
Show HN: Sixty Large – wallet generator for cryptocurrencies - arasmussen
http://www.sixtylarge.com
======
ck2
Amazing but the only good wallet generator is one that runs offline.

~~~
arasmussen
Technically, it does run offline. If you pop open your developer console,
you'll notice it isn't making any requests. All of the wallet generation is
done on client side, no public address or private key ever touches our server.
After the page loads, it'll still work with no internet connection.

~~~
salibhai
Just an idea: provide a zip file version for the paranoid, put it on github

~~~
ck2
I think both IE and Firefox have an "all in one" archive format for a webpage
that includes all the external files and can run directly from the single
file.

That would be a neat alternative.

But I think they built a website for the traffic, not to give away their work.

------
pmorici
I agree with the other comment that says that the only good wallet generator
is one that runs offline, but even if you wanted to use an online one, this
site isn't even secured with HTTPS. No way I would trust this for anything.

~~~
justizin
See the above comment where no data is sent to their server.

~~~
sp332
But since the content isn't delivered over HTTPS, it could be MITM'd to
include malicious code that does send your keys somewhere.

~~~
jccooper
If you watch your browser you can see if it does or doesn't. You only need
trust your browser at that point.

If you don't trust your browser, you can monitor network activity at the OS
level. Should provide a pretty good assurance.

That said, I still wouldn't use it without (a) a private browser window, (b)
taking the machine offline, and (c) killing the browser before going back
online. Unfortunately, I don't think most people who will use this will do
such a thing.

(And I'm still not sure I'd trust it for any really serious work.)

~~~
sp332
Well that's not the only way it could be broken. The generator could give you
a chosen (or less-random) address.

------
kordless
A few things that bother me:

- no QR codes

- no link to a Github repo where I can download it

- no randomization function to seed the generator

Additionally, I think best practices should dictate none of these paper wallet
generators should display their functionality while they are connected to the
Internet. All of us have a duty to build software that is secure and has clear
intent. Users get confused easily.

As an aside, I gave the retired couple next door a paper wallet last night for
letting me borrow their printer. I put $10 on it for ink. The husband is an
amateur astronomer and used to code, so he's technical. The wife said she's
been watching for news about Bitcoin. She said that she heard something about
"that mount place" and hoped they were OK. I told her to get some popcorn.

~~~
kordless
I should have said 'should NOT display functionality when connected'.

------
bitJericho
Too bad it's not sent securely.

~~~
ChrisClark
It's not sent at all. Everything seems to be generated locally.

~~~
adambard
The code to generate keys locally is still sent over an unsecured connection.

~~~
jleehey
Why does this matter? You'll need to get the code somehow, and once it's on
your machine, it doesn't make any requests. You can take a look at the code to
find out if it's malicious or not.

~~~
bitJericho
How on Earth would you be able to (easily) tell if the scripts loaded into
memory are the scripts at the legitimate URL location? Eg:

    <script type="text/javascript" src="/js/lib/bitcoinjs-min.js"></script>
    <script type="text/javascript" src="/js/lib/jquery-2.1.0.min.js"></script>
    <script data-main="/js/main" src="/js/lib/require.min.js"></script>

~~~
jccooper
You can still verify that it's not communicating. Browser (and/or OS tools)
will show that easily.

What you can't verify easily (without inspecting the source through your
browser) is that the keys it's giving you are brand new. Figuring that's a bit
more involved--and you'd have to do that every time you load the page. Which
really kills the ease of using a website.
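
Added example (not part of the original thread and not Sixty Large's code): one way to avoid re-inspecting the source on every load is to pin a SHA-384 digest for each script in a copy you have reviewed, then re-check later deliveries against those pins. The file bodies below are constructed stand-ins, and the helper names `scriptSources`, `buildPins` and `verify` are hypothetical.

```javascript
const crypto = require('crypto');

// SRI-format digest: "sha384-" + base64(SHA-384(content)).
function sriHash(content) {
  return 'sha384-' + crypto.createHash('sha384').update(content).digest('base64');
}

// Every script the page pulls in: src attributes plus RequireJS data-main,
// which loads "<value>.js". Modules that main.js requires later need pins too.
function scriptSources(html) {
  const out = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc="([^"]+)"/i.exec(tag);
    const main = /\sdata-main="([^"]+)"/i.exec(tag);
    if (src) out.push(src[1]);
    if (main) out.push(main[1].endsWith('.js') ? main[1] : main[1] + '.js');
  }
  return out;
}

// Pin manifest {path: digest}, built once from a copy you have reviewed.
function buildPins(html, files) {
  const pins = {};
  for (const path of scriptSources(html)) {
    if (!Object.hasOwn(files, path)) throw new Error('no reviewed copy of ' + path);
    pins[path] = sriHash(files[path]);
  }
  return pins;
}

// Re-check a later delivery against the pins; returns a list of problems.
function verify(html, files, pins) {
  const problems = [];
  for (const path of scriptSources(html)) {
    if (!Object.hasOwn(pins, path)) problems.push('unpinned script: ' + path);
    else if (!Object.hasOwn(files, path)) problems.push('missing script: ' + path);
    else if (sriHash(files[path]) !== pins[path]) problems.push('hash mismatch: ' + path);
  }
  return problems;
}

// Constructed sample: the three tags quoted in the thread, with stand-in bodies.
const PAGE = `<script type="text/javascript" src="/js/lib/bitcoinjs-min.js"></script>
<script type="text/javascript" src="/js/lib/jquery-2.1.0.min.js"></script>
<script data-main="/js/main" src="/js/lib/require.min.js"></script>`;
const REVIEWED = Object.fromEntries(scriptSources(PAGE).map((p) => [p, '/* reviewed ' + p + ' */']));
const PINS = buildPins(PAGE, REVIEWED);
console.log(verify(PAGE, { ...REVIEWED, '/js/main.js': '/* modified */' }, PINS));
```

The same digests can be placed in each tag's `integrity` attribute so the browser enforces them, but that only helps if the HTML itself comes from a copy you trust, such as a saved local file.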

------
ryanmcbride
The fact that it handles dogecoin is a huge plus for me, but I'm gonna wait a
while before I jump onboard to make sure it's actually safe.

~~~
lozf
Just use
[http://www.dogecoinpaperwallet.org/](http://www.dogecoinpaperwallet.org/) --
at least it's been around longer and based on code that's been discussed
before.

------
gojomo
Except for the altcoin support, the classic BitAddress.org seems much better,
in features/security/review/offline-ability/etc:

[https://bitaddress.org](https://bitaddress.org)

[https://github.com/pointbiz/bitaddress.org](https://github.com/pointbiz/bitaddress.org)

