Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 157. (Read 966173 times)

full member
Activity: 162
Merit: 109
I think malware doesn't need to know the xpub for "Key OK" or "Key is not OK".
Malware can simply modify the DOM structure of the page and change the receive address. MyTrezor.com will not know that the address was changed, the Trezor will write "Key is OK" because it got the right address from MyTrezor, and the user will be deceived...
I think the Trezor should show the address for the path sent to it. And the user should check it against the address received from the computer.

And I think this should be a mandatory procedure (not from a button click "Check address") because many people will ignore it but afterwards will write in forums that they lost money from the Trezor...
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
I was thinking the Trezor just needed to say "key is OK" or "key is BAD" but if the malware knows the xpub it can send the correct next public key to the Trezor to get it to say OK but display the incorrect pub key on the computer so the Trezor would have to show the actual pub key and you would have to compare the two keys, right?

I could see a "verify address" button next to each address on the screen.  If I press that button the displayed address is sent to the Trezor for verification and if the same address appears on the Trezor screen then the address is a good one.
full member
Activity: 162
Merit: 109
I think the mytrezor.com site has a future vulnerability

If I understood correctly, the mytrezor.com site uses my xpub* keys for generating new addresses for receiving and checking balance (the other way could be that the user's computer generates new addresses internally by JavaScript and only sends the new addresses to mytrezor.com for balance checking, but that's a very difficult scheme). If a hacker has access to the victim's computer (where the Trezor is attached) he can (by trojans, man-in-the-middle attack with SSL certificate changing, etc.):

1) catch the xpub* keys of users and will know all addresses (current and all newly generated ones) of the user, and can know all balances in all addresses

2) He will be able to change the address for receiving to his phishing addresses (right in the browser instead of mytrezor's generated addresses)

If it's possible, here may be some workarounds:

1) I don't know how to resolve it. xpub keys should be used in the computer anyway - whether it's the mytrezor.com site or Electrum or Armory, for example. If the computer is infected the hacker will know the xpub key anyway.

2) This vulnerability can be fixed by checking newly generated addresses in the computer against the new address shown on the Trezor screen. For example: we ask mytrezor.com to generate a new address for receiving. The site sends the new address (path of BIP32) to the Trezor by the HID interface; the Trezor knows the private seed key, knows the path of the newly generated address, generates the same address too and shows it on the screen. The user checks both addresses and if OK - he uses the new address for receiving money. It's the ideal solution as I think. Because the phishing address will differ completely (very difficult to make quickly even a 1-3 character prefix or suffix) I think it will be enough to check 3-4 letters before (prefix) and 3-4 after (suffix) in addresses.

Now as a temporary workaround for #2 may be: we have an Android phone, install there the BTCReceive program from Google market, install there the xpub key from one account (BTCReceive now supports only one xpub key from one account) and do checking of new addresses against Trezor addresses. Both systems have BIP32 wallets and new addresses will be equal. I don't know a fine program for common OSes with full support of BIP32. So I think it's the single workaround solution now.

P.S. If the user uses a non-infected computer but is connected through public wifi or through a hacked router he can be a victim of a "man in the middle" attack. The attacker will decrypt traffic, change the receiving bitcoin address and send the encrypted traffic back to the user. Yes, here there will be another certificate signed by another certificate authority for the site mytrezor.com. But it can happen without any warnings if the browser has the certificate of such an authority in its storage. It often happens in airports for example (airport of London for example). So it's not a problem for implementation
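The two device-side designs argued over in the posts above (a device that only answers "Key is OK" for an address the host hands it, versus a device that derives the address from the BIP32 path itself and displays it for the user to compare) modelled in Python. This is an added example, not code from the thread or from SatoshiLabs: the seed, the xpub and the BIP32 child derivation are HMAC/SHA-256 stand-ins chosen only so that anyone holding the xpub can recompute an address, while the Base58Check encoding is the real one.

```python
import hashlib
import hmac

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check(payload: bytes) -> str:
    """Real Base58Check: payload + first 4 bytes of double-SHA256; leading zero bytes -> '1'."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def seed_to_xpub(seed: bytes) -> bytes:
    # Stand-in (assumption) for the account xpub a BIP32 wallet exports to the host.
    return hashlib.sha256(b"xpub|" + seed).digest()

def derive_address(xpub: bytes, path: str) -> str:
    # Stand-in (assumption) for BIP32 child derivation: whoever holds the xpub can compute
    # the address at any path, which is why xpub-aware malware can hand the device the
    # genuine address. Output is a P2PKH-style address (version byte 0x00).
    return base58check(b"\x00" + hmac.new(xpub, path.encode(), hashlib.sha512).digest()[:20])

def device_verdict_design_a(seed: bytes, path: str, host_address: str) -> str:
    """Design A (flawed): the device only answers OK/BAD for an address the host supplies."""
    return "Key is OK" if derive_address(seed_to_xpub(seed), path) == host_address else "Key is BAD"

def device_display_design_b(seed: bytes, path: str) -> str:
    """Design B (proposed in the thread): the device derives the address itself and shows it."""
    return derive_address(seed_to_xpub(seed), path)

def user_compares(on_screen: str, on_device: str, n: int = 4) -> bool:
    """The prefix/suffix check suggested in the post; comparing the whole string is safer."""
    return on_screen[:n] == on_device[:n] and on_screen[-n:] == on_device[-n:]

def simulate(design: str, malware: bool) -> dict:
    """One receive-address flow: where the user would pay and whether they would accept it."""
    seed = b"constructed example seed, not a real wallet"   # held only by the device
    path = "m/44'/0'/0'/0/5"
    genuine = derive_address(seed_to_xpub(seed), path)
    # Malware holds the xpub too, so it can show its own address in the DOM while still
    # passing the genuine one to the device.
    shown = derive_address(b"attacker-controlled", path) if malware else genuine
    if design == "A":
        accepted = device_verdict_design_a(seed, path, genuine) == "Key is OK"
    else:
        accepted = user_compares(shown, device_display_design_b(seed, path))
    return {"pays_to": shown, "genuine": genuine, "accepted": accepted}
```

With malware present, design A reports "Key is OK" while the user pays to the substituted address; design B puts the genuine address on the device screen, so the comparison fails and the substitution is caught.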
member
Activity: 114
Merit: 12
I think I found a bug!

I redeemed one of my cold storage addresses and sent 1 output to a "3xxxxx" multisig address and the remainder to my TREZOR. Now the address of the Trezor was obviously not a multisig address. BUT! The Trezor now shows it got the coins sent to a multisig address.

This is the address that is now shown in my TREZOR: 35cAcatwpoL5gbKF2Raahuh1Ts62eh3n16  (have no idea where it got it from!)
This is the transaction: https://blockchain.info/tx/257c8f37b48179668a07d1b0a25e864c3c28ea0b7dccdd96d80bd5b16ddb6cc5
The Trezor address is the 4.9999 output.



I had the same issue.

Just be careful and don't use "show used" to send to the same address again!
sr. member
Activity: 349
Merit: 250
I think I found a bug!

I redeemed one of my cold storage addresses and sent 1 output to a "3xxxxx" multisig address and the remainder to my TREZOR. Now the address of the Trezor was obviously not a multisig address. BUT! The Trezor now shows it got the coins sent to a multisig address.

This is the address that is now shown in my TREZOR: 35cAcatwpoL5gbKF2Raahuh1Ts62eh3n16  (have no idea where it got it from!)
This is the transaction: https://blockchain.info/tx/257c8f37b48179668a07d1b0a25e864c3c28ea0b7dccdd96d80bd5b16ddb6cc5
The Trezor address is the 4.9999 output.



This seems to be the issue reported here:

http://www.reddit.com/r/TREZOR/comments/2dcpx4/first_mytrezor_bug/

donator
Activity: 2772
Merit: 1019
Im just hoping that it is computer retard proof, as that is what I am

It is... it's just not "didn't-write-down-seed-words-proof" or "forgot-passphrase-proof"
donator
Activity: 2772
Merit: 1019
My classic First Edition hasn't arrived yet, and the tracking number is not active on auspost.

The blog post says all classics were sent "flying" out by 25th July, but the comment on my order says sent with tracking number XXXXX dated 2nd August

AUS customs is holding things back quite a bit usually. It's not unreasonable to assume all is well, just slow.
donator
Activity: 2772
Merit: 1019
Got all of my plastics now.  They sure took an interesting route to get to me (NY->NJ->CO->NJ->CO).  From the package tracking:

Code:
Aug 11, 2014,  5:45 pm  Delivered
Aug  9, 2014,  9:40 am  Available for Pickup
Aug  8, 2014,  4:23 pm  Departed USPS Facility    DENVER, CO 80217
Aug  8, 2014,  9:39 am  Arrived at USPS Facility  DENVER, CO 80217
Aug  6, 2014, 10:02 pm  Departed USPS Facility    JERSEY CITY, NJ 07097
Aug  6, 2014,  1:09 am  Arrived at USPS Facility  JERSEY CITY, NJ 07097
Aug  1, 2014, 11:51 pm  Departed USPS Facility    DENVER, CO 80217
Jul 31, 2014, 11:41 pm  Arrived at USPS Facility  DENVER, CO 80217
Jul 31, 2014,  2:08 am  Departed USPS Facility    KEARNY, NJ 07032
Jul 30, 2014, 11:55 am  Arrived at USPS Facility  KEARNY, NJ 07032
Jul 30, 2014, 12:46 am  Sort Facility             ISC NEW YORK NY(USPS)


The US postal service uses confused horses!
sr. member
Activity: 475
Merit: 250
If auspost is anything like canadapost it won't show until it reaches your country. This order is taking longer than the preorder from time of delivery but at least it shows as being in my country since Friday. 
hero member
Activity: 1316
Merit: 503
My classic First Edition hasn't arrived yet, and the tracking number is not active on auspost.

The blog post says all classics were sent "flying" out by 25th July, but the comment on my order says sent with tracking number XXXXX dated 2nd August

I'm in the same position.

Aus post wont track it =(
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
Thanks. One more question. If I lose my Trezor, am I able to recover my coins with the seed, without another Trezor, or would I have to buy another one to be able to access my coins?

You can recover from your seed to any compatible BIP39 wallet such as wallet32 for android

http://doc.satoshilabs.com/trezor-tech/cryptography.html
https://play.google.com/store/apps/details?id=com.bonsai.wallet32&hl=en

ok cool, thanks man.  I appreciate it...
hero member
Activity: 692
Merit: 500
Thanks. One more question. If I lose my Trezor, am I able to recover my coins with the seed, without another Trezor, or would I have to buy another one to be able to access my coins?

You can recover from your seed to any compatible BIP39 wallet such as wallet32 for android

http://doc.satoshilabs.com/trezor-tech/cryptography.html
https://play.google.com/store/apps/details?id=com.bonsai.wallet32&hl=en
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
I haven't had the chance to open my Trezor yet. So do I need to install the plug-in on every laptop that I plan on using the Trezor wallet with?

Until Bridge is released, yes

Thanks. One more question. If I lose my Trezor, am I able to recover my coins with the seed, without another Trezor, or would I have to buy another one to be able to access my coins?
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
Im just hoping that it is computer retard proof, as that is what I am
legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
I think I found a bug!

I redeemed one of my cold storage addresses and sent 1 output to a "3xxxxx" multisig address and the remainder to my TREZOR. Now the address of the Trezor was obviously not a multisig address. BUT! The Trezor now shows it got the coins sent to a multisig address.

This is the address that is now shown in my TREZOR: 35cAcatwpoL5gbKF2Raahuh1Ts62eh3n16  (have no idea where it got it from!)
This is the transaction: https://blockchain.info/tx/257c8f37b48179668a07d1b0a25e864c3c28ea0b7dccdd96d80bd5b16ddb6cc5
The Trezor address is the 4.9999 output.

full member
Activity: 236
Merit: 100
Received mine today, ran it through some tests, it works great!  Super easy!  I like that.  I don't mind the web wallet, but it will be extra cool when it also works with Armory or Bitcoin Core, definitely a great step forward.
hero member
Activity: 692
Merit: 500
I haven't had the chance to open my Trezor yet. So do I need to install the plug-in on every laptop that I plan on using the Trezor wallet with?

Until Bridge is released, yes
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
I blame the postal service. FML.

Actually (presumably because I am an early supporter) SatoshiLabs granted me a secret special privilege for a separate order.

Postal service sucks. I am waiting on a credit card that I need for international travel. It was supposed to be here yesterday but now I have to have it reissued because they said the "package was damaged in mail".

How does a credit card get damaged??? Lol

I haven't had the chance to open my Trezor yet. So do I need to install the plug-in on every laptop that I plan on using the Trezor wallet with?
hero member
Activity: 692
Merit: 500
I blame the postal service. FML.

Actually (presumably because I am an early supporter) SatoshiLabs granted me a secret special privilege for a separate order.
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
My classic First Edition hasn't arrived yet, and the tracking number is not active on auspost.

The blog post says all classics were sent "flying" out by 25th July, but the comment on my order says sent with tracking number XXXXX dated 2nd August

Wow, that seems odd that you were an early supporter and you haven't received yours yet, and the 2nd edition ones are already arriving at people's homes?