Pages:
Author

Topic: GUIDE:Important factors to take into account while choosing a wallet (Read 561 times)

sr. member
Activity: 588
Merit: 438
Forum Only For Fun
If the wallet is open source and supports several other features, then stop there and decide that the wallet is worth using and will be the wallet that will be used for storing assets.
✂️

It is difficult for most users to verify every line of code of an open source wallet, but at least if you don't have the skill to do it, it is better you use a wallet that has been well reviewed. What i mean is, let's say Wallet A is a new open source wallet and you are to choose between it and Electrum, without verifying any line of code in any of the wallet, choosing Electrum is the most sensible thing to do because you are sure that it has been reviewed by many users in the community.

Yes, right. It takes special skills to test and verify every line of code and I'm one of those people who doesn't have the skills to do that. I mean, using a wallet that has been well reviewed by most users here [not elsewhere] is a logically acceptable choice for me.

I understand what you mean about wallet selection. For example, currently I use Unstoppable and BlueWallet. One of the wallets I mentioned can be connected to Electrum which is the Bitcoin wallet with the best recognition after I have considered it because it has received reviews from great users on the forum.
However, I will decide to create a new address instead of importing the seed phrase from the open source wallet I am currently using.
full member
Activity: 1008
Merit: 139
★Bitvest.io★ Play Plinko or Invest!
/.../
Not in this example. Remember, it's a tiny project, meaning that it's probably relatively unknown with a small team of coders, independent testers and code verifiers, and end-users. 

I totally get what you're saying. Not all open source stuff is automatically more secure.  A tiny team could mean more personalized attention, but it also sets off alarm bells around potential weaknesses and  compared to the big shots these guys likely don't have the deep pockets for extensive testing and verification. So, the community plays a big role. The bigger the community, the less chance of a security hole. At least in general...
legendary
Activity: 2730
Merit: 7065
The problem is that some people don't have the technical knowledge to read the code.
I want to change what you wrote to make things clearer. Some people (a minority) have the technical knowledge to read and understand code. The majority of everyday users don't possess that skill.

It's kind of like trying to decide between some small, homey diner in your neighborhood that everyone raves about, and some huge chain restaurant.  Even though those big places might have a ton more resources and stuff, that definitely doesn't automatically make their food better and  sometimes those little indie open-source deals are like hidden gems - theyve got these hardcore fans backing them and people working on making them better all the time.
Not in this example. Remember, it's a tiny project, meaning that it's probably relatively unknown with a small team of coders, independent testers and code verifiers, and end-users. 
hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
To this question I personally go for the open source one most of the times.
If you can independently verify their code and ensure it is safe, then do it. Trusting tiny companies is also risky because there is little community contribution to verifying their code.
full member
Activity: 1008
Merit: 139
★Bitvest.io★ Play Plinko or Invest!

Electrum is the most recommended Open Source wallet because it has a strong community with ongoing development.

No doubt. Sparrow too. I mainly use sparrow to be honest. And yes, your point is correct.

However, the proper question to address here is: should I trust a tiny open source project or a huge closed source one?

To this question I personally go for the open source one most of the times.

I totally understand you on this one.  It's kind of like trying to decide between some small, homey diner in your neighborhood that everyone raves about, and some huge chain restaurant.  Even though those big places might have a ton more resources and stuff, that definitely doesn't automatically make their food better and  sometimes those little indie open-source deals are like hidden gems - theyve got these hardcore fans backing them and people working on making them better all the time.  How much you trust something is a personal thing for sure but it's cool to see people thinking about more than just how big and famous something is.
hero member
Activity: 560
Merit: 1060

Electrum is the most recommended Open Source wallet because it has a strong community with ongoing development.

No doubt. Sparrow too. I mainly use sparrow to be honest. And yes, your point is correct.

However, the proper question to address here is: should I trust a tiny open source project or a huge closed source one?

To this question I personally go for the open source one most of the times.
legendary
Activity: 2716
Merit: 1859
Rollbit.com | #1 Solana Casino
Yes, absolutely, but it's still better to know what you use than to be absolutely blind as far as the code is concerned. The problem is that some people don't have the technical knowledge to read the code. And that's a big issue because in this case, being open-source is not very different.
As I said earlier, Verification of the community and how many people are in the community is very important,
so that those who are completely blind about code will know with the explanation of the developers who are members of the community.

That's why it's important to choose an open-source wallet with an active community and constant updates.
Being Open Source is not much different when users don't know anything and no one is doing the development. 

Electrum is the most recommended Open Source wallet because it has a strong community with ongoing development.
hero member
Activity: 560
Merit: 1060
Open Source is just a sign that the wallet can be developed by anyone and the code can be verified by the community.
But there is no guarantee that Open Source wallets will remain secure.

