Topic: can I get hacked if a Sign Message in bitcoin? (Read 317 times)

full member
Activity: 1022
Merit: 133
December 29, 2019, 12:33:57 PM
#12
No, he won't be able to, because signing a message is just like providing them with a masked version of your private key which can be verified to know you own the private key, but the masked version won't be able to trace the original one. More like server seed and server hash in a gambling site.
legendary
Activity: 2282
Merit: 2196
Signature space for rent
If you are dumb enough to include your private key in your sign message. Who knows? Newbies mostly dumb enough to do stupid things and sometimes
It has happened previously, although I can't remember the topic, but sometimes scammers use those tricks. Because when they talk with a person they know how this person will recognize.

However, mathematically it is still not possible to hack your bitcoin from a signed message. So you are safe for now.

But don't sign a message with your private keys if the message is provided by someone else. An attacker might attack in some way. I have heard a similar story previously. I don't know how they did it, but there is something like this hacking possibility. So there is no other way to hack you if they don't know your private keys.
legendary
Activity: 3472
Merit: 10611
the real answer is "it depends".
when we talk about "being hacked", it is not so much about the algorithms but about either users making a mistake or the tool they are using has a bug.

for example when it comes to signing a message, ECDSA on its own has no vulnerabilities so far and to break the 256 bit keys requires millions of years of work with current computing power. so you could say it is impossible to break it.
but that is not the problem. if for example you were using a bad tool (such as an unknown wallet with buggy code, or a website) to sign a message instead of using a good one that is reviewed then you could even reveal your private key! one way would be if the tool was using a bad RNG and/or were reusing k values. in which case your private key could be calculated in a second. and you don't need any long and complicated code for that!

so just make sure you understand what you are doing and always use trusted tools. for example use trusted wallets that are old and popular so that their code was reviewed. eg. Electrum. their cryptography implementation doesn't have any flaws, so you have nothing to worry about.
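Added example (not part of the original post, and not code from any wallet): a defensive audit for the k-reuse failure described above. It decodes the 65-byte base64 signatures that wallets produce for signed messages and flags any r value that one address used on two different messages, which is the visible symptom of a repeated k. Address labels and r/s values are constructed placeholders, and the accepted header range 27..42 is an assumption based on the common compact-signature (BIP137) convention.

```python
import base64
from collections import defaultdict

# Order of the secp256k1 group; valid r and s lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def parse_compact(sig_b64):
    """Decode a base64 signed-message signature into (header, r, s)."""
    raw = base64.b64decode(sig_b64, validate=True)
    if len(raw) != 65:
        raise ValueError("expected 65 bytes, got %d" % len(raw))
    header = raw[0]
    r = int.from_bytes(raw[1:33], "big")
    s = int.from_bytes(raw[33:], "big")
    if not 27 <= header <= 42:  # assumed BIP137 header range
        raise ValueError("header byte %d outside 27..42" % header)
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s outside [1, n-1]")
    return header, r, s


def audit_nonce_reuse(records):
    """records: iterable of (address, message, sig_b64).
    Returns {(address, r_hex): [messages]} for every r that one address
    used on more than one distinct message. The same message signed twice
    with a deterministic nonce repeats r harmlessly and is not flagged."""
    seen = defaultdict(set)
    for address, message, sig in records:
        _, r, _ = parse_compact(sig)
        seen[(address, format(r, "064x"))].add(message)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def make_sig(header, r, s):
    # Constructed test vector: only the wire layout, not a valid signature.
    body = r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return base64.b64encode(bytes([header]) + body).decode()


# Constructed sample data (placeholder address labels, arbitrary r and s).
SAMPLE = [
    ("addr-A", "proof for Alice, 2019-12-03", make_sig(31, 0x1234, 0x1111)),
    ("addr-A", "proof for Bob, 2019-12-10", make_sig(31, 0x1234, 0x2222)),
    ("addr-A", "proof for Carol, 2019-12-20", make_sig(32, 0x9999, 0x3333)),
    ("addr-B", "unrelated signer", make_sig(27, 0x1234, 0x4444)),
]

if __name__ == "__main__":
    for (addr, r_hex), msgs in audit_nonce_reuse(SAMPLE).items():
        print("REUSED r for", addr, "r=..." + r_hex[-8:], "messages:", msgs)
```

Any hit means the signing tool should be retired and the funds moved to a key generated and used only with a reviewed wallet.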
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
Make sure the message you are signing is actually just a message, and maybe include the date as well, and the purpose of the message. Include no other details that are irrelevant.

Your message for example can be: "This is irlandescoin and I sign this message as proof I control this address for my friend (insert name here), this December 3 2019."

That way, no one else can use the message and signature to impersonate you for any other purpose.
hero member
Activity: 1106
Merit: 521
a friend told me someone with a long string of computer code could maybe hack the wallet.
Give him this address:    1LdRcdxfbSnmCYYNdeYpUnztiYzVfBEQeC
And this signed message: HZKZGWUXZFBA47D7Y7QXI36RLPYD7NKA
And this signature: G0HDFp3PobYt/ox0loZA/xw3M86+Lwls4xJPaNs+oTacdE3fMdeekdv0eQ86W2zbUcmlEvbE9GHfSL/ox9LvdBA=
There's 53880 Bitcoin in the address. Tell him to give it his best shot and see for himself how secure signing a message is.

Weird Flex, but okay.....................
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
Just kidding but I want to give a serious reminder (for newbies), guys.

Yes, your bitcoin can be hacked if you sign a message.

If you are dumb enough to include your private key in your sign message. Who knows? Newbies mostly dumb enough to do stupid things and sometimes some stupid things result in serious losses.

I said this because months ago I made a recommendation to include an email address (as another proof for account recovery) in a signed message. Then someone gave me a valuable warning that it is a stupid idea, which is what I agreed with. I was dumb in the past, as you can see.
(3) Registered email for specific account.
People wouldn't like to display their emails to the public... Email spammers will just get excited by the thread and just come over to compile lists of emails which they can later spam with scam and phishing links.
Emails that were used for registering accounts at least won't get deleted from the database even when the account changes hands so, it isn't necessary to sign with your email address too

So please don't include your private key in your sign message.
legendary
Activity: 2268
Merit: 18706
a friend told me someone with a long string of computer code could maybe hack the wallet.
Theoretically speaking, the right string of characters could hack your wallet. The right string of characters could also spell out the cure to cancer or perfectly encode a 4K video of Foxpup poledancing. Who knows.

Practically speaking, signing a message is currently completely safe and poses no risk to you whatsoever provided you do it correctly and only provide him with the message and the signature, and make sure you keep the private key you are using to sign, well, private. The only scenario in which this may change is if quantum computing develops to a stage where it can break ECDSA and recover a private key from a public key, but this is going to be decades away, if ever.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
a friend told me someone with a long string of computer code could maybe hack the wallet.
Give him this address:    1LdRcdxfbSnmCYYNdeYpUnztiYzVfBEQeC
And this signed message: HZKZGWUXZFBA47D7Y7QXI36RLPYD7NKA
And this signature: G0HDFp3PobYt/ox0loZA/xw3M86+Lwls4xJPaNs+oTacdE3fMdeekdv0eQ86W2zbUcmlEvbE9GHfSL/ox9LvdBA=
There's 53880 Bitcoin in the address. Tell him to give it his best shot and see for himself how secure signing a message is.
hero member
Activity: 567
Merit: 502
Hey yo let's go
No, unless he has an actual quantum computer with high qubit.

a friend told me someone with a long string of computer code could maybe hack the wallet.

anyway thanks for the answer.
hero member
Activity: 567
Merit: 502
Hey yo let's go
guys,

a friend is asking me to sign a message to prove I am holding the bitcoin address.

my question is: can he use the signature I generated and try to hack my wallet and steal my funds?

thank you.