In 0.2 the Block Explorer method of viewing a wallet supersedes the old way of connecting to the BitCoin client since the latter requires that your private key be stored in memory all the time (which is a bad idea).

UPDATE: 0.2 is uploaded to the Chrome Web Store; I think it takes up to two hours to actually update in people's browsers however.
legendary
Activity: 1204
Merit: 1015
Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?
Any exploit that could compromise the sandbox could also likely compromise the whole machine.
newbie
Activity: 42
Merit: 0
Would this make my coins "hackable/stealable" by any 0 day chrome/firefox/browser exploits?
hero member
Activity: 772
Merit: 501
Thanks for the contribution!
newbie
Activity: 19
Merit: 0
Just to let everyone know, this project isn't dead, I've just been super busy lately with some other things.  Development should start again next week sometime.
newbie
Activity: 19
Merit: 0
I've just updated the source code in the repository (https://github.com/hach-que/Collate) to support reading a wallet via Block Explorer which means you now don't have to run the BitCoin server or leave your wallet unencrypted to do so (since it must be unencrypted for the BitCoin server to run).

So in summary, it's a much safer way of viewing your wallet from Collate since you don't have to leave your wallet unencrypted (and you shouldn't).  The main differences between the Block Explorer and the RPC-based plugin are that the former can't report or control local mining (but who does CPU mining these days?) and it also can't send coins on your behalf.

I've also merged the BTCGuild mining pool plugin from Wonderbread into the system, so that's built-in now for anyone using that mining pool.

This is the RC to the v0.2 release, however it's appreciated if people test the version in the repository so I can iron out any final bugs before packaging for the Chrome Web Store.
hero member
Activity: 588
Merit: 500
looks good
REF
hero member
Activity: 529
Merit: 500
Cool project. I hope someone can port it to FF; I have a few coins around and this would make it a lot nicer.
newbie
Activity: 19
Merit: 0
Nice. How about a port to Firefox 4.x and Opera 11.xx?

I haven't written a Firefox extension for years and I've never written an Opera extension at all (nor would I have the ability to maintain those).  I'm hoping someone with the relevant experience might have a go at doing it (it's 99% standard JavaScript so it should port easily).
newbie
Activity: 42
Merit: 0
Nice. How about a port to Firefox 4.x and Opera 11.xx?
newbie
Activity: 19
Merit: 0
I just finished the submission to the Chrome Web Store; I recommend that you install it from there as it means you'll get automatic updates when we release new plugins.
legendary
Activity: 1204
Merit: 1015
Quite impressive. I did a quick skim of the code and it looks clean enough. It's nice to have another frontend for the bitcoin client, especially since I can see my balance change as I browse!
newbie
Activity: 11
Merit: 0
Looking good mate :)

Subscribed.
hero member
Activity: 700
Merit: 500
I beta tested this, and I have to say, was very impressed! Could go a lot further :D