How do I know my password or backup information is not being shared when creating a new wallet?
Several services offer to create a new tezos wallet/account/key (tz1...). For example, consider Galleon Wallet. By entering a password, it produces a new wallet:
You then need to choose a set of 12 words, which are used to make a backup and to recover access to the account in case it is needed. My question is, how do I know the private information above is not being shared with anyone? I imagine this can somehow be seen in the source code of the program. But some are not open source. For instance, kukai is a web service that creates wallets. How can we know such creation of wallets is secure? Surely there must be some sort of "official" communication between these services and the blockchain. Is there some protocol that ensures such security, or is that a layer altogether detached from the interaction of these wallet creation services with the blockchain?
security wallets
asked Feb 21 at 9:43
luchonacholuchonacho
29318
add a comment |
Several services offer to create a new tezos wallet/account/key (tz1...). For example, consider Galleon Wallet. By entering a password, it produces a new wallet:
You then need to choose a set of 12 words, which are used to make a backup and to recover access to the account in case it is needed. My question is, how do I know the private information above is not being shared with anyone? I imagine this can somehow be seen in the source code of the program. But some are not open source. For instance, kukai is a web service that creates wallets. How can we know such creation of wallets is secure? Surely there must be some sort of "official" communication between these services and the blockchain. Is there some protocol that ensures such security, or is that a layer altogether detached from the interaction of these wallet creation services with the blockchain?
security wallets
asked Feb 21 at 9:43
luchonacholuchonacho
29318
add a comment |
Several services offer to create a new tezos wallet/account/key (tz1...). For example, consider Galleon Wallet. By entering a password, it produces a new wallet:
You then need to choose a set of 12 words, which are used to make a backup and to recover access to the account in case it is needed. My question is, how do I know the private information above is not being shared with anyone? I imagine this can somehow be seen in the source code of the program. But some are not open source. For instance, kukai is a web service that creates wallets. How can we know such creation of wallets is secure? Surely there must be some sort of "official" communication between these services and the blockchain. Is there some protocol that ensures such security, or is that a layer altogether detached from the interaction of these wallet creation services with the blockchain?
security wallets
asked Feb 21 at 9:43
luchonacholuchonacho
29318
Several services offer to create a new tezos wallet/account/key (tz1...). For example, consider Galleon Wallet. By entering a password, it produces a new wallet:
You then need to choose a set of 12 words, which are used to make a backup and to recover access to the account in case it is needed. My question is, how do I know the private information above is not being shared with anyone? I imagine this can somehow be seen in the source code of the program. But some are not open source. For instance, kukai is a web service that creates wallets. How can we know such creation of wallets is secure? Surely there must be some sort of "official" communication between these services and the blockchain. Is there some protocol that ensures such security, or is that a layer altogether detached from the interaction of these wallet creation services with the blockchain?
security wallets
security wallets
asked Feb 21 at 9:43
luchonacholuchonacho
29318
asked Feb 21 at 9:43
luchonacholuchonacho
29318
asked Feb 21 at 9:43
luchonacholuchonacho
29318
asked Feb 21 at 9:43
luchonacholuchonacho
29318
asked Feb 21 at 9:43
luchonacholuchonacho
29318
29318
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
If the key is generated on their server, you have no way to know.
If the key is generated locally in your browser, you may try to monitor the network to see what the wallet sends to the server. However, it might still find other ways to get the key, for example by waiting a random time before sending it, by encrypting the communication, or just by limiting the randomness when generating the key, so that it can guess it later.
I think the only reliable way is to use an external device, such as a Ledger or Trezor, it will generate the key and key it inside the device, so that the wallet will never access the key, only use the device to sign operations.
answered Feb 21 at 10:04
lefessanlefessan
2,257322
add a comment |
Any wallet software you choose to run comes with risks you should be fully aware of in order to properly protect yourself.
Whether its a web, desktop, or mobile app you are running code that someone else wrote and the best way to reduce the risk is to make sure you are using software that is open source and has been verified by the community as coming from a reputable developer.
Next you need to take steps to ensure that the code you are running actually comes from the developer and that you haven't mistakenly downloaded it from elsewhere. This primarily means avoiding phishing links by double checking the URLs and preferably making bookmarks to known good sites.
Keeping your computer free of malware. It doesn't matter what software you are running if your system is infected.
Finally, the best way to protect yourself is to use a hardware wallet device. This way the keys never leave the hardware device, which is especially important if you aren't certain that your computer isn't infected with malware. As long as you are careful to double check all input validation at each step the hardware wallet will keep you protected.
answered Feb 21 at 10:02
cousinitcousinit
681112
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
|
show 1 more comment
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "698"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2ftezos.stackexchange.com%2fquestions%2f529%2fhow-do-i-know-my-password-or-backup-information-is-not-being-shared-when-creatin%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
If the key is generated on their server, you have no way to know.
If the key is generated locally in your browser, you may try to monitor the network to see what the wallet sends to the server. However, it might still find other ways to get the key, for example by waiting a random time before sending it, by encrypting the communication, or just by limiting the randomness when generating the key, so that it can guess it later.
I think the only reliable way is to use an external device, such as a Ledger or Trezor, it will generate the key and key it inside the device, so that the wallet will never access the key, only use the device to sign operations.
answered Feb 21 at 10:04
lefessanlefessan
2,257322
add a comment |
If the key is generated on their server, you have no way to know.
If the key is generated locally in your browser, you may try to monitor the network to see what the wallet sends to the server. However, it might still find other ways to get the key, for example by waiting a random time before sending it, by encrypting the communication, or just by limiting the randomness when generating the key, so that it can guess it later.
I think the only reliable way is to use an external device, such as a Ledger or Trezor, it will generate the key and key it inside the device, so that the wallet will never access the key, only use the device to sign operations.
answered Feb 21 at 10:04
lefessanlefessan
2,257322
add a comment |
If the key is generated on their server, you have no way to know.
If the key is generated locally in your browser, you may try to monitor the network to see what the wallet sends to the server. However, it might still find other ways to get the key, for example by waiting a random time before sending it, by encrypting the communication, or just by limiting the randomness when generating the key, so that it can guess it later.
I think the only reliable way is to use an external device, such as a Ledger or Trezor, it will generate the key and key it inside the device, so that the wallet will never access the key, only use the device to sign operations.
answered Feb 21 at 10:04
lefessanlefessan
2,257322
If the key is generated on their server, you have no way to know.
If the key is generated locally in your browser, you may try to monitor the network to see what the wallet sends to the server. However, it might still find other ways to get the key, for example by waiting a random time before sending it, by encrypting the communication, or just by limiting the randomness when generating the key, so that it can guess it later.
I think the only reliable way is to use an external device, such as a Ledger or Trezor, it will generate the key and key it inside the device, so that the wallet will never access the key, only use the device to sign operations.
answered Feb 21 at 10:04
lefessanlefessan
2,257322
answered Feb 21 at 10:04
lefessanlefessan
2,257322
answered Feb 21 at 10:04
lefessanlefessan
2,257322
answered Feb 21 at 10:04
lefessanlefessan
2,257322
2,257322
add a comment |
add a comment |
Any wallet software you choose to run comes with risks you should be fully aware of in order to properly protect yourself.
Whether its a web, desktop, or mobile app you are running code that someone else wrote and the best way to reduce the risk is to make sure you are using software that is open source and has been verified by the community as coming from a reputable developer.
Next you need to take steps to ensure that the code you are running actually comes from the developer and that you haven't mistakenly downloaded it from elsewhere. This primarily means avoiding phishing links by double checking the URLs and preferably making bookmarks to known good sites.
Keeping your computer free of malware. It doesn't matter what software you are running if your system is infected.
Finally, the best way to protect yourself is to use a hardware wallet device. This way the keys never leave the hardware device, which is especially important if you aren't certain that your computer isn't infected with malware. As long as you are careful to double check all input validation at each step the hardware wallet will keep you protected.
answered Feb 21 at 10:02
cousinitcousinit
681112
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
|
show 1 more comment
Any wallet software you choose to run comes with risks you should be fully aware of in order to properly protect yourself.
Whether its a web, desktop, or mobile app you are running code that someone else wrote and the best way to reduce the risk is to make sure you are using software that is open source and has been verified by the community as coming from a reputable developer.
Next you need to take steps to ensure that the code you are running actually comes from the developer and that you haven't mistakenly downloaded it from elsewhere. This primarily means avoiding phishing links by double checking the URLs and preferably making bookmarks to known good sites.
Keeping your computer free of malware. It doesn't matter what software you are running if your system is infected.
Finally, the best way to protect yourself is to use a hardware wallet device. This way the keys never leave the hardware device, which is especially important if you aren't certain that your computer isn't infected with malware. As long as you are careful to double check all input validation at each step the hardware wallet will keep you protected.
answered Feb 21 at 10:02
cousinitcousinit
681112
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
|
show 1 more comment
Any wallet software you choose to run comes with risks you should be fully aware of in order to properly protect yourself.
Whether its a web, desktop, or mobile app you are running code that someone else wrote and the best way to reduce the risk is to make sure you are using software that is open source and has been verified by the community as coming from a reputable developer.
Next you need to take steps to ensure that the code you are running actually comes from the developer and that you haven't mistakenly downloaded it from elsewhere. This primarily means avoiding phishing links by double checking the URLs and preferably making bookmarks to known good sites.
Keeping your computer free of malware. It doesn't matter what software you are running if your system is infected.
Finally, the best way to protect yourself is to use a hardware wallet device. This way the keys never leave the hardware device, which is especially important if you aren't certain that your computer isn't infected with malware. As long as you are careful to double check all input validation at each step the hardware wallet will keep you protected.
answered Feb 21 at 10:02
cousinitcousinit
681112
Any wallet software you choose to run comes with risks you should be fully aware of in order to properly protect yourself.
Whether its a web, desktop, or mobile app you are running code that someone else wrote and the best way to reduce the risk is to make sure you are using software that is open source and has been verified by the community as coming from a reputable developer.
Next you need to take steps to ensure that the code you are running actually comes from the developer and that you haven't mistakenly downloaded it from elsewhere. This primarily means avoiding phishing links by double checking the URLs and preferably making bookmarks to known good sites.
Keeping your computer free of malware. It doesn't matter what software you are running if your system is infected.
Finally, the best way to protect yourself is to use a hardware wallet device. This way the keys never leave the hardware device, which is especially important if you aren't certain that your computer isn't infected with malware. As long as you are careful to double check all input validation at each step the hardware wallet will keep you protected.
answered Feb 21 at 10:02
cousinitcousinit
681112
answered Feb 21 at 10:02
cousinitcousinit
681112
answered Feb 21 at 10:02
cousinitcousinit
681112
answered Feb 21 at 10:02
cousinitcousinit
681112
681112
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
|
show 1 more comment
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?
– luchonacho
Feb 21 at 10:32
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not been endorser or suggested by the official blockchain foundation.
– luchonacho
Feb 21 at 10:33
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.
– cousinit
Feb 21 at 10:35
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
Actually, Galleon does not publish the source code!
– luchonacho
Feb 21 at 10:36
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.
– luchonacho
Feb 21 at 10:40
|
show 1 more comment
Thanks for contributing an answer to Tezos Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2ftezos.stackexchange.com%2fquestions%2f529%2fhow-do-i-know-my-password-or-backup-information-is-not-being-shared-when-creatin%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
