Pages:
Author

Topic: UnoWallet - Instant Bitcoin Wallet (Read 4763 times)

hero member
Activity: 692
Merit: 569
October 30, 2013, 09:00:32 AM
#27
Hi guys,
I like the idea, here are few of my concerns :

1. Adding a "Copy" private key is not a good idea. If you have some evil flash objects and slightly stupid user , you private key is gone. http://sdqali.in/blog/2013/04/05/clipboard-javascript/ . I dont think we should encourage user to put private keys in clipboard. Downloading a wallet file is a better option
2. Another concern/question is what entropy source are you using to automatically create the 50 chars long string ?Are you making sure there is enough entropy
3. What algorithm are using to create private key from the 50 char string? If you are doing sha 256 like http://brainwallet.org/, it makes no sense to randomize 50 char string, you can limit yourself to 8 characters.

Go Bitcoin!
newbie
Activity: 6
Merit: 0
October 30, 2013, 02:52:07 AM
#26
Thanks to americandesi and Abdussamad for their feedback on the security of unowallet.

Below is a summary of possible known methods of url leakage from what I understood from this:

1. Server logs: we are in control of the logs, so I would not worry too much about it.
2. Browser extensions, toolbars and plugins: user is in control of it and we expect the user should have basic knowledge of their own system before using unowallet.
If you believe your wallet is compromised due to this, please "abandon" that wallet and get a new one (by visiting the unowallet bare url) and then transfer your funds to the new one.
3. Referer headers: this is the most important issue I could get from this. Fortunately Unowallet currently does not refer to any 3rd party sites. However, every developer needs to be aware of it when storing secrets in URLs. We will not put any 3rd party links on Unowallet.

It is a good practice to frequently change (get a new) unowallet url  (by visiting a bare url) and never using the old one again. This is akin to changing passwords frequently. Also, it is never a good practice to store any large amount in URL wallets.



legendary
Activity: 3710
Merit: 1586
October 28, 2013, 05:31:14 PM
#25
but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

http://stackoverflow.com/questions/499591/are-https-urls-encrypted

This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

This is definitely False. If you have access to any webserver, please go through the access logs.
My statement still holds good. URLS ARE NOT ENCRYPTED IN SSL V3.0 / TLS 1.0 / 1.1


URLs are encrypted. Why do you persist in spouting nonsense? And as far as web servers go I've stated clearly above that the destination server may keep logs of the URLs. You've even quoted that without reading it.
hero member
Activity: 518
Merit: 500
BTC < > INR & USD
October 28, 2013, 05:25:39 PM
#24
but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

http://stackoverflow.com/questions/499591/are-https-urls-encrypted

This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

This is definitely False. If you have access to any webserver, please go through the access logs.
My statement still holds good. URLS ARE NOT ENCRYPTED IN SSL V3.0 / TLS 1.0 / 1.1

If you want to test it yourlself, then use a free tool called BURP Proxy from Port Swigger.

1) Install or RUN it on your laptop / Desktop (By default it listens on 127.0.0.1:8080)
2) Open up Firefox or any of your browser (In network connections, configure your browser to pass through this proxy 127.0.0.1:8080)
3) Now access gmail or any HTTPS site or for that matter unowallet.
4) You will see for yourself. If you want clarification, come back and post the results and i can explain it in detail.
legendary
Activity: 1890
Merit: 1000
Landscaping Bitcoin for India!
October 28, 2013, 04:14:18 PM
#23
but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

http://stackoverflow.com/questions/499591/are-https-urls-encrypted

This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.

The URL can be viewed/ stored by firewalls, gateways, etc... The information passed between is encrypted.

In the case of a URL wallet without additional protection, this is as good as passing a password across in cleartext.

If I am not wrong, your server stores all URL's accessed from the domain.
legendary
Activity: 3710
Merit: 1586
October 28, 2013, 02:49:27 PM
#22
but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

URL's *are* encrypted when you access a website via HTTPS. First the encrypted connection is negotiated then requests for web pages and hostnames are sent over:

http://stackoverflow.com/questions/499591/are-https-urls-encrypted

This is why you've traditionally been restricted to one HTTPS domain per IP address because the host name header is sent after the SSL connection has been established. That changes with SNI of course.

URL's are logged by the user's browser and the destination server if it maintains logs. Intermediate servers can't log them because they are encrypted.
hero member
Activity: 518
Merit: 500
BTC < > INR & USD
October 28, 2013, 11:06:02 AM
#21
Thanks to everyone for their feedback. We give below a brief description of Unowallet.

How Unowallet works?
    • When a full Unowallet url is accessed (e.g., uno-wallet.com/wallet/SomeSecretString),  the string after wallet/ is used to generate a private key in a deterministic way. The corresponding bitcoin address is then computed. Finally, the unspent outputs for that address are obtained and the balance computed. The wallet literally exists only when the url is open in the user's browser. The server never stores anything (urls/private keys/addresses) after that.

      Unowallet only allows https urls, so this string is always sent encrypted over the network. No one except your browser and our server have access to this string. Unowallet accepts any ASCII alphanumeric string of up to 50 characters. If this string is generated truly randomly, there is almost zero chance of someone guessing or bruteforcing it (see next point). [/i][/b]

    • When bare Unowallet url is visited (i.e.. uno-wallet.com/wallet or uno-wallet.com), a random 50 character string is generated automatically for the user to form a full url. Again, this string never travels over the network unencrypted. Only your browser and our server have access to this in plaintext.

      There are approximately 2298 strings of 50 alphanumeric characters. So the chance of someone guessing any url generated by our site is very low. In particular, using the birthday problem, even if we generate 2100 urls, the probability of at least one collision is only about 2-99.

      Of course, you are free to use any string after wallet/ as long as you ensure that it is hard to guess. For example, do not use a url such as uno-wallet.com/wallet/SatoshiNakamoto

    Recommended way to use unowallet:
    • Use TOR for added privacy. Our server will not know your real IP address.
    • Do not use any proxy servers to access unowallet.
    • Always access it from a secure computer (no viruses/browser extensions).
    • Always keep the url with you in a safe place. Email it to yourself if necessary.
    • Save also the private key so you are not tied to unowallet when spending funds. In fact, save the entire page, which contains all the necessary information.
    • Unowallet is designed for those people who need an instant address for receiving funds that they plan to move somewhere else soon afterwards. We do not recommend storing large amount there.

    Are my coins really safe in Unowallet?
    Although Unowallet is one of the easiest and fastest wallets to use (and its free!), it should be used only by people who have some knowledge about Bitcoin and know basic concepts of security. Several things can go wrong and cause you to lose your bitcoins.

    What can go wrong? These are some ways in which your wallet/url can be compromised:
    - Virus/trojans can capture every url you visit.
    - Browser extensions may log urls and forward to 3rd party sites (such as Google) for indexing.
    - You use an easily guessable url.
    - You use a url sent by (or shared with) someone else.
    - You use a url found from a search engine.

    We will probably not be able to help you out if you lose funds due to any of the above. Nevertheless, if such incidents happen, please do email us with details.

    How is Unowallet different from other 'instant' wallets?
    In a few ways: (1) Unowallet is entirely stateless. We do not store anything that can be used by an attacker to obtain the private key of a Unowallet address, should our site be hacked.
    (2) We also give you the private key to your address when you access a wallet (which you must save!), so you have full control of the funds in that address. (3) Unowallet transactions are 'on-chain'.

    What about passwords/2FA/etc?
    Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc. 


    Disclaimer:
    Unowallet service is provided AS IS. This implies that we are not liable for any bitcoins you lose via Unowallet, irrespective of whether it is our fault or not.


    Am not sure if i understand correctly here when you say Unowallet only allows https urls, so this string is always sent encrypted over the network but URL's sent via HTTPS are NOT encrypted. HTTPS encrypts data that are only sent through POST request.
    In the sense, SSL encrypts only the HTTP packets and doesnot encrypt the HTTP headers (which includes URL). Hence it is called Transport Layer Security (TLS)

    URL encryption is done only during IPSEC tunneling (eg : VPN).

    The URL's are logged by user's browsers, intermediate ISP server logs and destination server logs and all the servers in between.

    Sending anything critical via the URL is a very bad idea. Part of my masters project was based on breaking the AES encryption of the users accessing secure sites within the same LAN.

    That is the reason, sites don't send user's PII (Personally Identifiable Information) using GET request (in URL).
    Don't send anything critical via the URL. Make sure you send it as POST request within the HTTP packet and not in HTTP header.

    P.S : If i have helped, then my btc address is in my signature. Tips are always welcome.
    Thanks,
    legendary
    Activity: 3710
    Merit: 1586
    October 28, 2013, 08:07:09 AM
    #20
    Unowallet is amazing! I mean its nuts but also amazing!

    BTW you don't own unowallet.com do you? I bet a lot of people are going to end up there instead.
    legendary
    Activity: 1890
    Merit: 1000
    Landscaping Bitcoin for India!
    October 10, 2013, 06:41:13 AM
    #19
    Quote
    What about passwords/2FA/etc?
    Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc. 

    Unobase's auth is overkill. It does seem to have appropriate uses in a networked/ enterprise environment though.

    2FA and passwords DO NOT defeat the purpose of an URL based wallet for sure. I understand your need to keep this stateless, but adding some form of authentication will definitely get my vote. I have woken up to empty wallets before and it is really not a good feeling when you need to store your funds in a place where you have no control over the security.

    What risks are you likely to encounter by adding an identifier database?

    You are still not storing private keys with this exercise.

    This would also solve the problem of URL recording software/ malware.

    Ping me when you get on Hangout... Will push through some info on making this better.
    newbie
    Activity: 6
    Merit: 0
    September 22, 2013, 05:50:53 PM
    #18
    Thanks to everyone for their feedback. We give below a brief description of Unowallet.

    How Unowallet works?
    • When a full Unowallet url is accessed (e.g., uno-wallet.com/wallet/SomeSecretString),  the string after wallet/ is used to generate a private key in a deterministic way. The corresponding bitcoin address is then computed. Finally, the unspent outputs for that address are obtained and the balance computed. The wallet literally exists only when the url is open in the user's browser. The server never stores anything (urls/private keys/addresses) after that.

      Unowallet only allows https urls, so this string is always sent encrypted over the network. No one except your browser and our server have access to this string. Unowallet accepts any ASCII alphanumeric string of up to 50 characters. If this string is generated truly randomly, there is almost zero chance of someone guessing or bruteforcing it (see next point).

    • When bare Unowallet url is visited (i.e.. uno-wallet.com/wallet or uno-wallet.com), a random 50 character string is generated automatically for the user to form a full url. Again, this string never travels over the network unencrypted. Only your browser and our server have access to this in plaintext.

      Of course, you are free to use any string after wallet/ as long as you ensure that it is hard to guess. For example, do not use a url such as uno-wallet.com/wallet/SatoshiNakamoto

    Recommended way to use unowallet:
    • Use TOR for added privacy. Our server will not know your real IP address.
    • Do not use any proxy servers to access unowallet.
    • Always access it from a secure computer (no viruses/browser extensions).
    • Always keep the url with you in a safe place. Email it to yourself if necessary.
    • Save also the private key so you are not tied to unowallet when spending funds. In fact, save the entire page, which contains all the necessary information.
    • Unowallet is designed for those people who need an instant address for receiving funds that they plan to move somewhere else soon afterwards. We do not recommend storing large amount there.

    Are my coins really safe in Unowallet?
    Although Unowallet is one of the easiest and fastest wallets to use (and its free!), it should be used only by people who have some knowledge about Bitcoin and know basic concepts of security. Several things can go wrong and cause you to lose your bitcoins.

    What can go wrong? These are some ways in which your wallet/url can be compromised:
    - Virus/trojans can capture every url you visit.
    - Browser extensions may log urls and forward to 3rd party sites (such as Google) for indexing.
    - You use an easily guessable url.
    - You use a url sent by (or shared with) someone else.
    - You use a url found from a search engine.

    We will probably not be able to help you out if you lose funds due to any of the above. Nevertheless, if such incidents happen, please do email us with details.

    How is Unowallet different from other 'instant' wallets?
    In a few ways: (1) Unowallet is entirely stateless. We do not store anything that can be used by an attacker to obtain the private key of a Unowallet address, should our site be hacked.
    (2) We also give you the private key to your address when you access a wallet (which you must save!), so you have full control of the funds in that address. (3) Unowallet transactions are 'on-chain'.

    What about passwords/2FA/etc?
    Unowallet does not support passwords or 2FA because it defeats the very purpose of url-based wallets. For those who are troubled with the "url-based-wallet" concept, we have another wallet in the beta-testing phase, called Unobase. This does authentication via OpenID using a provider such as Google/Yahoo/AOL/etc.  


    Disclaimer:
    Unowallet service is provided AS IS. This implies that we are not liable for any bitcoins you lose via Unowallet, irrespective of whether it is our fault or not.
    legendary
    Activity: 1001
    Merit: 1005
    September 21, 2013, 04:00:37 PM
    #17
    Hi Dashingriddler,

    SSL urls are encrypted (at least the stuff after the base url) as discussed in the following post

    http://stackoverflow.com/questions/499591/are-https-urls-encrypted

    legendary
    Activity: 1258
    Merit: 1001
    September 21, 2013, 01:51:38 AM
    #16
    MAJOR SECURITY FLAW.

    Someone can easily get lucky and "guess" or bruteforce into wallet URL.
    There is no password ability given what so ever.. Any BTC put in these wallets are open for the taking..

     1AAcnJvU4oVTXqYj6K4pqRRW5HLLFdugoX
    Guessing or bruteforcing the URL is like guessing or bruteforcing the private key. So i am not bothered at this level.
    To me the network seems to be little vulnurable. I dont know if SSL protects the data only or will include a level of encryption for URL itself. Also the URLs get stored in history of the browser and such. The guy from behind you can just take a photo of the URL without your knowledge using his mobile phone.

    One thing that can be done along with what ever is already there is:
    Navigate to the home age of uno wallet and on that page the code that you give in the URL should be there as plain text masked with javascript, then provide a text box where u enter the code that u see in the URL itself and it gets submitted to the server as POST and loads the new page - and hence the URL itself never include any private info.
    So basically the new user will copy the code from the home page and store it safely while the repeat users would enter the code to go to access the wallet.
    legendary
    Activity: 1890
    Merit: 1000
    Landscaping Bitcoin for India!
    September 20, 2013, 09:22:13 PM
    #15
    passwords can be bruteforced too.. so no less security than passwords.

    It would help to add a layer of protection with a password or some other multi-auth method. It is likely to store wealth and in the event that it does gather significant value, it will become a target to list based attacks, etc. A password mechanism built into the same URL would be sweet.
    legendary
    Activity: 1001
    Merit: 1005
    September 19, 2013, 03:03:44 PM
    #14
    passwords can be bruteforced too.. so no less security than passwords.
    legendary
    Activity: 1358
    Merit: 1003
    Designer - Developer
    September 19, 2013, 05:33:39 AM
    #13
    MAJOR SECURITY FLAW.

    Someone can easily get lucky and "guess" or bruteforce into wallet URL.
    There is no password ability given what so ever.. Any BTC put in these wallets are open for the taking..

     1AAcnJvU4oVTXqYj6K4pqRRW5HLLFdugoX
    full member
    Activity: 196
    Merit: 100
    September 19, 2013, 05:10:57 AM
    #12
    Change the look and feel of the site

    Make things more attractive like others
    member
    Activity: 75
    Merit: 10
    August 08, 2013, 10:50:54 PM
    #11
    Here is the latest version of unowallet [a secure instant bitcoin wallet].  No longer in alpha, now in beta:

    https://unowallet.cfapps.io/wallet

    Important Note:  if you send funds to an unowallet, you must remember the URL.  If you forget to record the URL, you will lose your bitcoin! 

    Why?  UnoWallet is stateless.  This means that each wallet is created on the fly, in real time, and our servers do not record the URLs or private keys of users at any point in time.  Why?  if there's no server, there's no data to hack!

    Another Important Note:  unowallet provides you with the private key of each wallet.  This way, even if you ever forget your URL, as long as you save your private key, you will be able to retrieve your funds from anywhere.
    legendary
    Activity: 1890
    Merit: 1000
    Landscaping Bitcoin for India!
    July 07, 2013, 01:13:32 AM
    #10
    Quote
    Hi,

    I was testing the wallet last night and made a couple of changes without realizing it was the production version Smiley
    I have reverted those changes.
    In case you transferred money since last night after meetup and before today morning 11AM,
    your funds are available in a different wallet.

    http://oldwallet.wetakecoins.cloudbees.net/

    Funds transferred before yesterday evening and after today morning ar in the original wallet.

    http://wallet.wetakecoins.cloudbees.net/

    Thanks
    newbie
    Activity: 6
    Merit: 0
    July 06, 2013, 01:46:13 AM
    #9
    We would like to get feedback for this wallet, both positive and negative. If you like the idea and find it useful, consider donating to support further development. The address is mentioned on the site.
    member
    Activity: 75
    Merit: 10
    July 05, 2013, 09:22:37 AM
    #8
    Haha, 0.1 BTC

    Much smarter to keep the major flaw for yourself and exploit it once you get traffic.

    Good point.  You have a better idea for encouraging people to help us beta test?

    By the way, if you do lose a few satoshis caused by an error on our part, we will refund you the satoshis (within reason).  

    [again, we are in tinkering mode, do NOT put anything more than spare change here.]

    And if you are looking for a GREAT e-wallet, please visit blockchain.info  

    I do believe that davout wrote Instawallet.
    He might be referring to a higher bounty on the Major flaw bit.

    Cool, didn't know that Benson.  Nice to meet you davout.  Smiley

    Ok, I'll up the bounty to 1 btc.  And I've also created this address to collect additional funds from anybody who wishes to support this initiative, please send bitcoin here to sweeten the pot to help find the first big flaw:

    12aBAC1caY4CFLMSKNgGSrMsodHRNALdkS

    Will give our engineers another week to tighten up any obvious issues from our end.  

    Then will increase bounty pledge to 2 btc....  
    Pages:
    Jump to: