BitShares Forum

Main => Technical Support => Topic started by: karnal on June 11, 2015, 05:55:50 pm

Title: A few basic questions regarding the new web wallet
Post by: karnal on June 11, 2015, 05:55:50 pm
If these have been answered elsewhere, could you point to the source?

- Will it have built-in TOTP support (2fa)?
- If yes, for which operations? [login, withdrawals, etc]

- Is it a pure brain-wallet like in NXT?
- If not, where is the wallet information stored? Client/browser or server?

- Can a malicious server operator patch the JavaScript to steal user credentials and impersonate them?
- If a wallet server is compromised, do users with wallets there get mtgoxed?

- Is SOCKS5/HTTP proxying baked in the 2.0 wallet/daemon? [connect to rpc server via proxy | connect to other peers via proxy]
Title: Re: A few basic questions regarding the new web wallet
Post by: bytemaster on June 11, 2015, 09:00:23 pm
It is a "brain wallet", private keys are never stored on the server, but kept encrypted in local browser storage and a backup of the key can be made on paper.

2FA will not be there on day one... but is planned

A malicious server could patch the javascript to steal the private key if and only if the user unlocks their wallet for spending; however, we plan to offer a plugin that does not fetch code from the server which will prevent this from happening.

If the server is compromised (read only) then everyone is safe. 
If the server is compromised and can submit alternative javascript then active users are vulnerable unless they use a plugin.

Backend is pure websockets/http proxy is separate. 
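
Added example (not part of bytemaster's post and not BitShares wallet code): a sketch of keeping a private key encrypted at rest in client-side storage, as the reply describes. The scrypt and AES-256-GCM choices, the `localStore` map standing in for browser storage, and all function names are assumptions made for illustration.

```javascript
// Added illustration: password-encrypted key kept only in client storage.
const crypto = require('crypto');

// Stand-in for window.localStorage (assumption, so the sketch runs under Node).
const localStore = new Map();

// Derive a 256-bit key from the wallet password with scrypt.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the private key; persist only salt, IV, auth tag and ciphertext.
function lockWallet(name, privateKeyHex, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(Buffer.from(privateKeyHex, 'hex')), cipher.final()]);
  const record = { salt, iv, tag: cipher.getAuthTag(), ct };
  localStore.set(name, JSON.stringify(Object.fromEntries(
    Object.entries(record).map(([k, v]) => [k, v.toString('base64')]))));
}

// Decrypt in memory only; returns null on a wrong password or a modified record.
function unlockWallet(name, password) {
  const raw = localStore.get(name);
  if (!raw) return null;
  const r = Object.fromEntries(
    Object.entries(JSON.parse(raw)).map(([k, v]) => [k, Buffer.from(v, 'base64')]));
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, r.salt), r.iv);
  decipher.setAuthTag(r.tag);
  try {
    return Buffer.concat([decipher.update(r.ct), decipher.final()]).toString('hex');
  } catch (e) {
    return null; // GCM authentication failed
  }
}

// Constructed sample key (random bytes, not a real account key).
const SAMPLE_KEY = crypto.randomBytes(32).toString('hex');
const SAMPLE_PASSWORD = 'correct horse battery staple';
lockWallet('demo', SAMPLE_KEY, SAMPLE_PASSWORD);
```

The stored record is useless without the password, which matches the read-only compromise case; the plaintext key exists only in the value returned by `unlockWallet`, which is the moment at which whatever script the page is running can read it.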
Title: Re: A few basic questions regarding the new web wallet
Post by: karnal on June 11, 2015, 10:14:52 pm
Wonderful. With browser extensions and (client) proper security it should then not be any more dangerous to use a remote server as the wallet vs local.

I must say I'm impressed, you guys are covering a lot of angles here. Good stuff man, good stuff.

Title: Re: A few basic questions regarding the new web wallet
Post by: arhag on June 11, 2015, 10:41:12 pm
> If the server is compromised and can submit alternative javascript then active users are vulnerable unless they use a plugin.

> Wonderful. With browser extensions and (client) proper security it should then not be any more dangerous to use a remote server as the wallet vs local.

I feel like it is worth mentioning that if the server is compromised (not just read-only) and even if the user is using a plugin rather than a hosted wallet, it is still less secure than accessing a local node. Sure, the private keys aren't in danger, and with this addition (https://github.com/cryptonomex/graphene/issues/39) the client won't even fall for the trick of replacing the ID of the legitimate recipient's account name with the attacker's ID, but the attacker could still pull off other attacks. For example, the attacker could do a double-spend attack: make it appear as if the user received money when they really didn't and before the user realizes they're under attack, they may have already given away the good or, more realistically, sent the irreversible digital tokens (e.g. ACCT between BTC and BitAssets) to the attacker. The attacker could also falsify the order book, potentially scaring the user into placing a stupid bid that ends up being to the attacker's advantage (however this would be a less likely and probably less profitable attack). Also, if the user creates a brand new account and sends funds to it all while the host is compromised, they are very vulnerable to losing all of those sent funds to the attacker. And finally, who knows what other attacks become possible with a compromised host when new smart contracts are added that the user can interact with.
Title: Re: A few basic questions regarding the new web wallet
Post by: mike623317 on June 20, 2015, 02:30:02 am
> It is a "brain wallet", private keys are never stored on the server, but kept encrypted in local browser storage and a backup of the key can be made on paper.

So to someone who is not technical, what will be the safest way to access your web wallet - have a dedicated browser used for the purpose? Maybe have a browser on a USB for the purpose?

I heard BM talk about a wrapper, but that has a whole different meaning to me than I think he was referring to ;D
Title: Re: A few basic questions regarding the new web wallet
Post by: fav on June 20, 2015, 06:18:03 am
> > It is a "brain wallet", private keys are never stored on the server, but kept encrypted in local browser storage and a backup of the key can be made on paper.
>
> So to someone who is not technical, what will be the safest way to access your web wallet - have a dedicated browser used for the purpose? Maybe have a browser on a USB for the purpose?
>
> I heard BM talk about a wrapper, but that has a whole different meaning to me than I think he was referring to ;D

I'd just use incognito mode
Title: Re: A few basic questions regarding the new web wallet
Post by: VoR0220 on July 06, 2015, 12:02:55 pm
I actually had a few questions about this as well... how much trust are we going to have to put into the server? Is there the possibility of reconfiguring the web wallet features to a different server?
Title: Re: A few basic questions regarding the new web wallet
Post by: VoR0220 on July 06, 2015, 12:23:26 pm
I'm also wondering if it's at all possible for an SPV-like function in the future?
Title: Re: A few basic questions regarding the new web wallet
Post by: bytemaster on July 06, 2015, 01:28:02 pm
> I'm also wondering if it's at all possible for an SPV-like function in the future?

Yes
Title: Re: A few basic questions regarding the new web wallet
Post by: VoR0220 on July 06, 2015, 01:36:02 pm
> > I'm also wondering if it's at all possible for an SPV-like function in the future?
>
> Yes

This is not the web wallet, correct? If so, when do you think this will be available to us?
Title: Re: A few basic questions regarding the new web wallet
Post by: wmbutler on October 11, 2015, 01:02:41 pm
Will accounts registered at wallet.bitshares.org be converted to 2.0 automatically?
Title: Re: A few basic questions regarding the new web wallet
Post by: boombastic on October 11, 2015, 01:06:37 pm
Not automatically. You need to back up your brainkey and import that into graphehe.bitshares.org.
Title: Re: A few basic questions regarding the new web wallet
Post by: bitacer on October 13, 2015, 07:29:18 am
Once we start using the graphene web wallet, is there any way to create a backup? I have been trying it with no success. Safari browser launches another browser tab, but there is no file. Anyone know anything about that?
Title: Re: A few basic questions regarding the new web wallet
Post by: fav on October 13, 2015, 08:56:09 am
> Once we start using the graphene web wallet, is there any way to create a backup? I have been trying it with no success. Safari browser launches another browser tab, but there is no file. Anyone know anything about that?

Can back up in Chrome without any issues