How to create wallet for new user


Miles

On 4/14/2019 at 9:17 PM, Flintstone said:

Have a look through here first to get an understanding of how wallets work and how to create one https://www.xrpchat.com/links/ as there are various ways. I recommend creating one offline on a safe air-gapped computer that will not connect to the internet. You can never be too safe.

https://bithomp.com/wallets

Interesting. Question, how is using the Paper Wallet feature secure seeing it's all online? Click Generate New to create new public and private keys but are those keys actually random and not stored anywhere on servers?

Also, as an experiment I unplugged my internet. All tabs said No Internet Connection, but the Bithomp Paper Wallet page was still able to create new paper wallets offline. How is this possible?

Thanks!

Edited by MegaNerd

2 minutes ago, MegaNerd said:

are those keys actually random and not stored anywhere on servers?

If the page works when saved locally and you've disconnected from the internet, then that's a good sign. Your scepticism is still justified though, because a malicious actor might sneakily incorporate some kind of hierarchical-deterministic generator into a seemingly innocent web page such that he knows what address-range is being generated by his victims (even without collecting their data).

For the example that Flintstone has provided, reasons to trust the site are:

  1. The author's reputation
  2. The author's known identity
  3. The transparency of the XRPL.

Putting items 1 to 3 together, the author has a strong incentive not to release malicious code.

Therefore the hazard to watch out for is that you accidentally visit a fake site that only looks like the one in Flintstone's link. For instance, a site that's disguised by a domain name with Greek or Russian letters in it. Compare the words “bithοmp” and “bithomp”. The first contains the Greek letter omicron, whereas the second contains the letter “o”, but can you tell them apart? If a thief were to register a domain name containing the first variant, he could use it to trick you into downloading a malicious address-generator. This is why you should never click on links found by Google when security is at stake — it's safer to type them out by hand.

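The look-alike domain check described in the post above can be automated. This is an added example, not part of the original post or of any site's code; the function names `scriptsOf` and `checkHostname` are hypothetical, and the sample hostname is constructed from the omicron spelling quoted in the post.

```javascript
// Added example: inspect a hostname for look-alike letters before trusting it.
// Scripts to look for: Latin plus the Greek and Cyrillic ("Russian") letters
// mentioned in the post. Digits and hyphens belong to no script and are ignored.
const SCRIPTS = ['Latin', 'Greek', 'Cyrillic'].map(
  (name) => [name, new RegExp(`\\p{Script=${name}}`, 'u')]
);

// Return the sorted list of scripts used by the letters of one hostname label.
function scriptsOf(label) {
  const seen = new Set();
  for (const ch of label) {
    for (const [name, re] of SCRIPTS) {
      if (re.test(ch)) seen.add(name);
    }
  }
  return [...seen].sort();
}

// Compare a hostname taken from a link with the name the user expects.
function checkHostname(candidate, expected) {
  const findings = [];
  // The URL parser converts non-ASCII labels to their punycode (xn--) form,
  // which is the name that is actually looked up in DNS.
  const ascii = new URL(`https://${candidate}`).hostname;
  for (const label of candidate.toLowerCase().split('.')) {
    const scripts = scriptsOf(label);
    if (scripts.length > 1) {
      findings.push(`mixed scripts in "${label}": ${scripts.join('+')}`);
    } else if (scripts.length === 1 && scripts[0] !== 'Latin') {
      findings.push(`"${label}" is written entirely in ${scripts[0]}`);
    }
  }
  if (ascii.split('.').some((label) => label.startsWith('xn--'))) {
    findings.push(`internationalized name, resolves as ${ascii}`);
  }
  if (ascii !== expected.toLowerCase()) {
    findings.push(`does not match expected host ${expected}`);
  }
  return { ascii, findings, ok: findings.length === 0 };
}

// Constructed sample: \u03BF is the Greek small letter omicron.
for (const host of ['bith\u03BFmp.com', 'bithomp.com']) {
  const result = checkHostname(host, 'bithomp.com');
  console.log(host, result.ok ? 'OK' : result.findings);
}
```
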

@MegaNerd You can download the offline tools and generate a key-pair offline, but that still doesn't resolve the following issue: unless you can verify the code yourself, you still have an element of trust.

15 minutes ago, tev said:

Your scepticism is still justified though, because a malicious actor might sneakily incorporate some kind of hierarchical-deterministic generator into a seemingly innocent web page such that he knows what address-range is being generated by his victims (even without collecting their data).

To eliminate any trust, have a clean machine that will never see the internet again. Install NPM and Node.js and derive your key-pair from the following code:

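// Derive an XRP Ledger key pair; pass an existing seed as the only argument to re-derive its address.
var keypairs = require('ripple-keypairs');
// Use the seed given on the command line, otherwise generate a fresh random one.
var seed = (process.argv.length === 3) ? process.argv[2] : keypairs.generateSeed();
var keypair = keypairs.deriveKeypair(seed);
console.log("Ripple-address: " + keypairs.deriveAddress(keypair.publicKey));
// The seed is the secret: anyone who sees it controls the account.
console.log("Ripple-secret:  " + seed);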

See this post: https://www.xrpchat.com/topic/10503-generating-keys-on-ripple-site/

Edited by Flintstone

Thanks so much!