Yes, absolutely, but it's still better to know what you use than to be absolutely blind as far as the code is concerned. The problem is that some people don't have the technical knowledge to read the code. And that's a big issue because in this case, being open-source is not very different.
legendary
Activity: 2716
Merit: 1859
Rollbit.com | #1 Solana Casino
It may be worth mentioning that you should not stop your research if you find out that the wallet is open source, because open source doesn't mean that the wallet is automatically secure, but it is surely a positive point to use a wallet. There are wallets that lie in their websites that they are open source and even have Github repositories that haven't been updated for a long time,
-snip-
Open Source is just a sign that the wallet can be developed by anyone and the code can be verified by the community.
But there is no guarantee that Open Source wallets will remain secure.

When the developer of an Open Source Wallet or a new wallet does not get much attention, there are no revisions or fixes for existing bugs, and no feature updates that must keep up with transaction developments.
Therefore, it is necessary to choose an Open Source wallet with a strong community so that updates can continue to be made.

I don't think it's being neglected on purpose, it's just that not many people have the skillset to do it properly or fully. I don't know how to do roofing or plumbing, so I can't bring anything useful to the table. It's the same with verifying the security of a piece of code.
-snip-
As @pmalek said, code testing is not neglected but it is not easy to improve or develop open source wallets without having expertise in wallet programming and so on.
This will be a task for developers who are already experts in the field.

We may only be able to contribute by using the wallet and reporting when some bugs appear.
legendary
Activity: 994
Merit: 1089
If the wallet is open source and supports several other features, then stop there and decide that the wallet is worth using and will be the wallet that will be used for storing assets.
It may be worth mentioning that you should not stop your research if you find out that the wallet is open source, because open source doesn't mean that the wallet is automatically secure, but it is surely a positive point to use a wallet. There are wallets that lie in their websites that they are open source and even have Github repositories that haven't been updated for a long time, like Trust wallet; some users at first glance may think they are open source, whereas they are a closed source wallet.

It is difficult for most users to verify every line of code of an open source wallet, but at least if you don't have the skill to do it, it is better you use a wallet that has been well reviewed. What i mean is, let's say Wallet A is a new open source wallet and you are to choose between it and Electrum, without verifying any line of code in any of the wallet, choosing Electrum is the most sensible thing to do because you are sure that it has been reviewed by many users in the community.
legendary
Activity: 2730
Merit: 7065
Inspection and testing of code tends to be neglected. Users only view and search for available features.
I don't think it's being neglected on purpose, it's just that not many people have the skillset to do it properly or fully. I don't know how to do roofing or plumbing, so I can't bring anything useful to the table. It's the same with verifying the security of a piece of code.

Let's look at compiling an open-source wallet from the source code. I can easily learn how to take the publicly available code and build the wallet from that. I could then follow instructions to check if my binaries match the source code. What does that tell me? It only tells me that the code the developers use in their software and that is publicly available is the same one I used to get identical build results. It doesn't bring me one step closer to understanding it or knowing what it does and how safe it is. And we are back to trusting a wider community that they have done a good job reviewing the code properly. It's always going to be better than having no code available for public scrutiny, but there is always a BUT! 
sr. member
Activity: 588
Merit: 438
Forum Only For Fun
My question is whether just looking at the availability of features such as open source before looking at other features including the Replace-by-Fee and Sign and verify a message features without paying attention to the authenticity behind the mask of open source is dangerous?
If a wallet is open-source, but you are not sure whether its secure or not, you can make a new topic in this forum and ask people about the wallet. If the code has been reviewed by many people and the no vulnerability has been reported, it's probably secure. It's possible that there's a vulnerability that hasn't been discovered yet, but if many people have reviewed the code and the wallet is well-known enough, that's unlikely.

Inspection and testing of code tends to be neglected. Users only view and search for available features. If the wallet is open source and supports several other features, then stop there and decide that the wallet is worth using and will be the wallet that will be used for storing assets.
For me, this is a phenomenon that can have a bad impact other than wallet users who really understand the science of coding and not the right answer leading to a solution.


✂️
I say when choosing a wallet there are certain red lines that you don't want the project to cross and if it does, you won't choose it. If it doesn't, then you can start thinking about maybe choosing it. In other words you eliminate the undesirables then choose the best option from what remains.
For example if a wallet is closed source, that is a red line so it is not even considered even if it has all the features in the world.

Closed source is on my boycott list even though the wallet has a lot of users because it supports all the feature requirements I want even though the wallet is a hardware device that is not close to an internet connection.

I will continue to look for answers on how to prove the authenticity behind the facade of open source displayed other than on tested wallets like Eletrum.
legendary
Activity: 3472
Merit: 10611
My question is whether just looking at the availability of features such as open source before looking at other features including the Replace-by-Fee and Sign and verify a message features without paying attention to the authenticity behind the mask of open source is dangerous?
I say when choosing a wallet there are certain red lines that you don't want the project to cross and if it does, you won't choose it. If it doesn't, then you can start thinking about maybe choosing it. In other words you eliminate the undesirables then choose the best option from what remains.
For example if a wallet is closed source, that is a red line so it is not even considered even if it has all the features in the world.
legendary
Activity: 2730
Merit: 7065
If a wallet is open-source, but you are not sure whether its secure or not, you can make a new topic in this forum and ask people about the wallet. If the code has been reviewed by many people and the no vulnerability has been reported, it's probably secure.
One might say that's not good enough if one is totally paranoid. I don't know anyone on Bitcointalk who has said they check every single line of code, which is understandable since we are talking about thousands of lines of code and more. So the trust switches from a development team to a group of people who have verified maybe 10%, maybe 20%, or 50% of the code.

