<p​lowsof:matrix.org> i commented on the btcpayserver proposal repo.getmonero.org/monero-project/c…als/-/merge_requests/538#note_29352

<o​frnxmr:xmr.mx> bounties.monero.social/posts/124/5-…erver-allow-syncing-via-remote-node should be paid to nicolas dorier 🙃

<o​frnxmr:xmr.mx> github.com/btcpayserver/btcpayserver-monero-plugin#configuration

<o​frnxmr:xmr.mx> > Currently BTCPay Server requires a user to sync a pruned/full node in order to accept XMR payments.

<o​frnxmr:xmr.mx> this part of the bounty has never been true

<o​frnxmr:xmr.mx> nahuhh/ofrnXpay 11aa3d7 example, this is a (no longer functional) script that setup a localhost (onion etc) btcpayserver with a remote node

<o​frnxmr:xmr.mx> It's actually much older than 11 months, but i uploaded it to github after losing an updated version

<o​frnxmr:xmr.mx> .. my main issue with the proposal is that it suggests it will do things that have already been done. Like adding remote node support, reviewing remote node support. How do you add something that is already there? And if you didnt know it was there, then you clearly havent reviewed much of anything

Revuo Monero maintenance (2025 Q2) has moved to funding! ccs.getmonero.org/proposals/revuo-monero-maintenance-2025-q2.html

<s​pirobel:kernal.eu> I looked into this a bit. This article goes into what its capabilities are microsoft.com/en-us/security/blog/2…onnaissance-to-cryptocurrency-theft There is no talk about the initial compromise being caused by insecurity in browser wallets. It just collects browser wallet information after the system is already compromised. <clipped message>

<s​pirobel:kernal.eu> If people used different kinds of wallets it would collect this information as well. The best way to protect against this kind of problem that the end users machine is compromised is to use multisig by default. I am not a big fan of hardware wallets or code storage solutions / air gapping, if they are not combined with multisig. By itself this can lead to a false sense of security<clipped message>

<s​pirobel:kernal.eu> . In the case of hardware wallets the end users machine is replaced with a small proprietary arduino tier computer. So one problem is replaced with another. Air gapping by itself is no solution either. If the payoff is high enough, this obstacle can be overcome too. The most prominent example for this is stuxnet. That being said: The third milestone of the Browser Wallet proposal <clipped message>

<s​pirobel:kernal.eu> includes a multisig companion app that will be able to be used offline. So it will be a bit like the anonero UX but with multisig instead of putting the key material on just one device. So people can combine air gapping, a second offline android device, and the browser wallet.

<s​pirobel:kernal.eu> tldr: the monero browser wallet contains multisig features so an end user compromised device will not lead to a loss of funds.

<3​21bob321:monero.social> Got a question boog900 gets paid less and has more milestones then hinto how come ?

<b​oog900:monero.social> Separate proposals, we both do monthly milestones.

<s​nowman:tetaneutral.net> are there any good web wallets for any coin out there

<s​nowman:tetaneutral.net> seems like a big waste of time. people use app

<p​erson:neat.chat> how do I convert my menero to usd I can do in coinbase wallet but half of the value disappears which is unacceptable

Coinbase supports monero?

<p​erson:neat.chat> the wallet does\

Seems odd. I have no experience with coinbase at all

2 ways, use haveno, not sure if that works for you

Or convert to a coin your exchange supports using a swap service

You can find a listing of the swap services on trocador

Probably don't send or receive directly with CB but instead use an intermediate wallet

Recommending to do so ad I don't know what CB allows

<o​frnxmr:xmr.mx> Lol wut

<o​frnxmr:xmr.mx> You have monero in your "coinbase wallet ™️" ?

I have no idea what a coinbase wallet is

<s​pirobel:kernal.eu> the most used wallet apps are all browser wallets. If you look at phantom and backpack for example. Under the hood they contain a mini browser. This distinction between browser wallets and app wallets becomes increasingly blurry. All the bigger ecosystems use web technology to decouple specific applications from the secret key holding wallet apps.

<3​21bob321:monero.social> blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html?m=1

<3​21bob321:monero.social> @spirobel

<s​pirobel:kernal.eu> this is interesting. One way to avoid cookie theft currently is to use httpOnly cookies. This so called "httpOnly" cookie is not available to the local js context. It is only sent to the server. So cookie theft will not work if a website authentication system is built with httpOnly session cookies, even if an XSS vulnerability is found.

what is the desire for a browser wallet. it's very clear that most people over the past few weeks have no desire for a browser wallet whatsoever. so the other side of the question is, why purpose would a browser wallet serve?

s/why/what/

<s​pirobel:kernal.eu> It is very clear over the past few weeks that there is a desire for a browser wallet and the questions and concerns only make this momentum stronger.

no one else thinks that

everyone is seeing the exact opposite

it's been denied over and over again

<s​pirobel:kernal.eu> nonsense. maybe your matrix bridge didnt update

<s​pirobel:kernal.eu> scroll up the chat.

spirobel why do you want a browser wallet?

