Topic: UnoWallet - Instant Bitcoin Wallet (Read 4747 times)

Hi guys,
I like the idea, here are few of my concerns :

1. Adding a "Copy" private key is not a good idea. If you have some evil flash objects and slightly stupid user , you private key is gone. http://sdqali.in/blog/2013/04/05/clipboard-javascript/ . I dont think we should encourage user to put private keys in clipboard. Downloading a wallet file is a better option
2. Another concern/question is what entropy source are you using to automatically create the 50 chars long string ?Are you making sure there is enough entropy
3. What algorithm are using to create private key from the 50 char string? If you are doing sha 256 like http://brainwallet.org/, it makes no sense to randomize 50 char string, you can limit yourself to 8 characters.

Go Bitcoin!

Thanks to americandesi and Abdussamad for their feedback on the security of unowallet.

Below is a summary of possible known methods of url leakage from what I understood from this:

1. Server logs: we are in control of the logs, so I would not worry too much about it.
2. Browser extensions, toolbars and plugins: user is in control of it and we expect the user should have basic knowledge of their own system before using unowallet.
If you believe your wallet is compromised due to this, please "abandon" that wallet and get a new one (by visiting the unowallet bare url) and then transfer your funds to the new one.
3. Referer headers: this is the most important issue I could get from this. Fortunately Unowallet currently does not refer to any 3rd party sites. However, every developer needs to be aware of it when storing secrets in URLs. We will not put any 3rd party links on Unowallet.

It is a good practice to frequently change (get a new) unowallet url  (by visiting a bare url) and never using the old one again. This is akin to changing passwords frequently. Also, it is never a good practice to store any large amount in URL wallets.

URLs are encrypted. Why do you persist in spouting nonsense? And as far as web servers go I've stated clearly above that the destination server may keep logs of the URLs. You've even quoted that without reading it.

This is definitely False. If you have access to any webserver, please go through the access logs.
My statement still holds good. URLS ARE NOT ENCRYPTED IN SSL V3.0 / TLS 1.0 / 1.1

If you want to test it yourlself, then use a free tool called BURP Proxy from Port Swigger.

1) Install or RUN it on your laptop / Desktop (By default it listens on 127.0.0.1:8080)
2) Open up Firefox or any of your browser (In network connections, configure your browser to pass through this proxy 127.0.0.1:8080)
3) Now access gmail or any HTTPS site or for that matter unowallet.
4) You will see for yourself. If you want clarification, come back and post the results and i can explain it in detail.

The URL can be viewed/ stored by firewalls, gateways, etc... The information passed between is encrypted.

In the case of a URL wallet without additional protection, this is as good as passing a password across in cleartext.

If I am not wrong, your server stores all URL's accessed from the domain.

URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

http://stackoverflow.com/questions/499591/are-https-urls-encrypted

This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

Am not sure if i understand correctly here when you say Unowallet only allows https urls, so this string is always sent encrypted over the network but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

URL encryption is done only during IPSEC tunneling (eg : VPN).

The URL's are logged by user's browsers, intermediate ISP server logs and destination server logs and all the servers in between.

Sending anything critical via the URL is a very bad idea. Part of my masters project was based on breaking the AES encryption of the users accessing secure sites within the same LAN.

That is the reason, sites don't send user's PII (Personally Identifiable Information) using GET request (in URL).
Don't send anything critical via the URL. Make sure you send it as POST request within the HTTP packet and not in HTTP header.

P.S : If i have helped, then my btc address is in my signature. Tips are always welcome.
Thanks,

Unowallet is amazing! I mean its nuts but also amazing!

BTW you don't own unowallet.com do you? I bet a lot of people are going to end up there instead.

Unobase's auth is overkill. It does seem to have appropriate uses in a networked/ enterprise environment though.

2FA and passwords DO NOT defeat the purpose of an URL based wallet for sure. I understand your need to keep this stateless, but adding some form of authentication will definitely get my vote. I have woken up to empty wallets before and it is really not a good feeling when you need to store your funds in a place where you have no control over the security.

What risks are you likely to encounter by adding an identifier database?

You are still not storing private keys with this exercise.

This would also solve the problem of URL recording software/ malware.

Ping me when you get on Hangout... Will push through some info on making this better.

Thanks to everyone for their feedback. We give below a brief description of Unowallet.

How Unowallet works?

• When a full Unowallet url is accessed (e.g., uno-wallet.com/wallet/SomeSecretString),  the string after wallet/ is used to generate a private key in a deterministic way. The corresponding bitcoin address is then computed. Finally, the unspent outputs for that address are obtained and the balance computed. The wallet literally exists only when the url is open in the user's browser. The server never stores anything (urls/private keys/addresses) after that.
  
  Unowallet only allows https urls, so this string is always sent encrypted over the network. No one except your browser and our server have access to this string. Unowallet accepts any ASCII alphanumeric string of up to 50 characters. If this string is generated truly randomly, there is almost zero chance of someone guessing or bruteforcing it (see next point).
  
