How do I know my password or backup information is not being shared when creating a new wallet?












6















Several services offer to create a new Tezos wallet/account/key (tz1...). For example, consider Galleon Wallet. By entering a password, it produces a new wallet:



[image]



You then need to choose a set of 12 words, which are used to make a backup and to recover access to the account in case it is needed. My question is, how do I know the private information above is not being shared with anyone? I imagine this can somehow be seen in the source code of the program. But some are not open source. For instance, Kukai is a web service that creates wallets. How can we know such creation of wallets is secure? Surely there must be some sort of "official" communication between these services and the blockchain. Is there some protocol that ensures such security, or is that a layer altogether detached from the interaction of these wallet creation services with the blockchain?










      security wallets
















      asked Feb 21 at 9:43









      luchonacho






















          2 Answers
                5







                If the key is generated on their server, you have no way to know.



                If the key is generated locally in your browser, you may try to monitor the network to see what the wallet sends to the server. However, it might still find other ways to get the key, for example by waiting a random time before sending it, by encrypting the communication, or just by limiting the randomness when generating the key, so that it can guess it later.



                I think the only reliable way is to use an external device, such as a Ledger or Trezor; it will generate the key and keep it inside the device, so that the wallet will never access the key, only use the device to sign operations.
















                answered Feb 21 at 10:04









                lefessan
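The answer above notes that a wallet can limit the randomness of the key without sending anything over the network. The Python sketch below is an added example, not part of the original answer or of any wallet's code: it shows a black-box repeat audit that catches a crudely limited generator while a bit-balance check on the same output sees nothing wrong. The 128-bit seed size, the function names and the `make_limited_generator` stand-in are assumptions constructed for the illustration, and the audit assumes the generator can be called many times offline.

```python
import hashlib
import math
import secrets

SEED_BYTES = 16  # assumption: a 128-bit seed behind the backup words


def strong_seed() -> bytes:
    """Seed taken straight from the operating system CSPRNG."""
    return secrets.token_bytes(SEED_BYTES)


def make_limited_generator(space_bits: int):
    """Constructed stand-in for a generator with limited randomness.

    Only `space_bits` bits are really random; hashing stretches them to a
    full-size seed, so every output still looks like 128 random bits.
    """
    def limited_seed() -> bytes:
        small = secrets.randbelow(1 << space_bits)
        return hashlib.sha256(small.to_bytes(8, "big")).digest()[:SEED_BYTES]
    return limited_seed


def ones_fraction(generate, samples: int) -> float:
    """Share of 1 bits in the output: a check that does NOT reveal the limit."""
    ones = sum(bin(int.from_bytes(generate(), "big")).count("1")
               for _ in range(samples))
    return ones / (samples * SEED_BYTES * 8)


def repeat_audit(generate, samples: int) -> int:
    """Draw `samples` seeds offline and count how many were seen before."""
    seen = set()
    repeats = 0
    for _ in range(samples):
        seed = generate()
        if seed in seen:
            repeats += 1
        seen.add(seed)
    return repeats


def samples_needed(space_bits: int, miss_probability: float) -> int:
    """Birthday bound: draws needed so that a generator with 2**space_bits
    possible seeds shows no repeat with probability <= miss_probability."""
    space = 2 ** space_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / miss_probability)))


if __name__ == "__main__":
    n = 20_000
    for name, gen in (("os csprng", strong_seed),
                      ("limited to 20 bits", make_limited_generator(20))):
        print(f"{name:>20}: ones={ones_fraction(gen, 2_000):.4f} "
              f"repeats in {n} draws={repeat_audit(gen, n)}")
    for bits in (20, 40, 64):
        print(f"space 2^{bits}: need about {samples_needed(bits, 1e-4):,} draws")
```

A clean result only rules out small seed spaces: by the same bound, a space of 2^64 seeds would need on the order of 10^10 draws before a repeat is likely, so passing the audit does not show the generator is sound.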























                    4







                    Any wallet software you choose to run comes with risks you should be fully aware of in order to properly protect yourself.




                    1. Whether it's a web, desktop, or mobile app, you are running code that someone else wrote, and the best way to reduce the risk is to make sure you are using software that is open source and has been verified by the community as coming from a reputable developer.

                    2. Next, you need to take steps to ensure that the code you are running actually comes from the developer and that you haven't mistakenly downloaded it from elsewhere. This primarily means avoiding phishing links by double-checking the URLs and preferably making bookmarks to known good sites.

                    3. Keeping your computer free of malware. It doesn't matter what software you are running if your system is infected.

                    Finally, the best way to protect yourself is to use a hardware wallet device. This way the keys never leave the hardware device, which is especially important if you aren't certain that your computer isn't infected with malware. As long as you are careful to double-check all input validation at each step, the hardware wallet will keep you protected.
















                    answered Feb 21 at 10:02









                    cousinit













                    • Mmm, but if you already created a wallet using software, it might be too late. In that case, would it be better to create a new one from hardware and then transfer all funds to that wallet?

                      – luchonacho
                      Feb 21 at 10:32











                    • Overall, seems to be a deep flaw of software wallets. Honestly, no one should use them, and should probably not be endorsed or suggested by the official blockchain foundation.

                      – luchonacho
                      Feb 21 at 10:33











                    • Software wallets play a very important role in any crypto ecosystem, but people need to learn about the risks. If you are concerned about security and especially if you aren't confident about keeping your system safe from malware, the best recommendation is to get a hardware wallet device and transfer your important funds into it.

                      – cousinit
                      Feb 21 at 10:35













                    • Actually, Galleon does not publish the source code!

                      – luchonacho
                      Feb 21 at 10:36











                    • The credibility of a cryptocurrency depends heavily on the security of wallets, as that is what common users interact mostly with. It should be of primary concern for organisations like the Tezos Foundation to make sure existing wallets are as safe as possible, rather than merely listing some and stating "we don't endorse them". In practice, that's what they are doing. Not good.

                      – luchonacho
                      Feb 21 at 10:40


