<s​pirobel:kernal.eu> because its a massive opportunity to have an impact.

if that's your answer, that explains why no one supports it.

there's nothing concrete there

give a concrete answer on what problem a browser wallet solves

<s​pirobel:kernal.eu> there is a lot concrete here. It has been explained multiple times

no one can see it

we only see problems

<s​pirobel:kernal.eu> it will make multisig based applications easier to build and more secure

<s​pirobel:kernal.eu> just one example

everyone things a browser wallet is a huge insecurity. and no benefits are being given

<s​pirobel:kernal.eu> yeah that is a you problem. also not we. just a minority of refuseniks

<s​pirobel:kernal.eu> it is not fundamentally more or less secure.

<s​pirobel:kernal.eu> But the way it will be built, centered around multisig UX will make the end result more secure

<s​pirobel:kernal.eu> and pleasant to use

spirobel what is it about the multisig experience, that requires a browser wallet?

couldn't the UX be improved without it being a browser wallet?

<s​pirobel:kernal.eu> there needs to be some kind of API to connect with the service. There needs to be a closeness to the thing you are interacting with and at the same time it needs to be compartmentalized. The browser is the right tool to build this.

<s​pirobel:kernal.eu> non browser centric apps can benefit from this as well down the line. You see how phantom and backpack introduced mobile wallets that feature a dedicated explore tab that lets you enter dapp urls. if you are truly opposed to the browser you could rebuilt a custom frontend for the apps you want to use later on. But the forcing function of going down the browser UX is important.

<s​pirobel:kernal.eu> We also see many dedicated apps that use electron, tauri etc. So in the end we end up with web technology in any case. Its just less secure and less unified as a whole

<s​pirobel:kernal.eu> which leads to wasted effort and time. Every app needs to be essentially a wallet app

that's why there's monero APIs for various different languages, without bringing along the attach surface of an entire browser.

attack*

a "wallet" is a signing tool, among other ease of use stuff. I don't think anyone wants their signing keys in something as vulnerable as a browser.

<s​pirobel:kernal.eu> I could give more specific examples of other ecosystems: imagine pump fun trying to convince established wallet apps to build an integration. Or trying to launch a wallet app when they first started. It is impossible for people to experiment without having the ability to connect wallets to apps and try new things. The list of examples is endless.

<s​pirobel:kernal.eu> zero days for browsers cost millions for a reason: they are rare and hard to find and hard to build exploits for. But I understand the concern. Thats why the 3 milestone is a multisig companion app that enables the splitting of the private key material to another device. So even if there is a compromise (which would also compromise your native apps btw. If your browser is vulnerab<clipped message>

<s​pirobel:kernal.eu> le, your native wallet app is under the same danger as an extension)

<s​pirobel:kernal.eu> zero days for browsers cost millions for a reason: they are rare and hard to find and hard to build exploits for. But I understand the concern. Thats why the third milestone is a multisig companion app that enables the splitting of the private key material to another device. So even if there is a compromise (which would also compromise your native apps btw. If your browser is vuln<clipped message>

<s​pirobel:kernal.eu> erable, your native wallet app is under the same danger as an extension)

<s​pirobel:kernal.eu> the funds will still be safe.

"There neds to be a closeness to the thing you are interacting with

"

I saw it mentioned before, and i agree with, that qr codes basically solve this

what need for more closeness is there?

<r​4v3r23:monero.social> absolutely nothing. just over engineering

<s​pirobel:kernal.eu> I wrote a longer comment about this before. QR codes are basically cross device copy and paste. They have their place, but they also have limitations and dangers. Scanning QR codes from untrusted websites with a second device can lead to accidental leakage of information. Especially because its unclear who and what apps / system services will have access to the camera feed of the <clipped message>

<s​pirobel:kernal.eu> smartphone. It has been shown in other ecosystems that the browser wallet interface is an important milestone to decouple the wallet from apps and encourage new innovation. to the degree that even the mobile apps include a browser as well.

<s​pirobel:kernal.eu> I think we heard this argument now. If you want to go into more depth I am happy to, but its getting a bit repetitive. Maybe try to think deeper and ask why this technology is so wide spread

if the website is untrusted, a browser wallet is vulnerable also

<s​pirobel:kernal.eu> this whole QR codes for everthing theme feels a bit like 2014 when wechat became popular in china and western tech people kept raving about how this is the future

even if there is something spying on the camera feed, it's only addresses and signed transactions. no risk there. it's the code itself that would need to be changed.

<s​pirobel:kernal.eu> there is a difference: would you recommend copy and pasting randomly from a tor browser tab into a gmail tab open in the daily browser? no. QR-codes are cross device copy and paste. Can lead to a bad outcome. In the browser wallet if its properly done its possible to ensure that no information is leaked and identities are mixed up.

<s​pirobel:kernal.eu> there is a difference: would you recommend copy and pasting randomly from a tor browser tab into a gmail tab open in the daily browser? no. QR-codes are cross device copy and paste. Can lead to a bad outcome. In the browser wallet if its properly done its possible to ensure that no information is leaked and identities are not mixed up.

<s​pirobel:kernal.eu> also the timing metadata of connecting the node. Devil is in the details. In general its just not true that QR codes solve everything. Thats just an outdated narrative.

<s​pirobel:kernal.eu> and the origin of this is: 2014-2016 western fintech people when they hear about wechat and how china uses QR codes everywhere

"an important milestone to decouple the wallet from apps and encourage new innovation" - what milestone? encourages innovation how?

<s​pirobel:kernal.eu> If you look at the development of ethereum for example: there is a clear change in pace once web3.js and metamask gain adoption

<s​pirobel:kernal.eu> other ecosystems like sol included that paradigm from the beginning.

<s​pirobel:kernal.eu> The innovation and growth in new apps would not be possible without this

<s​pirobel:kernal.eu> and every app leads to more users and makes the ecosystem more sticky

"ask why this technology is so wide spread" - I dont see cypherpunks using browser wallets. the only people i know entertaining browser wallets also entertain having a CEX hold their coin. they're usually speculators don't actually care about self custody, decentralization, or anything important.

so i wouldn't call that "widespread"

<w​oodser:monero.social> a wallet as a browser plugin makes sense to me for some use cases

<s​pirobel:kernal.eu> that is not true. Defi is inherently cypherpunk and anti CEX. Even dark wallet was a browser wallet. It is one of the quintessential cypherpunk projects in the bitcoin sphere

<w​oodser:monero.social> of course not to be confused with a web wallet. it's a local wallet running as a browser plugin, to be able to interact with websites

"Can lead to a bad outcome." -- what is the bad outcome you're solving with a browser wallet?

<s​pirobel:kernal.eu> the bad outcome is that identities accidentally end up non compartmentalized. Next to multisig this is another core focus that has to be done right

spirobel can you give an example where using a native monero wallet with qr codes linked identities?

woodser what's the use case?

<w​oodser:monero.social> one is convenience, to be able to sign transactions directly from a browser extension without opening a separate app your mobile device

<s​pirobel:kernal.eu> I can just describe the current situation. Cake wallet is a wildly used wallet that people commonly use with remote nodes. It makes me uncomfortable that people scan qr codes while browsing with the tor browser. lets just leave it at that.

<w​oodser:monero.social> I can also see a website using a browser plugin to coordinate creating a maintaining a multisig wallet, which wouldn't be possible with your external application or mobile phone

"app leads to more users and makes the ecosystem more sticky" the wallet is more sticky how?

<w​oodser:monero.social> I can also see a website using a browser plugin to coordinate creating and maintaining a multisig wallet, which wouldn't be possible with your external application or mobile phone

<w​oodser:monero.social> one is convenience, to be able to sign transactions directly from a browser extension without opening a separate app or your mobile device

<w​oodser:monero.social> I can also see a website using a browser plugin to coordinate creating and maintaining a multisig wallet with good UX, which wouldn't be possible with your external application or mobile phone

<s​iren:kernal.eu> Not sure about the exact planned workflow, but currently the multisig experience is ass. We gave up on monero multisig in Monero Konferenco. We're using Metamask and safe.global for multisig.

spirobel it makes you uncomfortable that people commonly enter an address and amount into their wallet? what's uncomfortable about that?

woodser yes a website can coordinate that but that does not require a browser extension does it? the APIs are exposed and anything can consume them. how's that require a browser plugin? also, isn't multi-sig about to change greatly with CARROT (and become easier to use)? so the native multi-sig route becomes easier.

<s​iren:kernal.eu> That's because we are really behind. The pushback from all these "security experts" isn't helping either xD

the conveniene is not needing to get that address and amount into a separate application, but i don't know that's worth the expensive and potential vulnerabilities.

<w​oodser:monero.social> without a browser plugin, the user has to manually copy and paste snippets of text and input them into an external program to access those apis for a self-hosted wallet. it would be much better UX if all of that is transparent to the user, which a browser plugin would enable

woodser that's assuming coordination APIs don't exist. The same way the website needs to place the data that needs to be signed on the website in a format that the browser extension will recognize, it could also be exposed in APIs that a native application can understand.

so not seeing where the requirement of a browser wallet is, for multi-sig to exist

<w​oodser:monero.social> it would still require manual interaction, to copy that text into a native application, and monero's multisig requires multiple round trips at least currently

i am seeing the "convenience" point. i just don't' know that it's worth it

<w​oodser:monero.social> so the user would need to copy the text, paste into external application, get a result, copy that text back into the website, etc

335ɱ

for not having to get text into a separate application

native applications can also expose in understandable UX what the constuction of multi-sig wallets and transactions are.

