Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 226. (Read 966173 times)

full member
Activity: 196
Merit: 100
I love Bitcoin
great work slush...cheers up..
hero member
Activity: 496
Merit: 500
It's getting toward the end of October, is the plan still to begin shipping Trezors this month?
hero member
Activity: 836
Merit: 1030
bits of proof
Can Trezor potentially be used like this?:

  • User registers a Bitcoin address (or a public key) with a service. That service then needs to require a unique random message to be signed with the corresponding private key for each login attempt. The private key is stored on Trezor. The site provides the message, the user signs it through a client by getting authorization via Trezor, and then sends the signed random message to the service in order to gain access. The service then also provides the option to have each critical request be confirmed with the exact same procedure but with a different public key to protect against session hijacking.
Should only sign a hash of that message; otherwise the seemingly random message could be the hash of a transaction and your signature could be pasted in to make it valid.
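The challenge-response login sketched in the quoted post, with the reply's caveat that the device must sign a prefixed hash and never the raw challenge, written out in Go as an added example. This is not Trezor's code nor code from anyone in the thread: the prefix string, the hostnames and the user names are constructed for the demo, and P-256 from Go's standard library stands in for secp256k1, which the standard library does not provide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Domain-separation prefix, an assumption for this demo; Bitcoin's own
// message signing uses "\x18Bitcoin Signed Message:\n" for the same reason.
const loginPrefix = "Trezor login challenge (demo):\n"

// loginDigest is the only thing the device signs at login. The raw challenge
// bytes are never signed, so a "nonce" that is really a transaction hash
// cannot yield a signature that is valid for that transaction.
func loginDigest(host string, nonce []byte) []byte {
	sum := sha256.Sum256(append([]byte(loginPrefix+host+"\x00"), nonce...))
	return sum[:]
}

// Service is the relying party: registered public keys per user, plus the
// outstanding nonces (hex nonce -> user), each valid for exactly one login.
type Service struct {
	host   string
	users  map[string]*ecdsa.PublicKey
	issued map[string]string
}

func NewService(host string) *Service {
	return &Service{host, map[string]*ecdsa.PublicKey{}, map[string]string{}}
}

// Issue hands out a fresh 32-byte random nonce bound to one user.
func (s *Service) Issue(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.issued[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Login deletes the nonce before checking anything (single use, so a captured
// signature cannot be replayed) and verifies over a digest it recomputes.
func (s *Service) Login(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	owner, ok := s.issued[key]
	delete(s.issued, key)
	pub := s.users[user]
	if !ok || owner != user || pub == nil {
		return errors.New("unknown, already used, or misattributed challenge")
	}
	if !ecdsa.VerifyASN1(pub, loginDigest(s.host, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Device stands in for the hardware wallet: the private key never leaves it.
// P-256 is used only because Go's standard library has no secp256k1.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: k}, err // caller must check err before use
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// SignLogin is the step the user approves on the device; the hostname the
// device shows on its screen is bound into the digest.
func (d *Device) SignLogin(host string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, loginDigest(host, nonce))
}

// SignatureCoversRawBytes reports whether a login signature for nonce also
// verifies as a plain signature over nonce itself; with the prefix it never does.
func SignatureCoversRawBytes(d *Device, host string, nonce []byte) (bool, error) {
	sig, err := d.SignLogin(host, nonce)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(d.PublicKey(), nonce, sig), nil
}

func main() {
	dev, _ := NewDevice()
	svc := NewService("exchange.example") // constructed hostname
	svc.users["alice"] = dev.PublicKey()
	nonce, _ := svc.Issue("alice")
	sig, _ := dev.SignLogin("exchange.example", nonce)
	fmt.Println("login:", svc.Login("alice", nonce, sig), "| replay:", svc.Login("alice", nonce, sig))
}
```

The service removes the nonce before it verifies anything, so a signature captured from one login is worthless afterwards, and the hostname mixed into the digest is what stops a signature collected by one site from being presented to another. Those two checks, plus the prefix, are what make the "random message" safe to sign regardless of which key the service asks for.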
hero member
Activity: 994
Merit: 507
If you don't have BTC, you don't need one
You must have missed all the discussion about identities. If this device can store thousands safely, it can store an identity safely.
To have a device where my online identity can't be stolen or faked is a huge non-bitcoin killer app. I think one day people will buy a Trezor even though they don't have BTC! (Once it gets a little bit cheaper)

I Trezor my identity a lot! Wink
hero member
Activity: 767
Merit: 500
How are multi-recipient bitcoin transactions displayed on the device screen?

Will
legendary
Activity: 2912
Merit: 1060
newbie
Activity: 31
Merit: 0
Not at all. All operations on TREZOR require the user to enter a PIN and a one-time password (OTP). The attacker would have to guess your PIN, which is very difficult because the one-time password makes a brute-force attack almost impossible.

Aha - so it does use a PIN although I am guessing that the PIN is being typed in on the PC (so is vulnerable to key logging).

I think if the PIN were to be entered into the device directly (i.e. no chance of key logging) then it would be a much better (although requiring at least a numeric keypad - a more expensive) solution.


The PIN is typed this way:

Client displays:
OOO
OOO
OOO

Trezor display (changes every time):
954
128
367

So no chance for keyloggers.

That is sweet! Man, I wish I had a BTC to buy one!

If you don't have BTC, you don't need one
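The PIN matrix scheme described in the post above (nine blank cells on the PC, a shuffled digit grid on the device screen, a new shuffle for every attempt), modelled in Go as an added example; it is not Trezor's firmware or client code. The demo PIN 1234 is constructed, the grid digits 1-9 follow the post, and the one-attempt layout and constant-time comparison are assumptions about how a device of this kind would be built.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// Layout is the 3x3 grid on the device: index i (row-major, 0..8) holds the
// digit shown at that cell. The PC client shows only nine blank cells.
type Layout [9]byte

// NewLayout draws a fresh random permutation of the digits 1-9 using
// Fisher-Yates over crypto/rand; the device does this for every attempt.
func NewLayout() (Layout, error) {
	var l Layout
	for i := range l {
		l[i] = byte('1' + i)
	}
	for i := len(l) - 1; i > 0; i-- {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return Layout{}, err
		}
		k := int(j.Int64())
		l[i], l[k] = l[k], l[i]
	}
	return l, nil
}

// PositionsFor models the human step: read each PIN digit off the device
// screen and click the matching blank cell on the PC. Only cells travel.
func PositionsFor(l Layout, pin string) ([]int, error) {
	positions := make([]int, 0, len(pin))
	for _, d := range []byte(pin) {
		i := bytes.IndexByte(l[:], d)
		if i < 0 {
			return nil, fmt.Errorf("digit %q is not on the grid", d)
		}
		positions = append(positions, i)
	}
	return positions, nil
}

// PINFromPositions is the device-side translation of clicked cells back into
// digits, using the layout that only the device screen ever showed.
func (l Layout) PINFromPositions(positions []int) (string, error) {
	out := make([]byte, 0, len(positions))
	for _, p := range positions {
		if p < 0 || p >= len(l) {
			return "", errors.New("cell index out of range")
		}
		out = append(out, l[p])
	}
	return string(out), nil
}

// Device holds the real PIN and the layout for the attempt in progress.
type Device struct {
	pin     string
	current *Layout
}

func NewDevice(pin string) *Device { return &Device{pin: pin} }

// StartPINEntry picks the layout for one attempt; it is what the screen shows.
func (d *Device) StartPINEntry() (Layout, error) {
	l, err := NewLayout()
	if err != nil {
		return Layout{}, err
	}
	d.current = &l
	return l, nil
}

// CheckPositions verifies the click sequence against the active layout and
// then discards that layout, so the same clicks cannot be submitted twice.
func (d *Device) CheckPositions(positions []int) bool {
	if d.current == nil {
		return false
	}
	l := *d.current
	d.current = nil
	entered, err := l.PINFromPositions(positions)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(entered), []byte(d.pin)) == 1
}

func main() {
	d := NewDevice("1234") // constructed demo PIN
	layout, _ := d.StartPINEntry()
	fmt.Printf("device screen:\n%s\n%s\n%s\n", layout[0:3], layout[3:6], layout[6:9])
	clicks, _ := PositionsFor(layout, "1234")
	fmt.Println("what the PC (and any keylogger on it) sees:", clicks)
	fmt.Println("accepted:", d.CheckPositions(clicks), "replayed:", d.CheckPositions(clicks))
}
```

Because the PC only ever transmits cell indexes and the device reshuffles the grid for each attempt, a keylogger or screen capture on the host learns which cells were clicked but not which digits they stood for, and a captured click sequence will not, except by chance, decode to the PIN under the next layout.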
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
The PIN is typed this way:

Client displays:
OOO
OOO
OOO

Trezor display (changes every time):
954
128
367

So no chance for keyloggers.

Oh - I hadn't picked that up (must have missed some posts) - I must admit it is now looking a lot better than I had thought for use as a general authentication device.
hero member
Activity: 994
Merit: 507
Not at all. All operations on TREZOR require the user to enter a PIN and a one-time password (OTP). The attacker would have to guess your PIN, which is very difficult because the one-time password makes a brute-force attack almost impossible.

Aha - so it does use a PIN although I am guessing that the PIN is being typed in on the PC (so is vulnerable to key logging).

I think if the PIN were to be entered into the device directly (i.e. no chance of key logging) then it would be a much better (although requiring at least a numeric keypad - a more expensive) solution.


The PIN is typed this way:

Client displays:
OOO
OOO
OOO

Trezor display (changes every time):
954
128
367

So no chance for keyloggers.

That is sweet! Man, I wish I had a BTC to buy one!
hero member
Activity: 964
Merit: 509
Not at all. All operations on TREZOR require the user to enter a PIN and a one-time password (OTP). The attacker would have to guess your PIN, which is very difficult because the one-time password makes a brute-force attack almost impossible.

Aha - so it does use a PIN although I am guessing that the PIN is being typed in on the PC (so is vulnerable to key logging).

I think if the PIN were to be entered into the device directly (i.e. no chance of key logging) then it would be a much better (although requiring at least a numeric keypad - a more expensive) solution.


The PIN is typed this way:

Client displays:
OOO
OOO
OOO

Trezor display (changes every time):
954
128
367

So no chance for keyloggers.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Not at all. All operations on TREZOR require the user to enter a PIN and a one-time password (OTP). The attacker would have to guess your PIN, which is very difficult because the one-time password makes a brute-force attack almost impossible.

Aha - so it does use a PIN although I am guessing that the PIN is being typed in on the PC (so is vulnerable to key logging).

I think if the PIN were to be entered into the device directly (i.e. no chance of key logging) then it would be a much better (although requiring at least a numeric keypad - a more expensive) solution.
hero member
Activity: 994
Merit: 507
As long as I keep the device safe, my identity is safe.

And that is the problem - there is a reason why hardware devices are the 2nd factor - they can be lost or stolen.

Although I like the idea of a single non-password method of logging in I don't know how you are going to actually stop it from just being used by someone else without resorting back to a PIN or password again (and adding some sort of bio-scanning to the Trezor would probably not be a very financially viable option).

From the FAQ:

If somebody steals my Trezor, they'll just empty out my wallet before I have the chance to restore anyway. Right?

Not at all. All operations on TREZOR require the user to enter a PIN and a one-time password (OTP). The attacker would have to guess your PIN, which is very difficult because the one-time password makes a brute-force attack almost impossible.


So it appears secure even if I lose it! I just have to get another Trezor, restore the seed I wrote down to the new Trezor, empty it, and then reset the Trezor with a new seed and fund the Trezor.
hero member
Activity: 994
Merit: 507
Can Trezor potentially be used like this?:

  • User registers a Bitcoin address (or a public key) with a service. That service then needs to require a unique random message to be signed with the corresponding private key for each login attempt. The private key is stored on Trezor. The site provides the message, the user signs it through a client by getting authorization via Trezor, and then sends the signed random message to the service in order to gain access. The service then also provides the option to have each critical request be confirmed with the exact same procedure but with a different public key to protect against session hijacking.
Yes, which is why I think the Trezor will be very popular, especially with exchanges!
legendary
Activity: 1078
Merit: 1003
Can Trezor potentially be used like this?:

  • User registers a Bitcoin address (or a public key) with a service. That service then needs to require a unique random message to be signed with the corresponding private key for each login attempt. The private key is stored on Trezor. The site provides the message, the user signs it through a client by getting authorization via Trezor, and then sends the signed random message to the service in order to gain access. The service then also provides the option to have each critical request be confirmed with the exact same procedure but with a different public key to protect against session hijacking.
hero member
Activity: 994
Merit: 507
Thanks for all the replies. I'm still learning about this device from all the little snippets of details. I can't wait to see the complete setup with some reviews by security professionals!

Keep up the good work guys! You guys are providing a vastly needed device for Bitcoin!
hero member
Activity: 532
Merit: 500
Just saw the video, your accent is indeed funny, but I guess mine is too! ^^ Love trezor, would be great if you could team up with the bitcoin atm guys and maybe implement the system in the atms in the near future! That would make things sooo super sweeet! Cheesy
sr. member
Activity: 441
Merit: 268
... that's basically advocating a return to 1-factor verification (using a Trezor instead of a password).

For signing using TREZOR you'd need to provide a passphrase/PIN code as well. So it is 2FA.
sr. member
Activity: 358
Merit: 250
...
Only someone with my Trezor could create a valid signature. It allows a lot of cool uses where no one can pretend to be you without the actual hardware!

Ummm.. yes. That's the problem, exactly.

Passwords, 2-factor auth, could all be a thing in the past! The Trezor keeps the private key hidden and secure. As long as I keep the device safe, my identity is safe. And for the online world that is a VERY exciting thing!

... that's basically advocating a return to 1-factor verification (using a Trezor instead of a password). There may be a lot of great uses for a Trezor but that's not going to be one of them!

Don't get me wrong - the Trezor is a great innovation for bitcoin, with many other potential applications, but hardware signing has been tested, used and mostly abandoned for online banking over the past two decades (crypto-boxes, smartcards, etc.). Just saving you some time.
sr. member
Activity: 358
Merit: 250
YubiKeys are JUST for securing an online account. A Trezor (or Bitcoin client) could act as an identity in and of itself! It's not 2-factor authentication but a single source of authentication that can be identified and tied to a Bitcoin public key.

A Yubikey has a unique, singular identity too (one key can be used on any number of sites). The real distinction is only that Yubico (Sweden) is the central "identity verification server", whereas with Trezor it could verify against the blockchain, which may have a few advantages. (The 'off-label' use of the blockchain for verifying ID etc. isn't really that new.)

The problem is that if someone steals your Trezor (or YubiKey) then it's really a distinction without a difference. Back in the early days of web based banking (very early, like "Netscape" early) banks provided hardware crypto boxes with a keypad and LCD, conceptually not unlike a Trezor, except USB wasn't invented yet. Smiley They used a challenge-response model, where the box signed a numerical "message" that was provided, and you typed the result back into your browser. Same thing there. Just too cumbersome and it was soon abandoned with the advent of SSL, etc. 2-factor verification has only relatively recently made a comeback for widespread use.

It's surprising that people still believe SSL provides any privacy at all considering recent revelations by Ladar Levison (Lavabit founder), Mr. Snowden etc.
ALL SSL communication should be considered a 3-way conversation (as in you, me and the [insert 3-letter agency of your choice]). It may be "secure" but it's certainly not private.

legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
As long as I keep the device safe, my identity is safe.

And that is the problem - there is a reason why hardware devices are the 2nd factor - they can be lost or stolen.

Although I like the idea of a single non-password method of logging in I don't know how you are going to actually stop it from just being used by someone else without resorting back to a PIN or password again (and adding some sort of bio-scanning to the Trezor would probably not be a very financially viable option).