NRS v1.11.0e

Author Topic: NRS v1.11.0e  (Read 22798 times)

cryptomommy

  • Jr. Member
  • **
  • Karma: +3/-0
  • Offline Offline
  • Posts: 26
    • View Profile
Re: NRS v1.11.0e
« Reply #40 on: November 07, 2016, 12:43:17 pm »

For mobile navigation the three bar button works however swiping the menu away stops working. Very minor.

Sent from my LGUS990 using Tapatalk

Logged
"Those who danced were thought to be quite insane by those who could not hear the music"

Nexxie

  • Full Member
  • ***
  • Karma: +6/-2
  • Offline Offline
  • Posts: 124
    • View Profile
Re: NRS v1.11.0e
« Reply #41 on: November 11, 2016, 06:11:39 pm »

Desktop application in MAC OS is non-functional. 

The browser application works fine though.

Hi

Where did you get a working browser application?

Thanks
Logged

Seccour

  • Sr. Member
  • ****
  • Karma: +68/-15
  • Offline Offline
  • Posts: 380
    • View Profile
Re: NRS v1.11.0e
« Reply #42 on: November 11, 2016, 08:17:52 pm »

The concern is of course someone getting access (physical or otherwise) to one's device and reading the browser's local storage, which is trivial to do. It's the same as storing it in a clear text file, but after logging in once the user might not even be aware his passphrase is lying around unencrypted on disk... I hope this isn't going to cause any problems.

Perhaps a better way is to save the passphrase only for the session and keep only the account ID permanently. Downside is of course you always have to supply the pass for forging.

Is it really trivial to read the device browser local storage?
At least the data saved in disk and memory should be encrypted in most modern browsers.
You'll have to take control over the webview component and development tools while connected to the NXT client in order to steal the passphrase.
Can you do that without root access to the device?

The alternative is that users constantly copy/paste or QR scan the passphrase which opens the door for copy/paste or camera hacking which is not less dangerous.
Still, I don't recommend storing the passphrase of a high balance account on the device.

Browsers don't encrypt local storage by default. What would they encrypt it with, unless the user has some sort of master password? An attacker only needs file system access.

I tried to find where it is stored on disk - Chromium on Ubuntu stores it in the folder ~/.config/chromium/Default/Local Storage, where for each website there is an unencrypted SQLite DB. Retrieving it is as simple as opening it with an SQLite browser: http://i.imgur.com/wIHjzhI.png
For other browsers/OS it will be similar.

This appears a great risk, as these files may lie around indefinitely without the user knowing it (and closing tabs is probably more common than logging out).

I agree, the local storage data is not encrypted just obfuscated, still you need to hack into the workstation or device itself to get to it.
The original plan was to save the passphrase in the local storage only for accounts with a balance of less than 10K NXT, and we can also make this limit configurable.
But this does not take into account asset value and other holdings. I guess it's better than nothing.

Another way could be to clear the pass from storage on window close event, unless the user has set something like "keep passphrase in local storage" on the settings page, which by default is false. If the user comes back and the passphrase was cleared, log him in with account ID only.

Agree with that. And you should inform the user that the passphrase is stored unencrypted (and possibly accessible by an attacker) on the computer if he selects to keep it in local storage.
Logged
SecFund : 9125535795764729261 (Asset ID)
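
The storage policy proposed in the reply above (passphrase kept only for the session, account ID kept permanently, a "keep passphrase in local storage" setting that defaults to false), as an added example that is not part of the thread and is not Nxt's own code. The key names, function names and the `MemoryStorage` stand-in are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical. MemoryStorage is a constructed
// stand-in for the browser Storage interface so the sketch also runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const KEEP_SETTING = "keepPassphraseInLocalStorage"; // assumed setting key
const ACCOUNT_KEY = "accountId";
const PASS_KEY = "passphrase";

// Opt-in only: an unset or malformed value counts as "false".
function keepEnabled(local) {
  return local.getItem(KEEP_SETTING) === "true";
}

// Login: the account ID is always persisted; the passphrase reaches the
// disk-backed store only on opt-in, otherwise it stays in session storage.
function saveLogin(local, session, accountId, passphrase) {
  local.setItem(ACCOUNT_KEY, accountId);
  const target = keepEnabled(local) ? local : session;
  const other = target === local ? session : local;
  target.setItem(PASS_KEY, passphrase);
  other.removeItem(PASS_KEY); // no stale copy in the other store
}

// Window close handler: drop the passphrase unless the user opted in.
function onWindowClose(local, session) {
  session.removeItem(PASS_KEY);
  if (!keepEnabled(local)) local.removeItem(PASS_KEY);
}

// Startup: a close handler does not run after a crash or kill, so purge any
// leftover passphrase first, then fall back to account-ID-only login.
function restoreLogin(local, session) {
  if (!keepEnabled(local)) local.removeItem(PASS_KEY);
  const accountId = local.getItem(ACCOUNT_KEY);
  if (accountId === null) return { mode: "none" };
  const passphrase = session.getItem(PASS_KEY) ?? local.getItem(PASS_KEY);
  return passphrase === null
    ? { mode: "accountOnly", accountId }
    : { mode: "full", accountId, passphrase };
}
```

In a page, pass `window.localStorage` and `window.sessionStorage` in place of the stand-ins and call `onWindowClose` from a `pagehide` or `beforeunload` listener.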

VanBreuk

  • Hero Member
  • *****
  • Karma: +362/-19
  • Offline Offline
  • Posts: 2772
    • View Profile
Re: NRS v1.11.0e
« Reply #43 on: November 12, 2016, 03:31:42 am »

Desktop application in MAC OS is non-functional. 

The browser application works fine though.

Hi

Where did you get a working browser application?

Thanks

The zip package in every release (the "Download for Linux" link at https://nxt.org/download ) works as multi-platform release. Instead of running the desktop application you run the Nxt server in a terminal window, and access the wallet using your web browser, locally.

I don't use a mac, but as far as I know if you have Java 8 installed you need to grab the zip, uncompress, and open a terminal window inside of that folder. Then execute the server with run.sh, and once you see a message saying that the Nxt Server has been started successfully just open a web browser to http://localhost:7876
Logged
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

Riker

  • Core Dev
  • Hero Member
  • *****
  • Karma: +439/-42
  • Offline Offline
  • Posts: 1796
    • View Profile
Re: NRS v1.11.0e
« Reply #44 on: November 12, 2016, 10:26:32 am »

You need to refresh the desktop application from the system tray once. Fixed for the next release.
Logged
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

Riker

  • Core Dev
  • Hero Member
  • *****
  • Karma: +439/-42
  • Offline Offline
  • Posts: 1796
    • View Profile
Re: NRS v1.11.0e
« Reply #45 on: November 12, 2016, 10:28:46 am »

In the next release we only store the passphrase on the device for the mobile. There is a setting which controls this, turned off by default for the desktop wallet and web wallet.
Logged
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

box1413

  • Hero Member
  • *****
  • Karma: +101/-4
  • Offline Offline
  • Posts: 687
    • View Profile
Re: NRS v1.11.0e
« Reply #46 on: November 23, 2016, 04:45:05 pm »

Someone can answer this in detail if possible. Add in wallet images of the app to increase exposure. http://bitcoin.stackexchange.com/questions/38768/which-altcoins-have-their-own-mobile-friendly-wallet-created-by-the-core-devs
Logged