<w​oodser:monero.social> the idea is to avoid having the user interact with cypertext at all, which is poor UX, and especially problematic in monero's multisig due to the back and forth requirements, repeated for each transaction, so it's not even a one time / direction thing

woodser haveno uses multisig, and the user is never exposed to the cyphertext. this is what i mean. in the same way that a website would be hiding the multi-sig process from the user by using this browser extension, is the same way they'd hide the cyphertext by using a native application.

<w​oodser:monero.social> you’d have to create a dedicated native application for each use case then, whereas a browser extension makes this a programmable component from any website

well an protocol would have to be established for the coordination. the same way that a format will have to be established that this browser extension understands. there's not much difference.

<r​4v3r23:monero.social> your using a defunct bitcoin wallet from like 2014 ad the basis of your arguement?

<r​4v3r23:monero.social> and then literalyl complain about qr codes being old lmao

<r​4v3r23:monero.social> monero is not defi - its digital cash

<r​4v3r23:monero.social> stop tryin fit it into boxes it doesnt belong

<r​4v3r23:monero.social> including "mass adoption"

<r​4v3r23:monero.social> no one will use it

<r​4v3r23:monero.social> exactly, the entire proposal is fluff

<r​4v3r23:monero.social> LMFAO 335 xmr to solve copy/paste???

<r​4v3r23:monero.social> and what protection do you have against address swapping or phishing?

<r​4v3r23:monero.social> no one copy/pastes addresses - scanning a qr is much simpler than anything spirobel is propesing here

<r​4v3r23:monero.social> theres no problem here to fix

<s​yntheticbird:monero.social> > no one copy/pastes addresses

<s​yntheticbird:monero.social> I in fact, copy paste addresses

<r​4v3r23:monero.social> then youre a hipster

<r​4v3r23:monero.social> must be a monerujo user

<o​frnxmr:xmr.mx> Xmrbazaar does multisig in the browser tho(?)

<o​frnxmr:xmr.mx> I copy paste addresses.. sometimes. But a browser wallet wouldn't solve thst, bcuz those addresses are coming from DMs.

<o​frnxmr:xmr.mx> When i make payments to merchants, i usually just click the "oay in wallet" button.

<o​frnxmr:xmr.mx> when i deposit to bsx, i scan a qr code. When i withdraw from bsx, i still have to copy/paste my non-desktop wallet address in

repo.getmonero.org isn't sending out confirmation emails for account creation cc: plowsof

<o​frnxmr:xmr.mx> Wooder, i meant to reply to this

<o​frnxmr:xmr.mx> norrin, thats normal

<o​frnxmr:xmr.mx> Send plowsof a dm with your email addr

<s​yntheticbird:monero.social> I in fact, copy paste addresses <<>> meow

<3​21bob321:monero.social> Censored

<w​oodser:monero.social> looks like xmrbazaar creates the multisig wallet by downloading the full wallet code to your device to do the multisig dance, which is another way to do it

<s​yntheticbird:monero.social> # Wooder

<w​oodser:monero.social> same way rino wallet worked

I have no wallet on my phone

<s​yntheticbird:monero.social> 28 seconds to send a message fuck monero.social

<3​21bob321:monero.social> Yeah

<3​21bob321:monero.social> Go slow today

matrix people should be used to this by now

Checking NorrinRadd

ok

<o​frnxmr:xmr.mx> Honestly no idea, because its proprietary

<w​oodser:monero.social> from their terms: "A 2-of-3 multisig wallet is generated in the user’s browser (via Monero JavaScript)"

<w​oodser:monero.social> that's cool, didn't know they were using that

Done.NorrinRadd

<r​4v3r23:monero.social> is nioc a bot

that would be n1oc :)

Revuo Monero Issue 233: March 23 - 30, 2025. revuo-xmr.com/weekly/issue-233

<1​23bob123:matrix.org> Fun fact plowsof, nioc is coin backwards

😮

<a​remor:matrix.org> There’s a thotbot in here also

Android just updated with quick share using a qr code

The future is here \o/

If a key to the proposed browser wallet is using multisig, does it make sense to wait until FCMP++ and Carrot are here as multisig is changing with them?

Alpha testnet coming soon^tm

<o​frnxmr:xmr.mx> Says in proposal that its going to he implementing FROST multisig (which is, i presume, the same as fcmp++)

<o​frnxmr:xmr.mx> Thats milestone 3 tho

Thx

<o​frnxmr:xmr.mx> Dont thank me, idk wtf i'm talking about. AI hallucination

It needs to be tested on the real deal which is not yet real

ofrnAI