Bkchain web-wallets! (electrum-like client-side BIP32 deterministic webwallets)

http://bkchain.org/ppc/wallet

Well, the title says most of it!
I was trying over the last few weeks to implement HD wallet (electrum-like).
So far, it works for PPC, LTC, BTC.
I suppose that makes it one of the first client-side web wallet for peercoin!

USE AT YOUR OWN RISK! IT IS STILL A VERY EARLY ALPHA, ONLY FOR TESTING PURPOSE. NO RESPONSABILITY!
That said, it seems to works well enough for basic case (but many corner cases are maybe not covered well).

A few notes:

[ul][li]Full Hierarchical Deterministic wallet with both receiving and change address.[/li]
[li]It will fetch as many as necessary to have empty ones. Used address will be striked.[/li]
[li]Sign and send transaction from your browser. It will automatically gather unspent outputs from your various receiving/change addresses.[/li]
[li]Seed are electrum-compatible. That is, for BTC it should generate same addresses.[/li]
[li]Client side encryption. Nothing stored on server. Client signs transactions and push them through API. This should help avoid many usual vectors of attacks.[/li]
[li]Feel free to review the code (security, etc…). Many of the used javascript libraries are known, and the important part is happening in wallet.js.[/li]
[li]I need to add https. In the meantime it’s probably OK, since encryption/signing is javascript client-side only, outside people can’t see more than your API address/balance requests.[/li][/ul]

Testing & feedback welcome! Don’t forget, it’s a very early release.

Enjoy!

Special thanks to carbonwallet, brainwallet & bip32.

EDIT:
Created a github webpage: https://github.com/bkchain

[ul][li]Issues/requests/bug reports go there.[/li]
[li]As soon as I get around it, that’s where I plan to put sources.[/li][/ul]

Very nice! Thank you

Wow, good job!

one more wow

Looks good for an Alpha. Got 1 PPC in there to test.
When transferring it almost immediately increased the wallet with 1 PPC before a confirmation was made.
Would be great to add an indicator when 6 confirmations have taken place, but I suspect you already have that on your list

Just switched to https (SSL) and added some information on main login page.

Nice, a Peercoin logo on that page would also be great.

Edit: and while I was mucking around in the wallet, it would also be great to have the QR code for receiving funds (e.g. by clicking on an address)
That way businesses and others can receive mobile PPC payments very easy without a payment processor. They can also see the network accepting the payment and wait for the number of confirmation they think is appropriate for the payment and this all on their mobile device. Again love the work you are doing at the forefront of what one day would be commonplace.

Just added Watch-only mode with Master Public Key (that you can fetch using your seed or directly from electrum for BTC), and QR code.

Also, I was mistaken in the naming, and it is not actually BIP32-compatible but only Electrum-compatible (which didn’t implement BIP32 yet).
Another BIP32 wallet will be added later alongside the current electrum one.

Like the QR codes and Master Public Key to check balance.Works all fine in Firefox on my PC.

However I do have a problem with my 3 year old tablet which I can’t update. It doesn’t enable the ‘Open wallet’ button after entering the master public key or the seed. All other buttons do work.

It’s probably something very specific, but I hope you might know a trick that makes it work without compromising the look and feel for others. Just keen to get it to work on my mobile device, but maybe I just need to buy a new one?

[quote=“Cybnate, post:9, topic:2075”]Like the QR codes and Master Public Key to check balance.Works all fine in Firefox on my PC.

However I do have a problem with my 3 year old tablet which I can’t update. It doesn’t enable the ‘Open wallet’ button after entering the master public key or the seed. All other buttons do work.

It’s probably something very specific, but I hope you might know a trick that makes it work without compromising the look and feel for others. Just keen to get it to work on my mobile device, but maybe I just need to buy a new one?[/quote]

By any chance, if you just add and remove a character at the end, does it work? Trigger is key press, and if you just copy/paste it might not be detected as a key press.
I’ll check if there is another trigger I could use to check passphrase validity.

Thanks BKchain. That does the trick on my tablet. My phone is less cooperative, but again I’m not using the latest stuff.
It also took about 2 minutes on my 1.5Ghz tablet to open the wallet. Hitting the old hardware barrier again I guess.

Hope that another trigger than keypress as you suggest works better. Not keen to key in that long password. Using a password manager for that as you guessed. Change the key press method might also get my phone to work, not sure why that isn’t working. The seed button does work, but trick keypress doesn’t work on phone.

The QR codes work nicely and can be read by other phones from my tablet screen.

Any chance for features? E.g. a send payments address list? Ability to add labels to the addresses? Just some ideas.

Keep on doing the good work!

BTW Did you notice that someone donated 500 PPC to your ‘empty’ project on peer4commit? Any chance you start publishing the code there anytime soon?

[quote=“Cybnate, post:11, topic:2075”]Thanks BKchain. That does the trick on my tablet. My phone is less cooperative, but again I’m not using the latest stuff.
It also took about 2 minutes on my 1.5Ghz tablet to open the wallet. Hitting the old hardware barrier again I guess.

Hope that another trigger than keypress as you suggest works better. Not keen to key in that long password. Using a password manager for that as you guessed. Change the key press method might also get my phone to work, not sure why that isn’t working. The seed button does work, but trick keypress doesn’t work on phone.

The QR codes work nicely and can be read by other phones from my tablet screen.

Any chance for features? E.g. a send payments address list? Ability to add labels to the addresses? Just some ideas.

Keep on doing the good work!

BTW Did you notice that someone donated 500 PPC to your ‘empty’ project on peer4commit? Any chance you start publishing the code there anytime soon?[/quote]

Ok I’ll look into the keypress thing. Didn’t notice about the donation, that’s nice!
Concerning frontend, I was hesitating to rewrite little bit the website so that it doesn’t require a python server to render pages anymore (i.e. even blockchain pages become static like the wallet one, and it pulls data all through JSON API). I think that might make it much more accessible (just loading the html static pages and open them in a browser locally).

On the backend side, I still have one outstanding crash/issue to fix on server side before I can clean, polish and publish it (I’ll probably do frontend in meantime, it’s probably the most important for wallet security).
After that, my plan is to add cold storage signing to the website.

Also, small update to reassure people on the heartbleed issue:

It has been fixed on bkchain.org (updated OpenSSL and installed new SSL certificates).

Just a quick reminder, since wallet is encrypted client side, the worst that could have happened was someone sniffing your public address balance and unspent output requests (privacy risk). Since private key decryption/signing is 100% client side, nothing could have happened to your private keys with this attack (no security risk).

Good news, I think I just found what the backend issue was. Currently regenerating a few database and it should be much more stable from now on (I occasionally had to restart it for BTC/LTC once in a while recently – PPC wasn’t much affected due to small size of database).
I will be able to focus on releasing source soon then!

[quote=“Cybnate, post:11, topic:2075”]Hope that another trigger than keypress as you suggest works better. Not keen to key in that long password. Using a password manager for that as you guessed. Change the key press method might also get my phone to work, not sure why that isn’t working. The seed button does work, but trick keypress doesn’t work on phone.

The QR codes work nicely and can be read by other phones from my tablet screen.

Any chance for features? E.g. a send payments address list? Ability to add labels to the addresses? Just some ideas.

Keep on doing the good work!

BTW Did you notice that someone donated 500 PPC to your ‘empty’ project on peer4commit? Any chance you start publishing the code there anytime soon?[/quote]

Now you should be able to have the button enabling itself after copy pasting key. Let me know how it works for you.

Concerning payment address list / labels, it would need to have some form of server storage (vs 100% client side through deterministic address as of now).
It’s definitely something that could be added though, probably the client could store this info on the server totally encrypted by himself (no need for account, for example a hash of the public master key could be used as “token” – and this data would probably be encrypted using AES with some other hash generated through public key as well).
It’s just meta-information anyway.
Only thing that could be annoying is to prevent various DDoS attacks (since I have no way to check account, everybody could just DDoS server space with lot of trash data).

I like the idea of this site. But you should have this warning on the website too.

May things could still go wrong. For instance if you have some browser plug-in or add-on installed that is watching sites for this type of data to steal the information.

Thanks for your codes changes. Did some more tests in multiple browsers. The copy/pasting now works fine on modern browsers. Had good results with Windows Firefox browser and built-in browser for Android and Android Firefox.
However my old native browser on tablet refuses to register the button touch after your change. It seems inactive. Not sure if you can do anything about that, maybe it is not worth it anymore.

Regarding labels, I didn’t think about the risk of DDOS in this case. Would indeed be hard to fend off with no user accounts. Therefore it may not be such a good idea. Is there maybe a way you can do something with local cookies? Not great because it would only work on the client you would set it up, unless you would copy the cookies across?

Maybe use a file which each user can store in their own cloud service? User still need to remember the right path to the folder though. I don’t know, just thoughts.

Maybe leave the labels and focus on the user interface and have a more user friendly interface on top of the current one which can still exist in background. You might want to have a look at some of the Android mobile wallets for inspiration e.g. this one http://bitcoinboard.net/wp-content/uploads/2013/12/android-mobile-wallet.png

…and was there any risk of heartbleed (openssl flaw) with your site? If so, did you already fix that?

Thanks again for you contribution to providing new functionality for Peercoins. Hope you open source your code soon, so others can learn and contribute to the code.

I like the idea of this site. But you should have this warning on the website too.

May things could still go wrong. For instance if you have some browser plug-in or add-on installed that is watching sites for this type of data to steal the information.[/quote]
Won’t hurt to have a warning, but the risk you raise is not that different than having a keylogger on your pc capturing the passphrase of your wallet. In both cases caution is required when installing new software or visiting vague websites. A good and continiously updated viruscanner would go a long way.

Just a quick update, I’m currently rewriting the website with a templating engine that can run both server and client-side. Objective is to have both a dynamic website (server-side, as-is) and also generate a 100% server-less (static) website that can directly query the backend with existing API (block-explorer interface will run 100% on client-side, same as wallet). Both server and client-side would share most of the code.

If this works out well, this will allow people to get source on github, review source and open .html directly in their browser (without any web-server).
Worst case (if I can’t succeed easily with existing toolkits), I will fallback to require people to install a Node.js server client-side (would be much easier for me, but installation barrier is much higher than simply opening a static .html in a browser). Hopefully it won’t be needed though.
Or if you think requiring a Node.js server is not a problem, I could probably avoid the hassle.

It’s a huge rewrite compared to what I used to do before (converting from python+uwsgi to Node.js), so it will probably take ~1 or 2 more weeks I would say.

As soon as it’s done, I will be able to publish the frontend sourcecode. Backend should follow soon after. As a result, people should be able to run the whole ecosystem by themself.

[quote=“bkchain, post:18, topic:2075”]Just a quick update, I’m currently rewriting the website with a templating engine that can run both server and client-side. Objective is to have both a dynamic website (server-side, as-is) and also generate a 100% server-less (static) website that can directly query the backend with existing API (block-explorer interface will run 100% on client-side, same as wallet). Both server and client-side would share most of the code.

If this works out well, this will allow people to get source on github, review source and open .html directly in their browser (without any web-server).
Worst case (if I can’t succeed easily with existing toolkits), I will fallback to require people to install a Node.js server client-side (would be much easier for me, but installation barrier is much higher than simply opening a static .html in a browser). Hopefully it won’t be needed though.
Or if you think requiring a Node.js server is not a problem, I could probably avoid the hassle.

It’s a huge rewrite compared to what I used to do before (converting from python+uwsgi to Node.js), so it will probably take ~1 or 2 more weeks I would say.

As soon as it’s done, I will be able to publish the frontend sourcecode. Backend should follow soon after. As a result, people should be able to run the whole ecosystem by themself.[/quote]
That is great news. Thank you for working on this which I think will be a huge contribution to the Peercoin ecosystem.
I’m not sure about using Node.js as that might open a can of worms with browsers and security, but I have no idea how bad the hassle is you have to go through.

Do I understand that your rewritten web-wallets still support BTC, LTC and Doge at the same time? This would then be very similar to the Omniwallet project. If so, things get interesting 8)

[quote=“Cybnate, post:19, topic:2075”]That is great news. Thank you for working on this which I think will be a huge contribution to the Peercoin ecosystem.
I’m not sure about using Node.js as that might open a can of worms with browsers and security, but I have no idea how bad the hassle is you have to go through.

Do I understand that your rewritten web-wallets still support BTC, LTC and Doge at the same time? This would then be very similar to the Omniwallet project. If so, things get interesting 8)[/quote]

It’s OK, I managed to make a 100% static version of it (i.e. a bunch of .html files that you can checkout from github and open directly in your local file system).
Node.js will be necessary only for hosted version (to have better URL rewriting, API, and to have static page per block without AJAX so that search engine can index properly).

And yes, there will be web wallets for all currencies.