Author

Topic: New wallet uses Amazon hardware security modules to eliminate seed words (Read 150 times)

legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.
~snip~

I completely agree with this statement, but everyone has their own choice of news sources, and the OP obviously likes them for some reason.



~snip~
But considering amazon unethical practice and Amazon connection with some government department, there's concern to store sensitive data (including Bitcoin private key) on Amazon product.

Well said, I personally would never trust them because they don't care about anything other than profit. And as for their connection with governments, I recently watched a documentary about their "contribution" to the monitoring and evaluation of public officials through various AI programs, which turned out to be a complete failure.

If we're going to be honest, I don't even trust some companies that produce HW anymore because they've proven to be incompetent in that business, let alone a company that literally does everything and just wants to expand its business a little more.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Is this good?

I checked their website (https://www.kresus.com/), but couldn't find much explanation how their wallet or how it works. So personally i wouldn't use this wallet.

The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.

Anyway, a hardware security module (HSM) is similar to a hardware wallet. It holds private keys and will do cryptographic operations with those keys without ever revealing them.

--snip--

But considering amazon unethical practice and Amazon connection with some government department, there's concern to store sensitive data (including Bitcoin private key) on Amazon product.
legendary
Activity: 4466
Merit: 3391
The article is poorly written and the headline is wrong. That is very typical of CoinTelegraph articles.

Anyway, a hardware security module (HSM) is similar to a hardware wallet. It holds private keys and will do cryptographic operations with those keys without ever revealing them.

I believe there is a misunderstanding here and I'll give you my best guess at how it works. I believe that the Kresus wallet does use a seed, but it stores only an encrypted copy of it and is unable to decrypt it directly.

To get a decrypted copy of the seed, the wallet sends the encrypted copy to the HSM, which decrypts it and returns the decrypted copy back to the wallet. Then the wallet uses the seed normally. When the app is closed, the decrypted copy is destroyed.
hero member
Activity: 1442
Merit: 775
Kresus is centralized that is not good. Is it open source? It is close source!

It does not require wallet password but will send you a link in email. I don't like to rely on my email security to use my wallet. It is always bad to connect my wallet to other accounts especially those accounts are connected to Internet a lot like my email.

Whatever word they call the link is, like 'magic link', I consider it as horrible link.
sr. member
Activity: 1372
Merit: 348
Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.

Obviously it is centralization. 

Quote
What do you people think about this wallet that I can not recommend?

I also can't recommend the wallet due to its possible weak security.  I don't believe in magic btw.
hero member
Activity: 994
Merit: 744
Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.
Because you must register through the app domain, I can also refer to this as centralization.
What if the app is been hacked, are your Funds safe since you are not in full control over them?

Furthermore, they stated that by clicking on some links provided in the mail, what if the user's email is compromised and the hacker gains access to the wallet by clicking on the link provided in the mail?

legendary
Activity: 2184
Merit: 1302
Eliminating seed phrases, passwords and keys doesn't make ones crypto safer, rather it makes it more susceptible to being stolen. People erroneously think that services like this are doing them a good thing when they take away the responsibily they owe to their funds. Not your keys, not your funds, wherever they say they store it, you can't be sure of its safety, and you should always have your seed phrase to recover your funds yourself, anytime you need to. Keeping your seed phrase, passwords and keys is part of the responsibility of being your own bank, thus do it yourself.

Having said that, this wallet shouldn't even be used becaus we aren't short of better/safer alternatives, but if anyone is considering doing so, it should be for experiment and with a very inconsequential amount of money.
hero member
Activity: 812
Merit: 560
Quote
Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called “Magic,” which stores the user’s private key on an Amazon Web Services computer that is specifically designed to store highly sensitive information.

The AWS computer encrypts the user’s key with a Master Key that cannot leave the hardware module, much in the same way that a hardware wallet does. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.

This isn't good enough for those that can understand the influence of a third party andbthe use of a central server online storage apps, they can bebas dangerous as unaware to users and not everything they gave to say you believe, why can't you device a means to secure your seeds yourself than relying on their system for the storage, what is the guarantee that they can't be bridged, track you or got attacked themselves by hackers.

Is seed phrase a problem?

It's not a problem but how you store it is what determines it's a problem or not.

legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Is this good?

The wallet was launched by Kresus. It uses magic link to sign in users which makes the wallet not to require password login. Only on Apple Store for now.

https://cointelegraph.com/news/new-wallet-uses-amazon-hardware-security-modules-to-eliminate-seed-words

There is too much trust involved, specially in Kresus team.

Seed words simple work.

They are safe to use, easy to store and easy to recover when necessary.

They are working just fine.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
I find this risky for various reasons:
* that company can be hacked (it will become a target an bugs can exist)
* AWS can get hacked
* some Amazon employee may try to look in there (dirrect access, correlations, sniffing)
* that company employees may take a look
* that company may get bankrupt
* mail accounts tend to be more hacked than many other online services
* and .. is this a custodian wallet? what if their hot wallet is hacked directly or they run with the coins?

Plus, yeah I don't believe in magic  Cheesy

hero member
Activity: 868
Merit: 952
Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

This right doesn’t makes it a bit different from centralized exchanges. One of the easiest scam or attack by hackers is compromising one’s email address, sending a link to email address could just hand ones account over to the hackers should the email be compromised. This is something that the centralized exchanges do currently when resetting passwords that is said to be risky. So it still doesn’t changes anything. Except if one could change Email all the time which will also one way or the other be prone to hacks.

Also storing private key online, no matter how sophisticated the service might be at moment to getting hack is still not a create idea because a this service gets breached then everything on it will just get exposed
legendary
Activity: 1064
Merit: 1298
Lightning network is good with small amount of BTC
Is this good?

The wallet was launched by Kresus. It uses magic link to sign in users which makes the wallet not to require password login. Only on Apple Store for now.

https://cointelegraph.com/news/new-wallet-uses-amazon-hardware-security-modules-to-eliminate-seed-words

Quote
Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called “Magic,” which stores the user’s private key on an Amazon Web Services computer that is specifically designed to store highly sensitive information.

The AWS computer encrypts the user’s key with a Master Key that cannot leave the hardware module, much in the same way that a hardware wallet does. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.
Is seed phrase a problem?

Quote
Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.
Which means only the people that are using the wallet can send to themselves. This is centralization.

Quote
The Kresus team stated that because of the way Magic infrastructure works, neither they nor the Magic development team are able to see the user’s private key during account creation or login, so they cannot make unauthorized transactions.
How can we know that?

I can not go beyond using open source seed phrase wallets that will give me the complete control of my coins.

What do you people think about this wallet that I can not recommend?
Jump to: