Author

Topic: Any online wallets that you can use through Tor without Javascript? (Read 1709 times)

newbie
Activity: 12
Merit: 0
A PRACTICAL SOLUTION:
by a 45 yr Silicon Valley Software Vet w/ A.I.&Quantum Compuiting&Attack Detection patents:

A) Analyze Customer/User request for purpose, plan, logic&alternatives.

B) Be offline. HTML w/o JS is more secure. True.

C) Communicate with TOR:  the theoretical lowbar semi-reliable standard for encrypted tunneling. True w/ nominal/reduced risk.

D) Problem pops up PRE-ENCRYPTING outbound transmission/post to server, unless JS or C or ? is enabled in offline mode. HTML can't add, but can be simply edited: A HUGE risk. A device w/ a textfile of sensitive info is as easy to hack as a ziptie lock.

E) This can be solved somewhat by running a 24/7 APP FIREWALL like NOROOT for Android that works well enough and would allow the device to edit, turn off JS later and send/post an encrypted form element created by Offline JS process to a server Perl CGI.

F) The offline JS enabled form can ask for one or two+ passwords to create a 2,048 bit (or 16/32/64 etc) hash used to encrypt the User Data which can be anything: a huge vault/textbox of keys, notes&whatever; easily packed&encrypted offline IF JS or C or ? is enabled, or perhaps packed in a password Zipfile using a simple notepad.

Otherwise, preencrypting transmission isn't happening.

G) That preencrypted tcp/ip or sftp or SMS post to the server can be made with JS disabled while online using https TOR or even http or SMS text since its preencrypted. A good reliable TOR browser is also available for Android. It loads everytime on boot for one of my devices&I notice it works better on LTE than 5G. Go figure. The SERVER running Perl can/should be a dumb Get&Write encrypted record to a flatfile&return a HASH of a time stamp+PID to the User: the CLAIM TICKET to find it later. Since the User encrypted the transmission offline neither the Server Admins nor a hacker/data thief can read the server entries.

H) However, the server really only acts as a backup repository&is simply protection of encrypted User Vault/Text/Keys in case User device is lost or User deletes the device BTC data during normal use. DropBox or GoogleDrive would work, but sometimes reject Zips. The alternative is to use an offline laptop with a permanent air gap, perhaps with a USB flash drive that can be plugged into a phone to move the data to the transmission device and server repo backup. That way the user retains a copy of the vault. However, some users specifically want to remove all BTC data from all devices, eliminating risk of theft or other "lifestyle interruptions". A server repo backup has it's perks.

E) Only the claim ticket holder can find and decrypt it by grabbing it from either a screen copy/paste; no Javascript. A royal pain and subject to script and NSA realtime plain text capabilities described by Snowden, but thwarted that attack via the preencryption.

OR simply download a JS or JQuery file or txt from server opened when offline, to decrypt OR Download a password protected Zipfile. Once a server repo is deemed reliable and easy, preencrypting&opening later when offline is safe&easy in 101 ways.

You can already do all of this with the tools mentioned, no new server or software required. However, some users want a dedicated platform so just ask.
hero member
Activity: 700
Merit: 500
Quote
I don't plan on trusting anyone. What I intend to do is generate a bunch of offline wallets by (for instance) downloading the html of bitaddress.org and using it at an offline computer. I'll transfer BTC to them and keep them offline until I need them. When I do need them I want to import the private key to an online wallet and immediately send out all the BTC in to a cashout account. The odds of that site being hacked or disappearing in the 2-3 minutes it will take me to do this are fairly low.

As far as using Tor, I want to err on the side of caution. Losing the BTC in any given wallet is less important to me than compromising my anonymity. That's why I'm paranoid about not using Javascript, given what happened with Tormail. I'm don't know much about Tor other than the basics though. Do you know of a way to route an local wallet client through Tor that would provide security comparable to using Vidalia with Javascript disabled?

And getting back to my original question, does ANYONE know of an online wallet that will work without Javascript, or does one not exist?

There is no online wallet that does this.

By demanding a web wallet you do seem to be demanding to trust someone.


Honestly BTC sucks at anonymity in the absolute. Have you considered pseudonymity as a substitute?

legendary
Activity: 2128
Merit: 1002
TradeFortress? Is that you?

hahah good one.
I can ask JohnK to grab his IP addresses and see if its from Aussie side.
newbie
Activity: 7
Merit: 0
TradeFortress? Is that you?

No.

I'd like to use Tor with Javascript disabled for all my bitcoin transactions, but I can't find any online wallet out there that will both allow the import of private keys and work without Javascript? Anyone know of one? It can be a wallet, exchange, tumbler, anything really that would allow me to send BTC from an imported paper wallet.

Give up on this online wallet thing. The death of Inputs.io should have killed this being a desirable thing.

What you can do though is fire up a local client and route your computer's connection to the internet through tor when you want to fire up your Bitcoin client. As bad as online wallets have been on the clear web, tor wallets have an even worse history.

It doesn't have to be a tor wallet necessarily. It can be a clearnet wallet that will work with tor and without javascript.

The only web wallet vaguely worth trusting anymore is blockchain.info, and only because it uses javascript to ideally allow you sole access to your private keys hough it is still potentially vulnerable to malicious javascript.

Here's a bit of a primer on why you don't want a random third party having your private keys, one on what constitutes a wallet, what happened to the last web wallet that tried the secure shared wallet model, and finally some extra credit reading because reading is informative.

Any time you don't have sole access to your private keys you don't have Bitcoin. How closely what you have to Bitcoin depends on the reliability of the counterparty to which you have made a deposit. Web wallets have been unreliable. Tor web wallets have been especially unreliable.

Honestly I don't really know that using tor to send a bitcoin transaction provides especially more privacy. Saying a BTC transaction was sent by IP address X is a daunting task to prove. More so than which pool relayed a new block first and even that is a challenging problem.

I don't plan on trusting anyone. What I intend to do is generate a bunch of offline wallets by (for instance) downloading the html of bitaddress.org and using it at an offline computer. I'll transfer BTC to them and keep them offline until I need them. When I do need them I want to import the private key to an online wallet and immediately send out all the BTC in to a cashout account. The odds of that site being hacked or disappearing in the 2-3 minutes it will take me to do this are fairly low.

As far as using Tor, I want to err on the side of caution. Losing the BTC in any given wallet is less important to me than compromising my anonymity. That's why I'm paranoid about not using Javascript, given what happened with Tormail. I'm don't know much about Tor other than the basics though. Do you know of a way to route an local wallet client through Tor that would provide security comparable to using Vidalia with Javascript disabled?

And getting back to my original question, does ANYONE know of an online wallet that will work without Javascript, or does one not exist?
hero member
Activity: 700
Merit: 500
Regarding inputs.io please keep in mind that this was not a hack. It also didn't suddenly make online wallets more unsafe than they always were.

Due to properties of Bitcoin the truth of this at the moment is indeterminate, though I seem to lean in the direction you do. This is largely due to inherent properties of Bitcoin though.

Quote
People will jump into online wallets again as soon as a new one that looks reliable appears, just because it is convenient. If you are the next scammer, here is my tip for you: get a good website design and people will automatically trust in giving their coins to you. Be sure to include the phrase "really safe, verified by blahblahblah" and then a link to a site like coindesk or any clueless news place with a paid story about the site.

I don't think an anon can set up an arrangement like Inputs.io anymore. That seemed to have been that last opportunity a venture like that could have had.

Quote
Answering the original question here: how do you expect to generate private keys in a browser through some site without any javascript ? Do you know that HTML is a Markup language ?

Just use a fucking local client already.
member
Activity: 98
Merit: 10
nearly dead
Regarding inputs.io please keep in mind that this was not a hack. It also didn't suddenly make online wallets more unsafe than they always were.

People will jump into online wallets again as soon as a new one that looks reliable appears, just because it is convenient. If you are the next scammer, here is my tip for you: get a good website design and people will automatically trust in giving their coins to you. Be sure to include the phrase "really safe, verified by blahblahblah" and then a link to a site like coindesk or any clueless news place with a paid story about the site.

Answering the original question here: how do you expect to generate private keys in a browser through some site without any javascript ? Do you know that HTML is a Markup language ?
hero member
Activity: 700
Merit: 500
You can use javascript empowered wallets if you use Tails.

Atruk's advice above is better than this though.

The only web wallet vaguely worth trusting anymore is blockchain.info, and only because it uses javascript to ideally allow you sole access to your private keys hough it is still potentially vulnerable to malicious javascript.

Here's a bit of a primer on why you don't want a random third party having your private keys, one on what constitutes a wallet, what happened to the last web wallet that tried the secure shared wallet model, and finally some extra credit reading because reading is informative.

Any time you don't have sole access to your private keys you don't have Bitcoin. How closely what you have to Bitcoin depends on the reliability of the counterparty to which you have made a deposit. Web wallets have been unreliable. Tor web wallets have been especially unreliable.

Honestly I don't really know that using tor to send a bitcoin transaction provides especially more privacy. Saying a BTC transaction was sent by IP address X is a daunting task to prove. More so than which pool relayed a new block first and even that is a challenging problem.
legendary
Activity: 1974
Merit: 1029
You can use javascript empowered wallets if you use Tails.

Atruk's advice above is better than this though.
hero member
Activity: 700
Merit: 500
I'd like to use Tor with Javascript disabled for all my bitcoin transactions, but I can't find any online wallet out there that will both allow the import of private keys and work without Javascript? Anyone know of one? It can be a wallet, exchange, tumbler, anything really that would allow me to send BTC from an imported paper wallet.

Give up on this online wallet thing. The death of Inputs.io should have killed this being a desirable thing.

What you can do though is fire up a local client and route your computer's connection to the internet through tor when you want to fire up your Bitcoin client. As bad as online wallets have been on the clear web, tor wallets have an even worse history.
full member
Activity: 237
Merit: 101
TradeFortress? Is that you?
newbie
Activity: 7
Merit: 0
I'd like to use Tor with Javascript disabled for all my bitcoin transactions, but I can't find any online wallet out there that will both allow the import of private keys and work without Javascript? Anyone know of one? It can be a wallet, exchange, tumbler, anything really that would allow me to send BTC from an imported paper wallet.
Jump to: