iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

Security Model or Audit #560

Open SenorFusion opened 2 years ago

SenorFusion commented 2 years ago

First I want to be clear that this is a proposal and request and is in no way a complaint or accusation.

Broadly speaking, throughout recent crypto history several* "easy wallet generator" sites have followed a similar pattern:

  1. Quality web-based wallet tool is released by trustworthy community member. Published on github.
  2. Tool is recommended widely and constantly across the crypto world - reddit, telegram, discord, blogs, twitter, etc.
  3. Many many many people use the tool and trust it for years
  4. The tool gets compromised and no one knows and people keep recommending it
  5. Many people get their funds stolen

*see: WalletGenerator (dot) net and BitcoinPaperWallet (dot) com (Please no one use those, they will both steal your coins.)

These tools all have several things in common:

  - Widely used
  - Widely trusted
  - Often recommended
  - Browser based
  - Encouraged to use offline
  - No way to verify that it is still trustworthy
  - Users still got their funds stolen

Yes - I know the bip39 tool here is better than those wallet generator sites. That is not the point. Yes - I know you can use bip39 tool offline. That is not the point. That does not solve this issue.

Taking the WalletGenerator (dot) net example: Even if you had used it offline during the time it got compromised you still would have lost all of your funds.

It is exactly the same case with this tool.

Regular users have no way of verifying that the tool remains uncompromised, even if you use it offline.

I don't have a proposed solution to this problem, but I wanted to start the conversation because I see this bip39 tool recommended everywhere and all the time nowadays and it will be a target more and more often.

petjal commented 2 years ago

Fwiw, I use Chromebook guest mode, and check hashes here https://www.virustotal.com/gui/file/8b8e3c1be03501f57e395781de8a59fd553808e1eb1278710bd7b96dacb6d0f6/details

petjal commented 2 years ago

Maybe we can submit bad links to virustotal and add community ratings and comments

SenorFusion commented 2 years ago

@petjal That is one step that at least checks that it hasn't been compromised by some obvious known malware.

However, I don't think that really covers enough ground. The tool could still be compromised in hundreds of different ways and not show up on a malware scan.

petjal commented 2 years ago

Yeah, I wasn't using it really for the malware scan, just the hash confirmation

petjal commented 2 years ago

Any chance you can point to a section of the "view source" to show the problem with fake sites such as those? What is their mechanism? Do they send the private key off to an external URL? Bad/fake random number generation?
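One way to look for the first mechanism asked about above (data leaving for an external URL) in a saved single-file HTML tool, alongside the hash comparison mentioned earlier in the thread. This is an added example, not part of the original thread and not code from the bip39 project; `Auditor`, `audit`, the sample pages and `PINNED` are hypothetical names and constructed data.

```python
import hashlib
import re
from html.parser import HTMLParser

# Attributes that make the browser load from, or submit to, a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster"}
REMOTE = re.compile(r"\s*(https?:)?//", re.I)
# Network-capable JavaScript APIs an offline, single-file tool should not need.
NET_APIS = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|sendBeacon|EventSource)\b")

class Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        line = self.getpos()[0]
        for name, value in attrs:
            value = value or ""
            # <a href> is only followed on a click, so it is not reported.
            if name in URL_ATTRS and tag != "a" and REMOTE.match(value):
                self.findings.append((line, f"<{tag} {name}> references {value.strip()}"))
            elif name.startswith("on"):  # inline event handler code
                self._scan(line, value)

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self._scan(self.getpos()[0], data)

    def _scan(self, first_line, code):
        for offset, text in enumerate(code.splitlines()):
            for m in NET_APIS.finditer(text):
                self.findings.append((first_line + offset, f"script uses {m.group(1)}"))

def audit(page: bytes, expected_sha256: str):
    """Return (hash_matches, findings) for one saved HTML file."""
    auditor = Auditor()
    auditor.feed(page.decode("utf-8", errors="replace"))
    auditor.close()
    matches = hashlib.sha256(page).hexdigest() == expected_sha256.lower()
    return matches, auditor.findings

# Constructed sample pages (not taken from any real site).
CLEAN = b"<html><body><script>\nvar words = [];\n</script></body></html>"
TAMPERED = CLEAN.replace(b"var words = [];", b'fetch("https://example.invalid/x");')
PINNED = hashlib.sha256(CLEAN).hexdigest()  # stands in for a hash recorded earlier
```

A hit is a prompt to read that line, not proof of compromise, since bundled libraries may mention these APIs. An empty result does not show the file is safe either, because obfuscated code can assemble these names at run time.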

Zwilla commented 2 years ago

Love this tool since it started. I use it only on an air-gapped computer, verifying every single line and new lines. I've been a dev since 1988 and I know what happens with it; the common people don't understand how it works, they have to trust blindly!

I worked years ago on the ethwallet project and I didn't like how it worked, so I built in some features which don't allow using the wallet generation while online or with other apps running in the background; I allowed only trusted system apps while running. This works for me, in the hope that the users of my fork didn't cheat themselves.

I decided to run the ethwallet only on a completely air-gapped computer, and since then I use only the offline send function and broadcast via QR code. This is also a risk, because if you broadcast the QR code you don't know what it is sending, so I built another tool to read this QR code in again on the same machine. I use a cheap photo (no wifi, no network, no BT, no NFC).

I'm paranoid at this point, and paranoia is my first name, so we can audit, we can build in a Security Model or any security feature in future -> THE COMMON USER HAS TO TRUST <-

But what we are searching for is something I call trustless. This still doesn't exist and will not!

I understand the concern, but how can we best protect the user?

And by the way: I give 5cents on any Security Model or an Audit, I have to trust, but I'm unable to.

Sometimes, weeks after coding, when I review my work, I wonder about myself; sometimes I ask myself who wrote these genius, complicated lines, since it takes several hours to understand my own code (pro coders know what I mean). If I'm not on with a project instant, I don't trust myself. And by the way, I HATE NODE JS; this is the most dangerous framework ever. As a coder you HAVE TO TRUST any sh..t