Author Topic: The BitShares Hosted Web Wallet is ready...  (Read 64479 times)


Offline merivercap

I've tried to log in to the web wallet with what I remembered as the password, but it's not working.

Is there any recovery mechanism as I continue to try?
BitCash - http://www.bitcash.org 
Beta: bitCash Wallet / p2p Gateway: (https://m.bitcash.org)
Beta: bitCash Trade (https://trade.bitcash.org)

Offline jamesc

Hmmmm....I haven't read the rest of the thread. How do I link my current account into the web wallet?
You can't because those might be TITAN keys and they weren't deterministic keys we created from the brain key.
Hmm ... IIRC this is not completely correct ... the bitshares client also uses deterministic keys .. also has a master key .. but that one is chosen randomly .. and was not generated from a brain key ..

Yes, thanks for clarifying...  I'm going for light-wallet compatibility and a version release scheme to test it right now.

BTW: The brain key in the bitshares client is used to create the master key.  I managed to get it very close to working the same way on the web; however, I consulted with the team and the way to do it is to have light wallet brain-seed compatibility.  So, I'm going for light-wallet compatibility.  I just need a version release scheme so you can help me test it  :) without messing with production.

Offline kenCode

What are the thoughts/recommendations/advice when using the web wallet on a mobile device?
I have looked at this... We have a long way to go; it did not do well on my phone.  I hope to get some help on layout fixes and I'll optimize it to make it perform.  I'm only thinking about security right now.

Security security security, exactly. Thank you @jcalfee1 :)
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline cnfund

I am BitShares Old Huang.

Offline jamesc

Can I only access the web wallet from my computer and only on the browser I used to create the wallet?  Can I access it from another location or another computer?  What does the brain key do?

If you load the brain key onto another computer's browser, it can regenerate your keys allowing you to spend from that machine.

How exactly do I regenerate my keys... Can I do it on the same computer but with a different browser?
Yes... Also, a different password should work, but to be sure you should use your browser's incognito mode or a different browser.

Offline xiahui135

I cannot use it. It crashed with Chrome.

Offline vlight

I cannot load the registered account when using the Dolphin browser on Android OS, and I get the error:

"Cannot read property 'private_data' of null".

The wallet itself is loaded and I am able to log in, but the registered account is not listed.
Never mind, I have used Opera instead.

And that feeling when you can send USD or Gold directly from your brain .. it's amazing.. even if it's just a very small amount, lol   :)
« Last Edit: February 27, 2015, 11:15:01 pm by vlight »

Offline hpenvy2


+5%
Change the name to Exchange instead of Wallet.
Integrate a bitcoin and altcoins gateway.
Then let's promote it to the crypto world as a web decentralized exchange, instead of just a web wallet.
Just my +5%

+5% +5%
Hear, hear.

Offline cube

If someone hacked the web server all they could really do is turn it off.

Nope. And here is why.

If an attacker wants to steal the funds of everyone using the local client, they need to hack into each of their personal computers. If the attacker wants to steal the funds of everyone using the web wallet, they need only hack into the web wallet server. They then replace the javascript served with one that extracts the locally stored brain keys and sends them to the attacker's server. Everyone that opens and unlocks the web wallet next time will have their funds stolen (it makes more sense to wait until the attacker has a critical mass of brain keys before stealing a single satoshi, so as not to tip them off about the compromise).

Does multisig and 2FA solve anything? No, because the multisig is provided by the web wallet server and if that is compromised then the multisig is also compromised and useless.

It gets worse. It doesn't even require compromising the server, although the following attack is on the local scale rather than the global scale like the previous one. If the attacker can get between the victim and his internet connection, the attacker can use SSLstrip to feed their malicious javascript with a high probability of the victim not noticing that anything is wrong. Most people will not notice if the green lock icon is missing before typing their wallet passphrase. Another approach is to provide an HTTPS protected site (green lock icon included) but to a domain that looks like but is not actually wallet.bitshares.org (e.g. wallet.bltshares.org).

Edit: I just realized the SSLstrip hack would not allow the attacker to steal the brain key. If a homograph attack is used, the site will not have access to the wallet.bitshares.org local storage. If the HTTPS is stripped, I believe the HTTP version of the site should also not be allowed to access the local storage that was set up under HTTPS. So the worst an attacker can do if they use the SSLstrip hack is to steal your wallet passphrase, but not the encrypted master key or the brain key. Now if they were able to obtain the encrypted master key through other means (for example, use the SSLstrip attack to get your Dropbox/Google password and then use that to get your backed up encrypted JSON wallet, assuming you actually stored it in a cloud service), then they could use that along with the captured passphrase to get access to the funds. But as you can see, this attack is less of a threat. Also, keep in mind that the original attack where the wallet.bitshares.org server is hacked is still valid, and that is the more dangerous attack (and the more worthwhile attack for the attacker) anyway.

Thanks for raising awareness of the security issues concerning a web wallet.

There is an article showing 'how easy it is to hack the brain wallet passwords' -

http://www.reddit.com/r/Bitcoin/comments/1zti1p/17956_hacked_brainwallet_passwords/

Where money is concerned, it is important to address these security issues before every user starts placing their coins, and the responsibility of safeguarding them, onto the hosting site.  Could the devs share with us how they could minimise these security risks?
« Last Edit: February 27, 2015, 08:52:22 am by cube »
ID: bitcube
bitcube is a dedicated witness and committee member. Please vote for bitcube.
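The quoted analysis rests on browser storage being scoped to the web origin (scheme, host and port), which is why a look-alike domain such as wallet.bltshares.org, or an SSL-stripped http:// copy of the page, cannot read what the real https://wallet.bitshares.org page stored. The following is an added example, not the wallet's code; `unlockAllowed` is an assumed defensive gate that illustrates the check a wallet page could make before decrypting anything, and it does nothing against the first attack in the post (a compromised server serving the script itself).

```javascript
// Added example, not the BitShares web wallet's code. localStorage is
// scoped to the web origin (scheme, host, port); path, query and
// fragment do not matter. unlockAllowed() is an assumed defensive gate.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Canonical origin string for a URL, with default ports made explicit
// so "https://host/" and "https://host:443/" compare equal.
function storageOrigin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True only if pages at both URLs would see the same localStorage.
// http:// vs https:// on the same host are different origins, so an
// SSL-stripped copy of the page cannot read the HTTPS page's data.
function sharesLocalStorage(urlA, urlB) {
  return storageOrigin(urlA) === storageOrigin(urlB);
}

// Gate a wallet page could run before decrypting the master key:
// refuse if not served over HTTPS or not from the expected origin.
// This covers the SSLstrip and look-alike-domain cases in the post,
// but cannot help once the server itself serves malicious script.
function unlockAllowed(currentUrl, expectedUrl) {
  const u = new URL(currentUrl);
  if (u.protocol !== "https:") return { ok: false, reason: "not-https" };
  if (!sharesLocalStorage(currentUrl, expectedUrl)) {
    return { ok: false, reason: "unexpected-origin" };
  }
  return { ok: true, reason: "" };
}
```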
