Technically, it does run offline. If you pop open your developer console, you'll notice it isn't making any requests. All of the wallet generation is done on client side, no public address or private key ever touches our server. After the page loads, it'll still work with no internet connection.
I think both IE and Firefox has an "all in one" archive format for a webpage that includes all the external files and can run directly from the single file.
That would be a neat alternative.
But I think they built a website for the traffic, not to give away their work.
This can run offline if you download all the files, as all the computation is done client-side.
However due to the use of require.js (http://requirejs.org) the script files aren't directly linked from the main page. You need to grab the following files, put them in their respective directories locally, and then edit the main page so all the src and href attributes are relative rather than absolute to root (e.g. src="js/lib/require.min.js"):
And there you have it, a nifty offline wallet generator without the risks of running code that could change unexpectedly (especially as there is no https version so greater risk of MITM).
I agree with the other comment that says that the only good wallet generator is one that runs off line but even if you wanted to use an online one this site isn't even secured with HTTPS no way I would trust this for anything.
If you watch your browser you can see if it does or doesn't. You only need trust your browser at that point.
If you don't trust your browser, you can monitor network activity as the OS level. Should provide a pretty good assurance.
That said, I still wouldn't use it without (a) a private browser window, (b) taking the machine offline, and (c) killing the browser before going back online. Unfortunately, I don't think most people who will use this will do such a thing.
(And I'm still not sure I'd trust it for any really serious work.)
I assumed it didn't, if it did that would be even worse. The problem assuming you trust the creators of that site is that since the connection is unsecured the javascript could be modified for a compromised version w/o you knowing. Even if you watch your connection like a hawk and make sure it doesn't send any data out it could generate a key that might look random but is really based on some shared secret only the attacker knows.
- no link to a Github repo where I can download it
- no randomization function to seed the generator
Additionally, I think best practices should dictate none of these paper wallet generators should display their functionality while they are connected to the Internet. All of us have a duty to build software that is secure and has clear intent. Users get confused easily.
As an aside, I gave the retired couple next door a paper wallet last night for letting me borrow their printer. I put $10 on it for ink. The husband is an ameuter astronomer and used to code, so he's technical. The wife said she's been watching for news about Bitcoin. She said that she heard something about "that mount place" and hoped they were OK. I told her to get some popcorn.
Why does this matter? You'll need to get the code somehow, and once its on your machine, it doesn't make any requests. You can take a look at the code to find out if its malicious or not.
You can still verify that it's not communicating. Browser (and/or OS tools) will show that easily.
What you can't verify easily (without inspecting the source through your browser) is that the keys its giving you are brand new. Figuring that's a bit more involved--and you'd have to do that every time you load the page. Which really kills the ease of using a website.
