Topic: A few basic questions regarding the new web wallet

Offline fav

Once we start using the graphene web wallet, is there any way to create a backup? I have been trying it with no success. Safari browser launches another browser tab, but there is no file. Anyone know anything about that?

can backup in chrome without any issues

Offline bitacer

Once we start using the graphene web wallet, is there any way to create a backup? I have been trying it with no success. Safari browser launches another browser tab, but there is no file. Anyone know anything about that?

Offline boombastic

Not automatically. You need to back up your brainkey and import that into graphehe.bitshares.org.
http://bitshares.dacplay.org/r/boombastic
Support My Witness: mr.agsexplorer
BTC: 1Bb6V1UStz45QMAamjaX8rDjsnQnBpHvE8

Offline wmbutler

Will accounts registered at wallet.bitshares.org be converted to 2.0 automatically?
PTS: PnBVP1iLTsV6U8z4BeJYhF8jMpkLhtTi9r
BTS2.0: billbutler
There are 10 kinds of people. Those who understand binary and those who do not.

Offline VoR0220

I'm also wondering if it's at all possible for an SPV-like function in the future?

Yes

This is not the web wallet, correct? If so, when do you think this will be available to us?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline bytemaster

I'm also wondering if it's at all possible for an SPV-like function in the future?

Yes
For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else. These are merely my opinions and I reserve the right to change them at any time.

Offline VoR0220

I'm also wondering if it's at all possible for an SPV-like function in the future?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline VoR0220

I actually had a few questions about this as well... how much trust are we going to have to put into the server? Is there the possibility of reconfiguring the web wallet features to a different server?
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline fav

It is a "brain wallet", private keys are never stored on the server, but kept encrypted in local browser storage and a backup of the key can be made on paper.

So to someone who is not technical, what will be the safest way to access your web wallet - have a dedicated browser used for the purpose? Maybe have a browser on a USB for the purpose?

I heard BM talk about a wrapper, but that has a whole different meaning to me than I think he was referring to ;D

I'd just use incognito mode

Offline mike623317

It is a "brain wallet", private keys are never stored on the server, but kept encrypted in local browser storage and a backup of the key can be made on paper.

So to someone who is not technical, what will be the safest way to access your web wallet - have a dedicated browser used for the purpose? Maybe have a browser on a USB for the purpose?

I heard BM talk about a wrapper, but that has a whole different meaning to me than I think he was referring to ;D

Offline arhag

If the server is compromised and can submit alternative javascript then active users are vulnerable unless they use a plugin.

Wonderful. With browser extensions and (client) proper security it should then not be any more dangerous to use a remote server as the wallet vs local.

I feel like it is worth mentioning that if the server is compromised (not just read-only) and even if the user is using a plugin rather than a hosted wallet, it is still less secure than accessing a local node. Sure, the private keys aren't in danger, and with this addition the client won't even fall for the trick of replacing the ID of the legitimate recipient's account name with the attacker's ID, but the attacker could still pull off other attacks. For example, the attacker could do a double-spend attack: make it appear as if the user received money when they really didn't and before the user realizes they're under attack, they may have already given away the good or, more realistically, sent the irreversible digital tokens (e.g. ACCT between BTC and BitAssets) to the attacker. The attacker could also falsify the order book, potentially scaring the user into placing a stupid bid that ends up being to the attacker's advantage (however this would be a less likely and probably less profitable attack). Also, if the user creates a brand new account and sends funds to it all while the host is compromised, they are very vulnerable to losing all of those sent funds to the attacker. And finally, who knows what other attacks become possible with a compromised host when new smart contracts are added that the user can interact with.

Offline karnal

Wonderful. With browser extensions and (client) proper security it should then not be any more dangerous to use a remote server as the wallet vs local.

I must say I'm impressed, you guys are covering a lot of angles here. Good stuff man, good stuff.


Offline bytemaster

It is a "brain wallet", private keys are never stored on the server, but kept encrypted in local browser storage and a backup of the key can be made on paper.

2FA will not be there on day one... but is planned

A malicious server could patch the javascript to steal the private key if and only if the user unlocks their wallet for spending; however, we plan to offer a plugin that does not fetch code from the server which will prevent this from happening.

If the server is compromised (read only) then everyone is safe. 
If the server is compromised and can submit alternative javascript then active users are vulnerable unless they use a plugin.

Backend is pure websockets/http proxy is separate. 
For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else. These are merely my opinions and I reserve the right to change them at any time.
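
The storage model described in the post above (private key kept encrypted in local browser storage and decrypted only on unlock), sketched as an added example that is not part of the thread and is not BitShares code. The scrypt and AES-256-GCM choices, the function names and the sample key are assumptions, and Node's `crypto` module stands in for the browser.

```javascript
// Added illustration, not BitShares/graphene code. Node's crypto module stands
// in for the browser; cipher, KDF and all names here are assumptions.
const crypto = require('crypto');

const KEYLEN = 32;                        // AES-256 key size
const SCRYPT = { N: 16384, r: 8, p: 1 };  // assumed cost parameters

// Encrypt the private key under the user's password. Only the returned JSON
// string is persisted (localStorage in a browser); nothing goes to the server.
function lockWallet(privateKey, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, KEYLEN, SCRYPT);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]);
  return JSON.stringify({
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  });
}

// Decrypt for spending. Returns null for a wrong password or a modified blob
// (the GCM tag check fails). The plaintext key exists in page memory only from
// this point on, which is why the post singles out the unlock step.
function unlockWallet(stored, password) {
  const b = JSON.parse(stored);
  const key = crypto.scryptSync(password, Buffer.from(b.salt, 'hex'), KEYLEN, SCRYPT);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(b.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(b.tag, 'hex'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(b.ct, 'hex')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample values, not real credentials.
const SAMPLE_KEY = 'constructed-sample-private-key';
const stored = lockWallet(SAMPLE_KEY, 'correct horse battery staple');
console.log(stored.includes(SAMPLE_KEY));                                         // false
console.log(unlockWallet(stored, 'correct horse battery staple') === SAMPLE_KEY); // true
console.log(unlockWallet(stored, 'wrong password'));                              // null
```

Anyone who can only read the stored blob gets ciphertext; the protection ends once the page holds the decrypted key, so it does nothing against code that runs in the page after unlock.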

Offline karnal

If these have been answered elsewhere, could you point to the source?

- Will it have built-in TOTP support (2fa)?
- If yes, for which operations? [login, withdrawals, etc]

- Is it a pure brain-wallet like in NXT?
- If not, where is the wallet information stored? Client/browser or server?

- Can a malicious server operator patch the javascript to steal user credentials and impersonate them?
- If a wallet server is compromised, do users with wallets there get mtgoxed?

- Is SOCKS5/HTTP proxying baked in the 2.0 wallet/daemon? [connect to rpc server via proxy | connect to other peers via proxy]
« Last Edit: June 11, 2015, 05:59:11 pm by karnal »