Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 67. (Read 966173 times)

Did you understand it?

Did you even bother to read the article?

Until 1.3.2, a physically compromised PC could extract the private key from a Trezor, if the owner happened to had the display turned off (or perhaps even with the display was turned on).  But that is good news for Trezor owners! 

Ahem.  Anyone remembers a guy who used to post warnings here about hypothetical physical attacks, and got called retard, paranoid, fudster, shill, and some nastier things?...

Extracting the Private Key from a TREZOR... with a 70 $ Oscilloscope
http://johoe.mooo.com/trezor-power-analysis/

Nice to see people working on breaking the Trezor and making it stronger!

Conclusion

Side channel attacks are not as difficult as many people think. A simple power analysis requires only a simple oscilloscope and that can hardly be called expensive laboratory equipment. You also need basic soldering skills and deep knowledge about the code that is running. It took only a single recording of the computation of the public key, to recover the private key. On the bright side, this simple side channel attack can be mitigated by using constant-time code and as I showed this code does not have to be slow.

The new firmware 1.3.3 is immune against this attack since it (1) requires a PIN to compute the public key and (2) uses branch-free computations for deriving the public key from the private key.

There is no complete protection against all kind of attacks. If your TREZOR gets stolen and it has no passphrase protection (or if the passphrase is weak), you should transfer the coins to a different wallet. There are other attack vectors like fault injection that could still be used and may get around the PIN protection. Basically, they use the fact that the microprocessor does unexpected things if power supply or the clock signal is broken. These are much more difficult to perform, but they are probably less expensive than using an electron microscope to read the seed from the chip. Also, there may be a bug in the microprocessor that allows for circumventing the read-out protection.

We have released firmware 1.3.3 with the TREZOR Connect for passwordless login to websites and apps.
 
Read more here http://satoshilabs.com/news/2015-04-07-trezor-firmware-1-3-3-connect-api/ and don't forget to update your firmware.

Are there any privacy concerns with using the Trezor for signing into websites? Is master public key shared or info that can link bitcoin addresses with identities? Does each website use it's own private key/public key for authentication? 
-

buytrezor.com doesn't have a "sign in with trezor" option?

i too would like to see full scale Armory integration.

Any plans to support this:

https://bitcoinarmory.com/verisign-discusses-collaboration-with-armory-to-secure-payment-addresses/

It's quite new, but it sounds like a credible improvement to BIP70

We have released firmware 1.3.3 with the TREZOR Connect for passwordless login to websites and apps.
 
Read more here http://satoshilabs.com/news/2015-04-07-trezor-firmware-1-3-3-connect-api/ and don't forget to update your firmware.