Topic: NXT :: descendant of Bitcoin - Updated Information - page 784. (Read 2761655 times)
right, we do get that, but ideally, the goal is a trustless environment. Browser/JS signing and sending/receiving data with public servers allows this, without forcing a local blockchain sync, so this is our end game goal
Abuelau, ChuckOne, you should really read this:
https://blockchain.info/wallet/technical-faq
and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.
The way to do this in the browser is via JS a-la blockchain.info.
https://blockchain.info/wallet/technical-faq
and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.
The way to do this in the browser is via JS a-la blockchain.info.
It has nothing to do with TRUSTLESS as it is promoted.
As I already pointed out:
In the end, you have to trust somebody.
I know what you mean, but it is not really trustless.
Blockchain.info is as trustless as possible.
""""""""
Server Side
The site currently runs on 4 dedicated servers, hosted in a locked cabinet. All servers run behind a dedicated cisco security appliance with intrusion detection. On the servers themselves various "booby traps" are set to alert the webmaster if an intrusion is detected.
The java code deployed to the Site is deployed in a single war (zip) file. Each server monitors the checksum of this file to detect any unauthorised changes to the code. In order to make reverse engineering our encryption schemes more difficult the the java class files are obfuscated using proguard.
A copy of every wallet is stored all our servers. Additionally the latest 50 versions of a wallet are stored on Amazon S3 and can be restored from the [Import / Export] section.
The server side code that handles wallets is open source.
The site is not vulnerable to CSRF requests as no login details or sensitive data is ever saved in session cookies.
In the time the Site has been running there has been handful of XSS vulnerabilities reported. None of these were on a wallet page and could not have resulted in any direct loss of funds.
"""""""""
Quote
If one computer is hacked than ONE person loses money.
Same for mynxt.info
Quote
If your server is compromised, he gets access to every wallet that logs in....
No, not every wallet that logs in. But every wallet the sends money somewhere because that is the only time we decrypt the wallet.
Imagine if there is a malware that can steal blockchain wallets from Firefox or IE or Chrome right when these are decrypted?
Quote
If you decide to collect the passwords and go rouge ....
Same for blockchain.info. How do you know they don't store a copy of passwords?
Abuelau, ChuckOne, you should really read this:
https://blockchain.info/wallet/technical-faq
and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.
The way to do this in the browser is via JS a-la blockchain.info.
https://blockchain.info/wallet/technical-faq
and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.
The way to do this in the browser is via JS a-la blockchain.info.
It has nothing to do with TRUSTLESS as it is promoted.
As I already pointed out:
In the end, you have to trust somebody.
I know what you mean, but it is not really trustless.
Where is the list of client side javascript libraries for signing? (a bounty was offered by cfb for this)
I found this link - https://bitcointalksearch.org/topic/m.4612928
Yes but the signing happens on your server, that is the problem. With blockchain.info type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.
Why is it such a big difference? If an attacker has a keylogger you may lose your coins the same way in mynxt.info and blockchain.info.
What is important is that the wallet is encrypted and in order to decrypt it you need the user's password. Whether the decrypting happens on the server or on the browser, I don't think this is such a big deal. In fact, I can imagine people developing a malware that you get in your browser (since your browser holds an unencrypted version of your wallet).
The really big difference is, that the person that hosts the wallet can spend your coins if you send your password. Because if you sign serverside, your wallet has to be decrypted atleast once for a short period of time. You as the owner of the server can interfere if you chose to, or if your server is compromised and bad code is implemented coins can be stolen. That is the reason that the guy that created blockchain.info said that all wallets that don't offer browserside signing WILL be hacked/scamed.
Well, of course the guy would say that. Everyone will say their product is better.
The fact is: you need to decrypt the wallet at some point in order to spend coins. The decryption can happen on the browser or the server, and to decrypt it you will need to type your password.
Don't forget when you sign up in blockchain.info you ALSO type your password on their website. There's no guarantee that they didn't save a copy of your password somewhere.
What I am saying is that I don't see the "save in the browser" as being any safer, to me this is more marketing that actual security. If there's any security experts here please prove me wrong (and I will be happy to be proven wrong).
You get this wrong i think. You don't operate on "their website". You can actually download the java code and run it WITHOUT internet connection, then you reconnect and broadcast the transaction.
There is a BIG difference. They are NOT able to steal your password.
He isn't some random actually, but one of the most respected member of the whole bitcoin community.
I understand what you are saying. But I think you don't understand what I am saying. Tell me one scenario where an attacker would be able to steal your NXT from wallet.mynxt.info but not your Bitcoins from Blockchain.info using the same technique.
Btw, I am not questioning any individual. Blockchain.info is a company and as such you would expect it to do what companies do (earn money, spend money, do marketing, sales, plans, etc).
If one computer is hacked than ONE person loses money.
If your server is compromised, he gets access to every wallet that logs in....
If you decide to collect the passwords and go rouge ....
The argument is extremely simple...
Read this: http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info
Where is the list of client side javascript libraries for signing? (a bounty was offered by cfb for this)
Maybe change it to a simpler version:
Much color, so many less words, yammy nxt 
Quote
Unregistered users = 3 votes per hour!
Just click 3 times on the VOTE Button for NXT - that's it!
>>>>>>>>>>>>>>> PLEASE VOTE! <<<<<<<<<<<<<<<
>>>>>>>>>>>>>>> PLEASE VOTE! <<<<<<<<<<<<<<<
We should be in 1st place in a little bit.
Yes but the signing happens on your server, that is the problem. With blockchain.info type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.
Why is it such a big difference? If an attacker has a keylogger you may lose your coins the same way in mynxt.info and blockchain.info.
What is important is that the wallet is encrypted and in order to decrypt it you need the user's password. Whether the decrypting happens on the server or on the browser, I don't think this is such a big deal. In fact, I can imagine people developing a malware that you get in your browser (since your browser holds an unencrypted version of your wallet).
The really big difference is, that the person that hosts the wallet can spend your coins if you send your password. Because if you sign serverside, your wallet has to be decrypted atleast once for a short period of time. You as the owner of the server can interfere if you chose to, or if your server is compromised and bad code is implemented coins can be stolen. That is the reason that the guy that created blockchain.info said that all wallets that don't offer browserside signing WILL be hacked/scamed.
Well, of course the guy would say that. Everyone will say their product is better.
The fact is: you need to decrypt the wallet at some point in order to spend coins. The decryption can happen on the browser or the server, and to decrypt it you will need to type your password.
Don't forget when you sign up in blockchain.info you ALSO type your password on their website. There's no guarantee that they didn't save a copy of your password somewhere.
What I am saying is that I don't see the "save in the browser" as being any safer, to me this is more marketing that actual security. If there's any security experts here please prove me wrong (and I will be happy to be proven wrong).
You get this wrong i think. You don't operate on "their website". You can actually download the java code and run it WITHOUT internet connection, then you reconnect and broadcast the transaction.
There is a BIG difference. They are NOT able to steal your password.
He isn't some random actually, but one of the most respected member of the whole bitcoin community.
I understand what you are saying. But I think you don't understand what I am saying. Tell me one scenario where an attacker would be able to steal your NXT from wallet.mynxt.info but not your Bitcoins from Blockchain.info using the same technique.
Btw, I am not questioning any individual. Blockchain.info is a company and as such you would expect it to do what companies do (earn money, spend money, do marketing, sales, plans, etc).
Abuelau, ChuckOne, you should really read this:
https://blockchain.info/wallet/technical-faq
and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.
The way to do this in the browser is via JS a-la blockchain.info.
https://blockchain.info/wallet/technical-faq
and pay attention to TwinWinNerD. If you can't sign transactions offline (that is without transmitting private keys to anyone), you can't build a secure web wallet. Period.
The way to do this in the browser is via JS a-la blockchain.info.
I found a very good explanation of blockchain.info, can any dev read this and tell me how much work it would be to clone this (it is all opensource!!) ?
We can make this work after the local signing is available.
http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info
We can make this work after the local signing is available.
http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info
It's an Amazon AWS EC2, I have a lot of experience working with AWS.
Great.
That should be it.Regardless of the issues presented above. I think you did a great service to NXT. Have you already been supported/funded by some of these committees?
For the online wallet - no.
Don't know where to add a request. Maybe somebody could help on that?
Does anybody know how to create the redeemScript bytes?
https://bitcointalksearch.org/topic/m.5241415
Within a few days from when I can solve this, I should be able to get a test version of automated multisig gateways released. please help.
James
https://bitcointalksearch.org/topic/m.5241415
Within a few days from when I can solve this, I should be able to get a test version of automated multisig gateways released. please help.
James
QUICK UPDATE
Atomic-Trade will be adding Nxt. I'm paying for integration with my own funds since AT agreed to add USD/Nxt trade abilities. This will allow any users to buy Nxt with USD directly. Currently AT only offers USD/BTC trading, so we will have an advantage over other alts on the exchange. Also, when I get home this evening, expect Nxt to lead the voting in Mintpal
Atomic-Trade will be adding Nxt. I'm paying for integration with my own funds since AT agreed to add USD/Nxt trade abilities. This will allow any users to buy Nxt with USD directly. Currently AT only offers USD/BTC trading, so we will have an advantage over other alts on the exchange. Also, when I get home this evening, expect Nxt to lead the voting in Mintpal
Another great day for nxt!
Maybe change it to a simpler version:
Much color, so many less words, yammy nxt
Quote
Unregistered users = 3 votes per hour!
Just click 3 times on the VOTE Button for NXT - that's it!
>>>>>>>>>>>>>>> PLEASE VOTE! <<<<<<<<<<<<<<<
>>>>>>>>>>>>>>> PLEASE VOTE! <<<<<<<<<<<<<<<
Question:
How much do you think would a java based blockchain.info-like wallet for NXT cost to program? Do you think it would be worth to start a bounty for that?
How much do you think would a java based blockchain.info-like wallet for NXT cost to program? Do you think it would be worth to start a bounty for that?
Which part? Do you mean the iPhone mobile app? Or the website?
The part where blockchain.info works within you browser and no information leaves your browers, only the encrypted backup on your server. As i understand, we can now sign transactions without the client?
We basically need an online wallet WITHOUT trust.
How is that possible?
Your browser downloads the java file (code?!?) and your wallet gets decrypted only within this java environment on your browser. With bitcoin you can prepare a transaction locally, you don't need a connection to the blockchain for that. After you have finished signing the transaction, you can broadcast it. No sensitive information ever leaves your browser!
The thing is that NRS does not yet have API to accept signed transactions. CFB is working on that, as I understand it.
Once that is done, the browser can sign the transaction and broadcast it to any public node.
Oh, i though that is ready already. Well then this is on hold anyway.
Question:
How much do you think would a java based blockchain.info-like wallet for NXT cost to program? Do you think it would be worth to start a bounty for that?
How much do you think would a java based blockchain.info-like wallet for NXT cost to program? Do you think it would be worth to start a bounty for that?
Which part? Do you mean the iPhone mobile app? Or the website?
The part where blockchain.info works within you browser and no information leaves your browers, only the encrypted backup on your server. As i understand, we can now sign transactions without the client?
We basically need an online wallet WITHOUT trust.
How is that possible?
Your browser downloads the java file (code?!?) and your wallet gets decrypted only within this java environment on your browser. With bitcoin you can prepare a transaction locally, you don't need a connection to the blockchain for that. After you have finished signing the transaction, you can broadcast it. No sensitive information ever leaves your browser!
The thing is that NRS does not yet have API to accept signed transactions. CFB is working on that, as I understand it.
Once that is done, the browser can sign the transaction and broadcast it to any public node.
Just to inform, 0.7.6 runs smoothly on Android TV stick public node.
For a while
For a while
+1
Yes but the signing happens on your server, that is the problem. With blockchain.info type wallet, NOTHING leaves the browser. Only the broadcast happens on the server there. This is a HUGE difference.
Why is it such a big difference? If an attacker has a keylogger you may lose your coins the same way in mynxt.info and blockchain.info.
What is important is that the wallet is encrypted and in order to decrypt it you need the user's password. Whether the decrypting happens on the server or on the browser, I don't think this is such a big deal. In fact, I can imagine people developing a malware that you get in your browser (since your browser holds an unencrypted version of your wallet).
The really big difference is, that the person that hosts the wallet can spend your coins if you send your password. Because if you sign serverside, your wallet has to be decrypted atleast once for a short period of time. You as the owner of the server can interfere if you chose to, or if your server is compromised and bad code is implemented coins can be stolen. That is the reason that the guy that created blockchain.info said that all wallets that don't offer browserside signing WILL be hacked/scamed.
Well, of course the guy would say that. Everyone will say their product is better.
The fact is: you need to decrypt the wallet at some point in order to spend coins. The decryption can happen on the browser or the server, and to decrypt it you will need to type your password.
Don't forget when you sign up in blockchain.info you ALSO type your password on their website. There's no guarantee that they didn't save a copy of your password somewhere.
What I am saying is that I don't see the "save in the browser" as being any safer, to me this is more marketing that actual security. If there's any security experts here please prove me wrong (and I will be happy to be proven wrong).
You get this wrong i think. You don't operate on "their website". You can actually download the java code and run it WITHOUT internet connection, then you reconnect and broadcast the transaction.
There is a BIG difference. They are NOT able to steal your password.
He isn't some random actually, but one of the most respected member of the whole bitcoin community.
Your browser downloads the java file (code?!?) and your wallet gets decrypted only within this java environment on your browser. With bitcoin you can prepare a transaction locally, you don't need a connection to the blockchain for that. After you have finished signing the transaction, you can broadcast it. No sensitive information ever leaves your browser!
Ohh noo. No java applet, please.
I could imagine that this is implemented in JavaScript. But then you rely on the server, sending you the JS.
So, where is the trust? You need to trust your browser vendor, you need to trust the server that sends you the JS, you need to trust your browser plugins/addons, you need to trust your OS, you hardware, etc. etc.
Jump to: