Author Topic: A Little Help with security  (Read 2394 times)


Offline puppies

  • Hero Member
  • Posts: 1659
  • BitShares: puppies
Open ledger never sees your password or private keys.  You do however rely on open ledger to serve up the JavaScript that is the actual wallet.  This JavaScript then runs in your browser. 

The risk is that someone could hack open ledger and replace the real wallet JavaScript with JavaScript that would steal your private keys. 

You would have to go to open ledger and unlock your account while the server is compromised for this to happen.

If you were to switch to the lite wallet now then you would have no extra risk from having accessed open ledger in your browser in the past.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads
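
For the risk described in the post above (the server swapping the wallet JavaScript), a locally saved copy of the wallet files can be checked against pinned digests before it is opened. This is an added example, not part of any post and not OpenLedger or BitShares code; the file names, contents and function names are constructed, and it assumes the pinned manifest was obtained from a source other than the web server being checked.

```javascript
// Added example: compare wallet files against a pinned digest manifest.
// All file names and contents below are constructed for illustration.
const { createHash } = require('node:crypto');

// Digest in the "sha384-<base64>" form used by Subresource Integrity.
function digest(bytes) {
  return 'sha384-' + createHash('sha384').update(bytes).digest('base64');
}

// Build {fileName: digest} from a copy you trust (assumed: a verified release).
function buildManifest(files) {
  const manifest = {};
  for (const [name, bytes] of Object.entries(files)) manifest[name] = digest(bytes);
  return manifest;
}

// Report every difference between a bundle and the pinned manifest.
function verifyBundle(files, manifest) {
  const problems = [];
  for (const [name, expected] of Object.entries(manifest)) {
    if (!Object.hasOwn(files, name)) problems.push(`missing: ${name}`);
    else if (digest(files[name]) !== expected) problems.push(`modified: ${name}`);
  }
  // A file the release never shipped is as suspicious as a changed one.
  for (const name of Object.keys(files)) {
    if (!Object.hasOwn(manifest, name)) problems.push(`unexpected: ${name}`);
  }
  return problems.sort();
}

// Constructed "known good" copy and the manifest pinned from it.
const trusted = {
  'index.html': Buffer.from('<script src="app.js"></script>'),
  'app.js': Buffer.from('function unlock(pw) { return deriveKey(pw); }'),
};
const pinned = buildManifest(trusted);

// Constructed copy fetched later: one file changed, one file added.
const served = {
  'index.html': trusted['index.html'],
  'app.js': Buffer.from('function unlock(pw) { return deriveKey(pw); } /* changed */'),
  'extra.js': Buffer.from('/* file not in the pinned release */'),
};

console.log(verifyBundle(trusted, pinned));
console.log(verifyBundle(served, pinned));
```

The check only helps if the bundle is verified before the password is typed into it; a page that is fetched and run directly from the server on every visit never passes through this step.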

Offline d3adh3ad

  • Jr. Member
  • Posts: 26
Sorry, I don't know how to tag @ccedk from tapatalk.

Offline d3adh3ad

  • Jr. Member
  • Posts: 26

@fav
  "1. someone could hack openledger and modify the code (grab your pw) - man in the middle attacks are certainly possible. hope they add 2fa soon"

That is a bit disturbing.. I hadn't realized that until now..
So keeping bts in the webwallet of OL is much much less secure than keeping btc in my bitcoinwallet on my pc, since most probably no one will ever care to try and hack me but most probably people will attempt to hack OL?
So we are promoting a decentralized exchange which is vulnerable to hacks as any other centralized exchange? If that ever happens then we can kiss goodbye bts price for ever..

there's always some risk... you can use the light wallet or run the wallet html files locally in your browser as an alternative to OL

But no trading on OL without inputting your password into a web page that is hosted by openledger? Even if I take my wallet download and load it into the lite wallet I still might feel that my wallet with the current password is tainted. Perhaps @ccedk could weigh in here. I'm sure I just missed it but surely there is a page somewhere that tells a new user this. I would have done things differently if these assumptions are true. I have to believe that this has been addressed somehow although I lack the ability to figure that out.

Offline fav

  • Hero Member
  • Posts: 4278
  • No Pain, No Gain
  • BitShares: fav
@fav
  "1. someone could hack openledger and modify the code (grab your pw) - man in the middle attacks are certainly possible. hope they add 2fa soon"

That is a bit disturbing.. I hadn't realized that until now..
So keeping bts in the webwallet of OL is much much less secure than keeping btc in my bitcoinwallet on my pc, since most probably no one will ever care to try and hack me but most probably people will attempt to hack OL?
So we are promoting a decentralized exchange which is vulnerable to hacks as any other centralized exchange? If that ever happens then we can kiss goodbye bts price for ever..

there's always some risk... you can use the light wallet or run the wallet html files locally in your browser as an alternative to OL

Offline mf-tzo

  • Hero Member
  • Posts: 1725
@fav
  "1. someone could hack openledger and modify the code (grab your pw) - man in the middle attacks are certainly possible. hope they add 2fa soon"

That is a bit disturbing.. I hadn't realized that until now..
So keeping bts in the webwallet of OL is much much less secure than keeping btc in my bitcoinwallet on my pc, since most probably no one will ever care to try and hack me but most probably people will attempt to hack OL?
So we are promoting a decentralized exchange which is vulnerable to hacks as any other centralized exchange? If that ever happens then we can kiss goodbye bts price for ever..



Offline fav

  • Hero Member
  • Posts: 4278
  • No Pain, No Gain
  • BitShares: fav
1. someone could hack openledger and modify the code (grab your pw) - man in the middle attacks are certainly possible. hope they add 2fa soon
2. 1.0 is irrelevant now
3. I use truecrypt / encrypted tar files as storage :)

Offline d3adh3ad

  • Jr. Member
  • Posts: 26
So using openledger's web wallet, I have imported my 1.0 keys and claimed my balances into my new account. My questions are:

1. Is using the webwallet a security risk? If so, why? (I have searched but info on this isn't easy to find)
2. My passphrase on my 1.0 wallet was good but not great. My 2.0 account has a much better passphrase. Since my 1.0 keys are now imported and the balances claimed, is my 1.0 passphrase irrelevant? Do I need to do anything to protect those keys or the balances in them that continue to vest?
3. Assuming I keep my passphrase safe, is it safe to store the wallet file in a cloud service?

Thanks for your help in advance!
D3adh3ad