Don't get me wrong, this is not a say no to open-source argument. It's just an observation that relying on people one way or the other is always dangerous.   
legendary
Activity: 2380
Merit: 5213
My question is whether just looking at the availability of features such as open source before looking at other features including the Replace-by-Fee and Sign and verify a message features without paying attention to the authenticity behind the mask of open source is dangerous?
If I want to choose a wallet, the first thing I would check is whether the code is available to the public or not and then I would go to check features like RBF, coin control, etc.

If a wallet is open-source, but you are not sure whether its secure or not, you can make a new topic in this forum and ask people about the wallet. If the code has been reviewed by many people and the no vulnerability has been reported, it's probably secure. It's possible that there's a vulnerability that hasn't been discovered yet, but if many people have reviewed the code and the wallet is well-known enough, that's unlikely.

If a wallet is close-source, I would never consider that as a safe wallet even if there are millions of people recommending that wallet.
sr. member
Activity: 588
Merit: 438
Forum Only For Fun
when it comes to the choice of wallet, always make sure that it is open source.
This part may be a little tricky specially if the "company" behind the wallet is trying to fool people. There are a couple of ways closed source wallets use to pretend they are open source.
- One way is to open up a GitHub account and put some code on there. It could be an older version of the wallet that is no longer updated or it usually is only part of the wallet code like the backend instead of the entire thing. People checking this on GitHub would think it is 100% open source when it is not true.
- Another way is to publish the entire code but the code has nothing to do with the binaries they release. For example there are some wallets specially the mobile wallets that have a published source code but the code is not updated with their releases! In other words they release a new version but when you check their code, you see no activity!

This is why having reproducible builds is important.

People tend to choose a wallet when the important features they want are available so that further testing is no longer a concern. Testing the authenticity of open source is in a way neglected due to ignorance in testing it like I still don't know about the science of code.
Another tendency for people to choose a wallet is due to the number of users and the trust score in the application.

My question is whether just looking at the availability of features such as open source before looking at other features including the Replace-by-Fee and Sign and verify a message features without paying attention to the authenticity behind the mask of open source is dangerous?
The types of wallets such as Electrum or mobile wallets that are recommended may not be included in my question because they have been proven to be good if we download not from a phishing link.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
My biggest concern is that it's a small project that is surely not as reviewed as other bigger hardware wallets.
The only part where it is "less reviewed" than the rest is the UI part, as far as I can tell. SeedSigner relies on the libsecp256k1 which is used and maintained by Bitcoin Core. The most important Bitcoin operations are done using the miniscript embit library, which is also used by Specter desktop (which is far more tested than this). Now add that there is an active team working on it, you verify everything, and that it's airgapped.

Still, maybe it's more secure to setup an airgapped computer with software like Electrum, but I can't deny the fact that this is secure and tested as well.
legendary
Activity: 2730
Merit: 7065
You can download Electrum from the original website and use a USB to transfer the app to your PC that is not  connected to the internet and generate the seeds, or you only on your internet once to download the electrum wallet app and after that you should never connect it to the internet after you must have generated your seed.
A computer that connects to the internet is no longer considered an airgapped machine even if you do it only once. The computer shouldn't have the ability to connect to the internet, meaning you should remove the network/WiFi card. The disk should also be completely encrypted and protected by a unique and secure password.

In other words, a device that contains your master private key and transports transactions and signatures using QR codes, without connecting to your computer, such as SeedSigner.
I was very interested in getting a Seedsigner lately, but I am slowly losing interest. My biggest concern is that it's a small project that is surely not as reviewed as other bigger hardware wallets. Since I have to trust the community to inspect the code and security of the device, doing that with a small project and team like the SeedSigner seems more dangerous than with a bigger one.
hero member
Activity: 560
Merit: 1060
<~>

Sorry mate, I didn't catch that. I use Sparrow, connected to my own electrum server. What did you want to point out?
hero member
Activity: 714
Merit: 1298


Many experienced bitcoiners use bitcoin core, but I believe it's only a matter of habit.

Personally I use Sparrow and I am very happy with it.


Depending on size of stash controlled  by   the open source Sparrow the latter can be configured in multiple ways including that one which requires communication with your private Bitcoin Core node.


When we choose the wallet our brain is always biased to something. Mine is biased to following things: open-source is much better than close source, multsig with  HW co-signers is better than singlesig, private node to communicate with is better than public one.   Smiley
Pages:
Jump to: