Pages:
Author

Topic: offline air-gapped electrum (Read 392 times)

legendary
Activity: 2380
Merit: 5213
June 13, 2023, 03:43:20 AM
#29
I do not think that there is a way to QR phishing here.
The point here is that you should check the address, whether you copy-paste it or you use a QR code. As mentioned by o_e_l_e_o, the risk is never zero.


Can hackers modify signed message?
No.
If you change the receiving address or any other data, the signature will become invalid and you have to sign the transaction again.


Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.
I remember Metamask used to display the first 4 and the last 4 characters.
I just pasted an ETH address in Metamask to see if it's still the same. It displayed the first 11 and the last 4 characters.
hero member
Activity: 406
Merit: 443
June 13, 2023, 03:16:29 AM
#28
That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.

I do not know, but the chances of this succeeding seem slim, because either by changing the receiving address, which I liken to a clipboard virus, or that the software that you downloaded is not official, otherwise I do not think that there is a way to QR phishing here.

Can hackers modify signed message? Or tamper with the content of master public key without downloading an unofficial version?


I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.

Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.
legendary
Activity: 2268
Merit: 18711
June 13, 2023, 01:59:09 AM
#27
However with electrum you can see the entire address and amounts you are sending it too. So you should always verify and double check everything.
That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.
legendary
Activity: 3808
Merit: 1723
June 12, 2023, 11:52:27 PM
#26
This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.
There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your set up is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.

Just read that you replied to my earlier post.

Yes I agree that it’s possible the watch only online wallet can have a phishing QR code which if signed and broadcasted could lead to sending the funds to the wrong address.

However with electrum you can see the entire address and amounts you are sending it too. So you should always verify and double check everything.

I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.
legendary
Activity: 2268
Merit: 18711
June 06, 2023, 01:42:41 AM
#25
what about this singing methode is it better then QR code ?
https://electrum.readthedocs.io/en/latest/coldstorage.html
This is the exact same method as using QR codes to transfer transactions between online and airgapped wallets. This method simply says "transfer the transaction file to your offline machine (e.g. with a usb stick)."

Transferring with QR codes or USB sticks are both equally possible. I prefer using QR codes for two reasons. First of all, it's a bit quicker to simply point a camera at a QR code than it is to save a file, transfer to a USB stick, and move that USB stick between devices. Secondly, and more importantly, is it is harder to transfer malware or leak private keys via a QR code than it is via a USB stick. Even the smallest USB stick will have hundreds of megabytes of empty space in which malware could copy itself to, whereas this is largely not possible (or at least far more difficult and noticeable) with QR codes.

So yes, you can use USB sticks if you like, and it is still very safe, but QR codes are safer (provided you are double checking everything as I explained two posts up).
newbie
Activity: 48
Merit: 0
June 05, 2023, 02:49:40 PM
#24
if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?
You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.

Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.
what about this singing methode is it better then QR code ?
https://electrum.readthedocs.io/en/latest/coldstorage.html
legendary
Activity: 2268
Merit: 18711
June 05, 2023, 09:59:28 AM
#23
This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.
There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your set up is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.
sr. member
Activity: 1078
Merit: 342
Sinbad Mixer: Mix Your BTC Quickly
June 05, 2023, 09:17:16 AM
#22
Regarding the scanning of the QR code. What I do is this. I don’t use a usb drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to electrum and it will read the unsigned transaction.
This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

After reading your post, I remembered that I have an old camera with an SD card port which I rarely use and my air-gapped laptop has an SD card slot, so it would be great to use it. I think I could also connect my camera to the laptop using a USB cable and transfer the picture. Later, I can use a QR decoder to broadcast the transaction via Electrum.

I recently watched a YouTube video where a person shared credentials using an air-gapped computer without any networking or USB connection. He did that by utilizing two laptops with cameras, which is also a highly secure method. You can watch the video here Smiley
legendary
Activity: 3808
Merit: 1723
June 04, 2023, 11:19:55 PM
#21
Regarding the scanning of the QR code. What I do is this. I don’t use a usb drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to electrum and it will read the unsigned transaction.
legendary
Activity: 2268
Merit: 18711
June 04, 2023, 12:58:45 PM
#20
if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?
You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.

Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.
newbie
Activity: 48
Merit: 0
June 04, 2023, 12:41:52 PM
#19
I use the QR code option for importing created transactions from the watch-only wallet into the air-gapped wallet, and also for importing signed transactions into the online watch-only wallet for broadcasting, i think this option is more user-friendly.

After creating the tx in the watch-only wallet, you click on the QR code, and you use the offline wallet to scan this QR code, the transaction will be imported into the offline wallet, after signing, you click on the QR code and use the watch-only wallet to scan the QR code, once it is imported into the online wallet, you can now broadcast the transaction to the network.
if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
June 02, 2023, 06:47:25 PM
#18
Is anyone doing this and what is the app they are using to allow offline signing of ETH transactions and then port over to separate computer to broadcast, same flow as with Electrum? 

If you talking about ETH then you should make another thread to the altcoin section to get the right response.

And I think there is no app yet for ETH that can make offline transaction but they do have a web version that you can also with your phone check this link here
legendary
Activity: 2702
Merit: 3045
Top Crypto Casino
June 02, 2023, 05:25:37 PM
#17
^^
If you want full anonymity and full privacy then you should connect you Electrum wallet to your own server.
Even if you look up one if your addresses on an online explorer (without providing the master public key) then there is a high risk of exposing your other addresses (by tracking change addresses and consumed inputs).
If you want full privacy then better connect to your own servers.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
June 02, 2023, 06:38:49 AM
#16
Using any online website by sharing your MPK with them would put your privacy at risk, so in my opinion it's better to use the watch-only wallet created by Electrum.
This is one of the worst thing to do. But using Electrum without the use of Tor means no anonymity too. If you want anonymity, you can check address on an explorer with Tor, but inputting your master public key on an explorer is insane.

For privacy, you have no other option than to go for full node wallet, using Tor with it.

For anonymity, you have no option than to use Tor while using a wallet.

If you use IP address on a wallet, no privacy no anonymity too.

But inputting your master public key on an explorer is insane. Watch-only wallet is the proper way.
sr. member
Activity: 1078
Merit: 342
Sinbad Mixer: Mix Your BTC Quickly
June 02, 2023, 06:18:56 AM
#15
~snip~
He doesn't need to create two wallets, it's just one wallet on the air-gapped device. The other one is a watch-only wallet that uses his MPK. I haven't tried any Explorer like the one on blockchain.com, I just clicked on the link you posted and I couldn't find the addresses that belongs to that MPK. Maybe it's not there or I just don't know how?

To be honest, I think Electrum would be better. It shows basically everything and all the addresses of your wallet, as you can see in the picture below. Using any online website by sharing your MPK with them would put your privacy at risk, so in my opinion it's better to use the watch-only wallet created by Electrum.


legendary
Activity: 2268
Merit: 18711
June 02, 2023, 03:11:55 AM
#14
-snip-
He needs a watch only wallet in order to create transactions for his airgapped wallet to sign. You cannot do this with a block explorer. Further, your watch only wallet should be connected to your own node for your privacy. Handing your xpub to a blockchain explorer is a privacy disaster.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
June 01, 2023, 11:14:19 PM
#13
Interesting about scanning the QR code, what do you use the scan it?  Not sure how I would have the airgapped computer read a QR code.
I have a reply in the link below your reply, but that's only for scanning a raw transaction's QR code.

For the master public key, you can scan it in 'install wizard' menu: "Standard wallet->Use a master key" via the camera icon [] below the area where you normally type/paste the master public key.
For the offline wallet's master public key QR Code, you can display it in the "Wallet->Information" menu using the QR code icon: []
member
Activity: 85
Merit: 25
June 01, 2023, 08:49:24 PM
#12
I will ask this new but related question here as someone using Electrum on Tails might be able to help.  Feedback so far has been great by the way, thanks all Smiley  So I will be running Tails offline and then using offline signing in Electrum and use usb thumb drive to go back and forth to broadcast.  I would actually like to do a similar technique with ETH, and see most of the offline signing options available involve using another device like android, but I would like to use the app on Tails the same as Electrum.  Is anyone doing this and what is the app they are using to allow offline signing of ETH transactions and then port over to separate computer to broadcast, same flow as with Electrum? 
hero member
Activity: 868
Merit: 737
June 01, 2023, 07:02:56 PM
#11
You need to have two wallets. One of them should be an offline wallet and the other one should be a watch-only wallet on an online device.
The offline wallet is used for signing transactions and the online wallet is used for seeing your balance and transactions history, creating unsinged transactions, and broadcasting transactions.
Another way is Explorer, OP shouldn't create 2 wallets or a watch-only wallet for just tracking his balance, he can use Explorer, like blockchain.com. This is more simple and can save his device space.

For example, xpub/zpub I create from electrum:

https://www.blockchain.com/explorer/assets/btc/xpub/zpub6oLs8QUeZV4d4g4686uK5ZC4ApUhMYAG4AQznZpik7gcyqbXBNquxP9ir2XDqpvnkgZAeWUrSatVNjBgspRFuo59o1TuAfTf2EzmdCn6iWA

If OP doesn't know how to get the master public key, he must go to the wallet setting on top, and then click the information, like the picture below:




member
Activity: 81
Merit: 30
June 01, 2023, 09:34:57 AM
#10
Pages:
Jump to: