Topic: Trezor initialization and Electrum use (Read 582 times)

hero member
Activity: 761
Merit: 606
September 19, 2016, 03:39:09 PM
#7
Great input, guys! I feel pretty good about my Trezors now. I don't do much with the mytrezor site. I prefer to stay all within connection tunnels via Tor hidden servers to Electrum. Nothing major going on, just a privacy junkie! On the other hand, with my smaller everyday wallets I don't try to mask almost anything. It's fun to actually use BTC instead of being a coin hoarder!! I do remember initializing these devices using what I believe is a perfectly clean Linux machine. I keep the VM snapshot spotless as far as I know!
newbie
Activity: 40
Merit: 0
September 19, 2016, 08:53:28 AM
#6
To my knowledge, nothing you have listed could be leaked at setup. As you mentioned, the seed never leaves the device, even at setup (apart from you writing it down). The shuffled PIN pad and the time delay after unsuccessful login attempts make it impossible to brute-force. Maybe only passphrases could leak, if the computer has a keylogger on it.

This applies even if someone gets in the middle of the communication, during the set up process. Trezor calculates the seed itself, not from the computer.

On the other hand, if you are recovering an account, then a keylogger could catch the seed. That's why Trezor shuffles the order of the seed, in order to make it more difficult to get to the right order. While this is a huge computational task, for the safest recovery, I would still recommend either using an offline computer, or a burner offline Android phone.

So yeah, I don't understand that "Privacy" claim. If you have been so careful, I do not see a reason to reinitialize your Trezor.
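
The shuffled PIN pad mentioned in the post above can be modelled in a few lines. This is an added example, not part of the post and not Trezor code; it assumes a 3x3 grid holding the digits 1-9 where the host only ever sees which cell was clicked, and the function names are hypothetical.

```python
# Simplified model of a shuffled PIN matrix (constructed for illustration;
# not Trezor firmware or host-library code).
import secrets
from itertools import permutations

DIGITS = "123456789"

def device_layout():
    """Device side: place digits 1-9 at random on grid positions 0-8."""
    layout = list(DIGITS)
    secrets.SystemRandom().shuffle(layout)
    return layout  # index = grid position, value = digit shown on the device

def host_clicks(pin, layout):
    """Host side: the user clicks blank cells, so only positions are seen."""
    return [layout.index(d) for d in pin]

def device_decode(clicks, layout):
    """Device side: map the clicked positions back to digits."""
    return "".join(layout[p] for p in clicks)

def consistent_pins(clicks):
    """Every PIN a host-side logger cannot rule out after one session."""
    cells = sorted(set(clicks))
    candidates = set()
    for combo in permutations(DIGITS, len(cells)):
        mapping = dict(zip(cells, combo))
        candidates.add("".join(mapping[p] for p in clicks))
    return candidates

if __name__ == "__main__":
    pin = "4271"  # constructed sample PIN
    for session in range(2):
        layout = device_layout()
        clicks = host_clicks(pin, layout)
        assert device_decode(clicks, layout) == pin
        print(f"session {session}: host saw positions {clicks}, "
              f"{len(consistent_pins(clicks))} PINs still possible")
```

A logger on the host learns the repeat pattern of the PIN but not its digits, so PINs with repeated digits leave fewer candidates than PINs with all-distinct digits.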
legendary
Activity: 1946
Merit: 1007
September 17, 2016, 06:46:20 AM
#5
From my understanding, the potential leaks have to do with the fact that you are connecting to the mytrezor service through the Chrome extension. If this somehow gets compromised or someone gets in the middle, your device is potentially not set up safely.

Unless someone was specifically targeting you during the initialization process, I don't think you have to worry about resetting the device on an offline machine.
legendary
Activity: 1806
Merit: 1164
September 16, 2016, 04:18:32 PM
#4
Thank you for the link.  Wow, that will be a long read, but I will head there and take it in this weekend.  I needed to get pointed, so thanks again!

Sorry, I was not clear. Just copy and paste your post here at the end of the Trezor thread on the forum, and the same at Reddit. You should get an answer within a day. No need to read through the whole thread.
hero member
Activity: 761
Merit: 606
September 16, 2016, 03:28:51 PM
#3
Thank you for the link.  Wow, that will be a long read, but I will head there and take it in this weekend.  I needed to get pointed, so thanks again!
legendary
Activity: 1806
Merit: 1164
September 16, 2016, 03:20:02 PM
#2
If you want a response from a Trezor developer, you really should post your concerns at the main Trezor thread here on the forum or at /r/Trezor on Reddit.
hero member
Activity: 761
Merit: 606
September 16, 2016, 03:03:44 PM
#1
I wanted to investigate something I ran into while reading around.  I use Trezors with Electrum but I did initialize my hardware wallet(s) using mytrezor's site.  I will link one of the sites below and simply paste my area of concern.  You won't gain much if any knowledge beyond what I am pasting below by reading the article.  It is a reference to show where my thinking started.


https://www.buybitcoinworldwide.com/wallets/trezor/

PRIVACY

Data can be leaked upon setup if using TREZOR’s myWallet. For a more private initialization, use the Chrome extension or the python tools to setup your device on an offline computer.

end quote.


The subject of anything regarding leaks gets my attention. With that in mind I wanted to discuss with specificity the leaks mentioned/quoted above. First off, I am very advanced with internet connectivity, so I have zero concerns that the mytrezor site has any traceable IPs due to my consistent VPN/Tor combo usage. I never use a raw connection, so that avenue of "leak" means nothing to me in this case. As I examine the process whereby a Trezor generates the "seed words", it is apparent that NO computer will ever see those words. Of course they are personally handwritten for MY backup purposes, but no leak of "seed" during initialization. That means that a leak would be down to a PIN, but even that process is engineered to confound the attached computer, since the visualized keypad is always rotating the numeric placement of the digits. I use many different passphrases to generate numerous wallets, but those don't relate to the other wallets, and they were added after initialization of the device. I have subsequently learned to use the Trezor app (Chrome extension) OFFLINE and configure the device that way. At this point I have changed the PIN(s) and device "name(s)" offline. I have NOT wiped/re-initialized the device because, as mentioned already, that would require me to move many wallet contents to other new wallets. Of course doing things offline has security benefits, but I missed learning all this stuff before I initialized my hardware wallet(s).

1.  Can anyone specifically demonstrate to me/us what the potential leaks are that were mentioned in that article?  Hopefully there is nothing sinister "leak-wise" that goes on with the mytrezor handshake.

2.  I am asking for opinions as to whether it is warranted to re-initialize my Trezor(s) since I did not do them offline out of the gate?  At this point I have changed the PINs and device "names" offline, but that is it.

I want to learn as much as I can here.  Any information or links to some reading will be pursued.  Leave the devices alone or re-do them?