NRS v1.11.0e

Author Topic: NRS v1.11.0e  (Read 19605 times)

martismartis

Re: NRS v1.11.0e
« Reply #20 on: October 31, 2016, 08:50:04 am »

Maybe it's a GUI bug, but "assets value" in the main dashboard window shows "0".

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #21 on: October 31, 2016, 08:57:09 am »

The concern is of course someone getting access (physical or otherwise) to one's device and reading the browser's local storage, which is trivial to do. It's the same as storing it in a clear text file, but after logging in once the user might not even be aware his passphrase is lying around unencrypted on disk... I hope this isn't going to cause any problems.

Perhaps a better way is to save the passphrase only for the session and keep only the account ID permanently. Downside is of course you always have to supply the pass for forging.

Is it really trivial to read the device browser local storage?
At least the data saved in disk and memory should be encrypted in most modern browsers.
You'll have to take control over the webview component and development tools while connected to the NXT client in order to steal the passphrase.
Can you do that without root access to the device?

The alternative is that users constantly copy/paste or QR scan the passphrase which opens the door for copy/paste or camera hacking which is not less dangerous.
Still, I don't recommend storing the passphrase of a high balance account on the device.
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #22 on: October 31, 2016, 08:58:18 am »

One interesting use case for the mobile app is to use an old phone or tablet completely offline only for signing transactions. This way you never have to expose your passphrase to an online computer.
See https://nxtwiki.org/wiki/Offline_Transaction_Signing
If someone likes to try this and report their experience that would be great.

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #23 on: October 31, 2016, 09:00:01 am »

Maybe it's a GUI bug, but "assets value" in the main dashboard window shows "0".

Calculating the asset value for accounts with many assets was identified as a performance problem.
Therefore we now only do it once when you load the client and not every 30 seconds like it used to be.
Under which circumstances do you see the 0 balance?

lurker10

Re: NRS v1.11.0e
« Reply #24 on: October 31, 2016, 09:05:29 am »

One interesting use case for the mobile app is to use an old phone or tablet completely offline only for signing transactions. This way you never have to expose your passphrase to an online computer.
See https://nxtwiki.org/wiki/Offline_Transaction_Signing
If someone likes to try this and report their experience that would be great.

Thank you for this mobile client. What are the minimum OS (Android, iOS) requirements?
Run a node - win a prize! "Lucky node" project jar: NXT-8F28-EDVE-LPPX-HY4E7

martismartis

Re: NRS v1.11.0e
« Reply #25 on: October 31, 2016, 09:44:14 am »

Maybe it's a GUI bug, but "assets value" in the main dashboard window shows "0".

Calculating the asset value for accounts with many assets was identified as a performance problem.
Therefore we now only do it once when you load the client and not every 30 seconds like it used to be.
Under which circumstances do you see the 0 balance?

I always see the "0". Maybe the problem is that it is not updated every 30 seconds, just one time during logging in.

martismartis

Re: NRS v1.11.0e
« Reply #26 on: October 31, 2016, 09:45:21 am »

I see mobile client as the second account for main account control. With few NXT in it. It's like 2FA with mobile phone.

toenu

Re: NRS v1.11.0e
« Reply #27 on: October 31, 2016, 10:31:09 am »

The concern is of course someone getting access (physical or otherwise) to one's device and reading the browser's local storage, which is trivial to do. It's the same as storing it in a clear text file, but after logging in once the user might not even be aware his passphrase is lying around unencrypted on disk... I hope this isn't going to cause any problems.

Perhaps a better way is to save the passphrase only for the session and keep only the account ID permanently. Downside is of course you always have to supply the pass for forging.

Is it really trivial to read the device browser local storage?
At least the data saved in disk and memory should be encrypted in most modern browsers.
You'll have to take control over the webview component and development tools while connected to the NXT client in order to steal the passphrase.
Can you do that without root access to the device?

The alternative is that users constantly copy/paste or QR scan the passphrase which opens the door for copy/paste or camera hacking which is not less dangerous.
Still, I don't recommend storing the passphrase of a high balance account on the device.

Browsers don't encrypt local storage by default. What would they encrypt it with, unless the user has some sort of master password? An attacker only needs file system access.

I tried to find where it is stored on disk - Chromium on Ubuntu stores it in the folder ~/.config/chromium/Default/Local Storage, where for each website there is an unencrypted SQLite DB. Retrieving it is as simple as opening it with an SQLite browser: http://i.imgur.com/wIHjzhI.png
For other browsers/OS it will be similar.

This appears a great risk, as these files may lie around indefinitely without the user knowing it (and closing tabs is probably more common than logging out).

Riker

  • Core Dev
  • Hero Member
  • *****
  • Karma: +439/-42
  • Online Online
  • Posts: 1792
    • View Profile
Re: NRS v1.11.0e
« Reply #28 on: October 31, 2016, 11:16:02 am »

The concern is of course someone getting access (physical or otherwise) to one's device and reading the browser's local storage, which is trivial to do. It's the same as storing it in a clear text file, but after logging in once the user might not even be aware his passphrase is lying around unencrypted on disk... I hope this isn't going to cause any problems.

Perhaps a better way is to save the passphrase only for the session and keep only the account ID permanently. Downside is of course you always have to supply the pass for forging.

Is it really trivial to read the device browser local storage?
At least the data saved in disk and memory should be encrypted in most modern browsers.
You'll have to take control over the webview component and development tools while connected to the NXT client in order to steal the passphrase.
Can you do that without root access to the device?

The alternative is that users constantly copy/paste or QR scan the passphrase which opens the door for copy/paste or camera hacking which is not less dangerous.
Still, I don't recommend storing the passphrase of a high balance account on the device.

Browsers don't encrypt local storage by default. What would they encrypt it with, unless the user has some sort of master password? An attacker only needs file system access.

I tried to find where it is stored on disk - Chromium on Ubuntu stores it in the folder ~/.config/chromium/Default/Local Storage, where for each website there is an unencrypted SQLite DB. Retrieving it is as simple as opening it with an SQLite browser: http://i.imgur.com/wIHjzhI.png
For other browsers/OS it will be similar.

This appears a great risk, as these files may lie around indefinitely without the user knowing it (and closing tabs is probably more common than logging out).

I agree, the local storage data is not encrypted, just obfuscated; still, you need to hack into the workstation or device itself to get to it.
The original plan was to save the passphrase in the local storage only for accounts with a balance of less than 10K NXT, and we can also make this limit configurable.
But this does not take into account asset value and other holdings. I guess it's better than nothing.

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #29 on: October 31, 2016, 12:03:27 pm »

Maybe it's a GUI bug, but "assets value" in the main dashboard window shows "0".

Calculating the asset value for accounts with many assets was identified as a performance problem.
Therefore we now only do it once when you load the client and not every 30 seconds like it used to be.
Under which circumstances do you see the 0 balance?

I always see the "0". Maybe the problem is that it is not updated every 30 seconds, just one time during logging in.

Works for me, please PM your account id

toenu

Re: NRS v1.11.0e
« Reply #30 on: October 31, 2016, 12:29:06 pm »

The concern is of course someone getting access (physical or otherwise) to one's device and reading the browser's local storage, which is trivial to do. It's the same as storing it in a clear text file, but after logging in once the user might not even be aware his passphrase is lying around unencrypted on disk... I hope this isn't going to cause any problems.

Perhaps a better way is to save the passphrase only for the session and keep only the account ID permanently. Downside is of course you always have to supply the pass for forging.

Is it really trivial to read the device browser local storage?
At least the data saved in disk and memory should be encrypted in most modern browsers.
You'll have to take control over the webview component and development tools while connected to the NXT client in order to steal the passphrase.
Can you do that without root access to the device?

The alternative is that users constantly copy/paste or QR scan the passphrase which opens the door for copy/paste or camera hacking which is not less dangerous.
Still, I don't recommend storing the passphrase of a high balance account on the device.

Browsers don't encrypt local storage by default. What would they encrypt it with, unless the user has some sort of master password? An attacker only needs file system access.

I tried to find where it is stored on disk - Chromium on Ubuntu stores it in the folder ~/.config/chromium/Default/Local Storage, where for each website there is an unencrypted SQLite DB. Retrieving it is as simple as opening it with an SQLite browser: http://i.imgur.com/wIHjzhI.png
For other browsers/OS it will be similar.

This appears a great risk, as these files may lie around indefinitely without the user knowing it (and closing tabs is probably more common than logging out).

I agree, the local storage data is not encrypted, just obfuscated; still, you need to hack into the workstation or device itself to get to it.
The original plan was to save the passphrase in the local storage only for accounts with a balance of less than 10K NXT, and we can also make this limit configurable.
But this does not take into account asset value and other holdings. I guess it's better than nothing.

Another way could be to clear the pass from storage on window close event, unless the user has set something like "keep passphrase in local storage" on the settings page, which by default is false. If the user comes back and the passphrase was cleared, log him in with account ID only.
Logged
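
The scheme proposed in this thread (account ID kept permanently, passphrase held only for the session and cleared on window close unless the user opts in), sketched as an added example that is not part of any forum post or of the NRS client code. The storage keys, function names and the `MemoryStorage` stand-in are assumptions made for illustration.

```javascript
// Added example: keys and function names are hypothetical, not from the NRS client.
const KEY_ACCOUNT = "demo.accountId";
const KEY_PASS = "demo.passphrase";
const KEY_KEEP = "demo.keepPassphrase"; // the "keep passphrase in local storage" setting

// Minimal stand-in for the Web Storage API so the example also runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// The setting is false unless explicitly stored as "true".
function keepEnabled(local) {
  return local.getItem(KEY_KEEP) === "true";
}

// On login the account ID is always persisted. The passphrase reaches persistent
// storage only if the user opted in; otherwise it lives in per-tab session storage.
function onLogin(local, session, accountId, passphrase) {
  local.setItem(KEY_ACCOUNT, accountId);
  if (keepEnabled(local)) {
    local.setItem(KEY_PASS, passphrase);
  } else {
    local.removeItem(KEY_PASS);
    session.setItem(KEY_PASS, passphrase);
  }
}

// Window close handler. Close events are not guaranteed to fire (crash, kill),
// so onStartup repeats the cleanup of persistent storage.
function onWindowClose(local, session) {
  session.removeItem(KEY_PASS);
  if (!keepEnabled(local)) local.removeItem(KEY_PASS);
}

// On startup: purge any stale persisted passphrase, then pick the login mode.
function onStartup(local, session) {
  if (!keepEnabled(local)) local.removeItem(KEY_PASS);
  const accountId = local.getItem(KEY_ACCOUNT);
  if (!accountId) return { mode: "logged-out" };
  const passphrase = session.getItem(KEY_PASS) || local.getItem(KEY_PASS);
  return passphrase
    ? { mode: "full", accountId, passphrase }
    : { mode: "account-only", accountId };
}
```

In a browser the same functions would take `window.localStorage` and `window.sessionStorage`, with `onWindowClose` registered on the `pagehide` event.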

Tosch110

  • Ex-Staff Member
Re: NRS v1.11.0e
« Reply #31 on: November 01, 2016, 10:05:55 pm »

Awesome updates, thanks for the work!

apenzl

Re: NRS v1.11.0e
« Reply #32 on: November 01, 2016, 11:26:53 pm »

Echo that ^ !!!

Will this beautiful (atm BETA) mobile client be available to use for all Ardor childchains too?

Coradan

Re: NRS v1.11.0e
« Reply #33 on: November 02, 2016, 08:33:01 am »

Sorry, but the ionic view ID ec170f70 is wrong.  It does not work...

Could you give the right one?

Well done! And Thanks a lot...
One more thing: NXT
http://www.nxt.cool

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #34 on: November 02, 2016, 09:19:06 am »

Sorry, but the ionic view ID ec170f70 is wrong.  It does not work...

Could you give the right one?

Well done! And Thanks a lot...

It appears that you need to register at http://ionic.io/ with your email then PM me your email so that I can share the app with you.
I'll update the instructions.

cryptomommy

Re: NRS v1.11.0e
« Reply #35 on: November 05, 2016, 12:39:02 pm »

Desktop Windows 10 - Browser wallet is working; however desktop loads blue background and nothing else. testing mobile now :)
"Those who danced were thought to be quite insane by those who could not hear the music"

galeki

Re: NRS v1.11.0e
« Reply #36 on: November 05, 2016, 12:43:29 pm »

Desktop Windows 10 - Browser wallet is working; however desktop loads blue background and nothing else. testing mobile now :)

Same here (Win10). Need 'Refresh Wallet' manually every time to show the desktop wallet.

cryptomommy

Re: NRS v1.11.0e
« Reply #37 on: November 05, 2016, 01:04:48 pm »

For the mobile app - Dashboard works like a charm - navigation fly to the left stops working if you go into any of the other nav options though making it impossible to use. This is going to be very exciting once it is fully functional - should send data over https be selected by default?

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #38 on: November 05, 2016, 05:42:08 pm »

Desktop Windows 10 - Browser wallet is working; however desktop loads blue background and nothing else. testing mobile now :)

Same here (Win10). Need 'Refresh Wallet' manually every time to show the desktop wallet.

This should be fixed in the next release

Riker

  • Core Dev
Re: NRS v1.11.0e
« Reply #39 on: November 05, 2016, 05:50:34 pm »

For the mobile app - Dashboard works like a charm - navigation fly to the left stops working if you go into any of the other nav options though making it impossible to use. This is going to be very exciting once it is fully functional - should send data over https be selected by default?

Please explain exactly the steps to reproduce this. For me the left pane navigation always works when clicking the 3 horizontal lines buttons to show and hide it.

Regarding HTTPS, the ajax connection from the webview to remote nodes cannot use HTTPS with a self-signed certificate like most of the remote nodes currently implement.
Therefore selecting a random HTTPS node does not work. Currently, if you need HTTPS you need to make sure you have a CA certified certificate on the remote node and configure the connection manually from the app using the mobile settings modal.

What I can try to do is, for each remote HTTPS node, attempt to connect, identify the specific failure on a self-signed certificate, and ignore these nodes. Will try to implement for the next release.