offline air-gapped electrum | Bitcointalksearch.org

hosseinimr93

legendary

Activity: 2380

Merit: 5213

Quote from: Yamane_Keto on June 13, 2023, 03:16:29 AM

I do not think that there is a way to QR phishing here.

The point here is that you should check the address, whether you copy-paste it or you use a QR code. As mentioned by o_e_l_e_o, the risk is never zero.

Quote from: Yamane_Keto on June 13, 2023, 03:16:29 AM

Can hackers modify signed message?

No.
If you change the receiving address or any other data, the signature will become invalid and you have to sign the transaction again.

Quote from: Yamane_Keto on June 13, 2023, 03:16:29 AM

Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.

I remember Metamask used to display the first 4 and the last 4 characters.
I just pasted an ETH address in Metamask to see if it's still the same. It displayed the first 11 and the last 4 characters.

Yamane_Keto

hero member

Activity: 406

Merit: 443

Quote from: o_e_l_e_o on June 13, 2023, 01:59:09 AM

That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.

I do not know, but the chances of this succeeding seem slim, because either by changing the receiving address, which I liken to a clipboard virus, or that the software that you downloaded is not official, otherwise I do not think that there is a way to QR phishing here.

Can hackers modify signed message? Or tamper with the content of master public key without downloading an unofficial version?

Quote from: adaseb on June 12, 2023, 11:52:27 PM

I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.

Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: adaseb on June 12, 2023, 11:52:27 PM

However with electrum you can see the entire address and amounts you are sending it too. So you should always verify and double check everything.

That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.

adaseb

legendary

Activity: 3808

Merit: 1723

Quote from: o_e_l_e_o on June 05, 2023, 09:59:28 AM

Quote from: Aikidoka on June 05, 2023, 09:17:16 AM

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your set up is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.

Just read that you replied to my earlier post.

Yes I agree that it’s possible the watch only online wallet can have a phishing QR code which if signed and broadcasted could lead to sending the funds to the wrong address.

However with electrum you can see the entire address and amounts you are sending it too. So you should always verify and double check everything.

I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: new19980 on June 05, 2023, 02:49:40 PM

what about this singing methode is it better then QR code ?
https://electrum.readthedocs.io/en/latest/coldstorage.html

This is the exact same method as using QR codes to transfer transactions between online and airgapped wallets. This method simply says "transfer the transaction file to your offline machine (e.g. with a usb stick)."

Transferring with QR codes or USB sticks are both equally possible. I prefer using QR codes for two reasons. First of all, it's a bit quicker to simply point a camera at a QR code than it is to save a file, transfer to a USB stick, and move that USB stick between devices. Secondly, and more importantly, is it is harder to transfer malware or leak private keys via a QR code than it is via a USB stick. Even the smallest USB stick will have hundreds of megabytes of empty space in which malware could copy itself to, whereas this is largely not possible (or at least far more difficult and noticeable) with QR codes.

So yes, you can use USB sticks if you like, and it is still very safe, but QR codes are safer (provided you are double checking everything as I explained two posts up).

new19980

newbie

Activity: 48

Merit: 0

Quote from: o_e_l_e_o on June 04, 2023, 12:58:45 PM

Quote from: new19980 on June 04, 2023, 12:41:52 PM

if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?

You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.

Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.

what about this singing methode is it better then QR code ?
https://electrum.readthedocs.io/en/latest/coldstorage.html

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Aikidoka on June 05, 2023, 09:17:16 AM

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your set up is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.

Aikidoka

sr. member

Activity: 1078

Merit: 342

Sinbad Mixer: Mix Your BTC Quickly

Quote from: adaseb on June 04, 2023, 11:19:55 PM

Regarding the scanning of the QR code. What I do is this. I don’t use a usb drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to electrum and it will read the unsigned transaction.

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

After reading your post, I remembered that I have an old camera with an SD card port which I rarely use and my air-gapped laptop has an SD card slot, so it would be great to use it. I think I could also connect my camera to the laptop using a USB cable and transfer the picture. Later, I can use a QR decoder to broadcast the transaction via Electrum.

I recently watched a YouTube video where a person shared credentials using an air-gapped computer without any networking or USB connection. He did that by utilizing two laptops with cameras, which is also a highly secure method. You can watch the video here

adaseb

legendary

Activity: 3808

Merit: 1723

Regarding the scanning of the QR code. What I do is this. I don’t use a usb drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to electrum and it will read the unsigned transaction.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: new19980 on June 04, 2023, 12:41:52 PM

if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?

You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.

Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.

new19980

newbie

Activity: 48

Merit: 0

Quote from: Z-tight on June 01, 2023, 06:27:26 AM

I use the QR code option for importing created transactions from the watch-only wallet into the air-gapped wallet, and also for importing signed transactions into the online watch-only wallet for broadcasting, i think this option is more user-friendly.

After creating the tx in the watch-only wallet, you click on the QR code, and you use the offline wallet to scan this QR code, the transaction will be imported into the offline wallet, after signing, you click on the QR code and use the watch-only wallet to scan the QR code, once it is imported into the online wallet, you can now broadcast the transaction to the network.

if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?

BitMaxz

legendary

Activity: 3374

Merit: 3095

Playbet.io - Crypto Casino and Sportsbook

Quote from: 22bits on June 01, 2023, 08:49:24 PM

Is anyone doing this and what is the app they are using to allow offline signing of ETH transactions and then port over to separate computer to broadcast, same flow as with Electrum?

If you talking about ETH then you should make another thread to the altcoin section to get the right response.

And I think there is no app yet for ETH that can make offline transaction but they do have a web version that you can also with your phone check this link here

khaled0111

legendary

Activity: 2702

Merit: 3045

Top Crypto Casino

^^
If you want full anonymity and full privacy then you should connect you Electrum wallet to your own server.
Even if you look up one if your addresses on an online explorer (without providing the master public key) then there is a high risk of exposing your other addresses (by tracking change addresses and consumed inputs).
If you want full privacy then better connect to your own servers.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

Quote from: Aikidoka on June 02, 2023, 06:18:56 AM

Using any online website by sharing your MPK with them would put your privacy at risk, so in my opinion it's better to use the watch-only wallet created by Electrum.

This is one of the worst thing to do. But using Electrum without the use of Tor means no anonymity too. If you want anonymity, you can check address on an explorer with Tor, but inputting your master public key on an explorer is insane.

For privacy, you have no other option than to go for full node wallet, using Tor with it.

For anonymity, you have no option than to use Tor while using a wallet.

If you use IP address on a wallet, no privacy no anonymity too.

But inputting your master public key on an explorer is insane. Watch-only wallet is the proper way.

Aikidoka

sr. member

Activity: 1078

Merit: 342

Sinbad Mixer: Mix Your BTC Quickly

Quote from: Sarah Azhari on June 01, 2023, 07:02:56 PM

~snip~

He doesn't need to create two wallets, it's just one wallet on the air-gapped device. The other one is a watch-only wallet that uses his MPK. I haven't tried any Explorer like the one on blockchain.com, I just clicked on the link you posted and I couldn't find the addresses that belongs to that MPK. Maybe it's not there or I just don't know how?

To be honest, I think Electrum would be better. It shows basically everything and all the addresses of your wallet, as you can see in the picture below. Using any online website by sharing your MPK with them would put your privacy at risk, so in my opinion it's better to use the watch-only wallet created by Electrum.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Sarah Azhari on June 01, 2023, 07:02:56 PM

-snip-

He needs a watch only wallet in order to create transactions for his airgapped wallet to sign. You cannot do this with a block explorer. Further, your watch only wallet should be connected to your own node for your privacy. Handing your xpub to a blockchain explorer is a privacy disaster.

nc50lc

legendary

Activity: 2534

Merit: 6080

Self-proclaimed Genius

Quote from: 22bits on June 01, 2023, 09:20:51 AM

Interesting about scanning the QR code, what do you use the scan it? Not sure how I would have the airgapped computer read a QR code.

I have a reply in the link below your reply, but that's only for scanning a raw transaction's QR code.

For the master public key, you can scan it in 'install wizard' menu: "Standard wallet->Use a master key" via the camera icon [

] below the area where you normally type/paste the master public key.
For the offline wallet's master public key QR Code, you can display it in the "Wallet->Information" menu using the QR code icon: [

]

22bits

member

Activity: 85

Merit: 25

I will ask this new but related question here as someone using Electrum on Tails might be able to help. Feedback so far has been great by the way, thanks all

So I will be running Tails offline and then using offline signing in Electrum and use usb thumb drive to go back and forth to broadcast. I would actually like to do a similar technique with ETH, and see most of the offline signing options available involve using another device like android, but I would like to use the app on Tails the same as Electrum. Is anyone doing this and what is the app they are using to allow offline signing of ETH transactions and then port over to separate computer to broadcast, same flow as with Electrum?

Sarah Azhari

hero member

Activity: 868

Merit: 737

Quote from: hosseinimr93 on May 31, 2023, 07:53:00 PM

You need to have two wallets. One of them should be an offline wallet and the other one should be a watch-only wallet on an online device.
The offline wallet is used for signing transactions and the online wallet is used for seeing your balance and transactions history, creating unsinged transactions, and broadcasting transactions.

Another way is Explorer, OP shouldn't create 2 wallets or a watch-only wallet for just tracking his balance, he can use Explorer, like blockchain.com. This is more simple and can save his device space.

For example, xpub/zpub I create from electrum:

https://www.blockchain.com/explorer/assets/btc/xpub/zpub6oLs8QUeZV4d4g4686uK5ZC4ApUhMYAG4AQznZpik7gcyqbXBNquxP9ir2XDqpvnkgZAeWUrSatVNjBgspRFuo59o1TuAfTf2EzmdCn6iWA

If OP doesn't know how to get the master public key, he must go to the wallet setting on top, and then click the information, like the picture below:

Sidney986

member

Activity: 81

Merit: 30

See this link for adding camera

https://bitcointalksearch.org/topic/webcam-electrum-5369457

Topic: offline air-gapped electrum (Read 392 times)