  
• When bare Unowallet url is visited (i.e.. uno-wallet.com/wallet or uno-wallet.com), a random 50 character string is generated automatically for the user to form a full url. Again, this string never travels over the network unencrypted. Only your browser and our server have access to this in plaintext.
  
  Of course, you are free to use any string after wallet/ as long as you ensure that it is hard to guess. For example, do not use a url such as uno-wallet.com/wallet/SatoshiNakamoto
  

Recommended way to use unowallet:

• Use TOR for added privacy. Our server will not know your real IP address.
• Do not use any proxy servers to access unowallet.
• Always access it from a secure computer (no viruses/browser extensions).
• Always keep the url with you in a safe place. Email it to yourself if necessary.
• Save also the private key so you are not tied to unowallet when spending funds. In fact, save the entire page, which contains all the necessary information.
• Unowallet is designed for those people who need an instant address for receiving funds that they plan to move somewhere else soon afterwards. We do not recommend storing large amount there.
  

Are my coins really safe in Unowallet?
Although Unowallet is one of the easiest and fastest wallets to use (and its free!), it should be used only by people who have some knowledge about Bitcoin and know basic concepts of security. Several things can go wrong and cause you to lose your bitcoins.

What can go wrong? These are some ways in which your wallet/url can be compromised:
- Virus/trojans can capture every url you visit.
- Browser extensions may log urls and forward to 3rd party sites (such as Google) for indexing.
- You use an easily guessable url.
- You use a url sent by (or shared with) someone else.
- You use a url found from a search engine.

We will probably not be able to help you out if you lose funds due to any of the above. Nevertheless, if such incidents happen, please do email us with details.

How is Unowallet different from other 'instant' wallets?
In a few ways: (1) Unowallet is entirely stateless. We do not store anything that can be used by an attacker to obtain the private key of a Unowallet address, should our site be hacked.
(2) We also give you the private key to your address when you access a wallet (which you must save!), so you have full control of the funds in that address. (3) Unowallet transactions are 'on-chain'.

What about passwords/2FA/etc?
Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc.  


Disclaimer:
Unowallet service is provided AS IS. This implies that we are not liable for any bitcoins you lose via Unowallet, irrespective of whether it is our fault or not.

Hi Dashingriddler,

SSL urls are encrypted (at least the stuff after the base url) as discussed in the following post

http://stackoverflow.com/questions/499591/are-https-urls-encrypted

Guessing or bruteforcing the URL is like guessing or bruteforcing the private key. So i am not bothered at this level.
To me the network seems to be little vulnurable. I dont know if SSL protects the data only or will include a level of encryption for URL itself. Also the URLs get stored in history of the browser and such. The guy from behind you can just take a photo of the URL without your knowledge using his mobile phone.

One thing that can be done along with what ever is already there is:
Navigate to the home age of uno wallet and on that page the code that you give in the URL should be there as plain text masked with javascript, then provide a text box where u enter the code that u see in the URL itself and it gets submitted to the server as POST and loads the new page - and hence the URL itself never include any private info.
So basically the new user will copy the code from the home page and store it safely while the repeat users would enter the code to go to access the wallet.

It would help to add a layer of protection with a password or some other multi-auth method. It is likely to store wealth and in the event that it does gather significant value, it will become a target to list based attacks, etc. A password mechanism built into the same URL would be sweet.

passwords can be bruteforced too.. so no less security than passwords.

MAJOR SECURITY FLAW.

Someone can easily get lucky and "guess" or bruteforce into wallet URL.
There is no password ability given what so ever.. Any BTC put in these wallets are open for the taking..

 1AAcnJvU4oVTXqYj6K4pqRRW5HLLFdugoX

Change the look and feel of the site

Make things more attractive like others

Here is the latest version of unowallet [a secure instant bitcoin wallet].  No longer in alpha, now in beta:

https://unowallet.cfapps.io/wallet

Important Note:  if you send funds to an unowallet, you must remember the URL.  If you forget to record the URL, you will lose your bitcoin! 

Why?  UnoWallet is stateless.  This means that each wallet is created on the fly, in real time, and our servers do not record the URLs or private keys of users at any point in time.  Why?  if there's no server, there's no data to hack!

Another Important Note:  unowallet provides you with the private key of each wallet.  This way, even if you ever forget your URL, as long as you save your private key, you will be able to retrieve your funds from anywhere.

We would like to get feedback for this wallet, both positive and negative. If you like the idea and find it useful, consider donating to support further development. The address is mentioned on the site.

Cool, didn't know that Benson.  Nice to meet you davout.  

Ok, I'll up the bounty to 1 btc.  And I've also created this address to collect additional funds from anybody who wishes to support this initiative, please send bitcoin here to sweeten the pot to help find the first big flaw:

12aBAC1caY4CFLMSKNgGSrMsodHRNALdkS

Will give our engineers another week to tighten up any obvious issues from our end.  

Then will increase bounty pledge to 2 btc....