Bitcoin Forum

There are many projects with bitcoin. There are many different sites such as gambling sites, trading sites, credit sites. Users send bitcoin to these sites. The bitcoin volume on the sites can be may high.

How do these sites provide bitcoin security? What are the characteristics of the servers they use? They can take security measures in a software sense. But a person working in the hosting company can play bitcoins.

What protection do these sites use for security?

That actually is an interesting question.

I would say, apart from well codes software and secure high-end servers, they use one-time deposit addresses, hot wallets. Most of the user funds are kept in cold storage, which is afaik the safest way of storing bitcoins. Many sites have also started using hardware wallets such as Trezor to keep funds safe.

Continuous instant transactions are being made on stock exchange sites. What happens when a user swaps a large amount? Such sites need automatic processing.

Of course they need automatic processing. They have custom made scripts for automatic processing, but you won't find any information on that I'd assume. What is your question here? Every site that handles bitcoins (or atleast the vast majority of them) have automatic processing on deposits and withdrawals.

You said that the sites kept bitcoins as cold storage for safety.
If bitcoins are stored as cold storage, how do users exchange, deposit and withdrawals for bitcoin.

Just use the cloud flare to protecting these sites from DDOS attack. But it seems like make the site has become unsecured caused by the packet data must be passing the cloudflare database. and Some days later with the issue on cloudflare it makes all of the bitcoin site unsecured.

I asked for a site with software and system security.
How do we protect Bitcoins from the employees of the hosting company?

Yeah, you would not except that whoever have a wallet is going to come to this forum and tell you how they are keeping a secure system, it is like giving you a key to the local bank, I am sure if they do someone out there is going to try and hack it.

As I know btc site using web based page so it will verified depend on the site

For example bitcointalk using COMODO RSA Domain Validation Secure Server CA so people worried no more when they try to access the site

The hosting company has access to all the private keys of Bitcoins in their possession or vault hence they can employ any form of security so that such information will be protected by the appropriate financial officers in order not to leak to ordinary employees who might unethically try something funny. I know that will be kept at the top level of management but the method of protection might differ from company to company.

I do not know about it, because there are an awful lot of companies or sites that use this type of security. But for sure they are using a very strong security and it has a vulnerability that's hard enough when the hackers did not find loopholes via Hardware Security. Because as nice and perfect a system, if a hacker manages to take over the system hardware will surely crumble and successfully exploited. So, you need not worry for security against sites that already have many customers. For they will surely give the best security
 

You need to secure your website from many things such as bots, DDoS, hackers or malware. Even some small websites that don't matter much are getting these types of attacks, so it's pretty common to have a good security no matter what website you're running. You probably need to pay a subscription to companies that offer you such services, but for Bitcoin websites you need extra security for the money that's being stored and so on, so that no hacker has access to any resource.

I don't have private keys on the webserver.

Some people use deterministic keys on the server but I don't even do that.

I generate keys on a non-connected PC using my own algorithm involving a seed and a salt, sign the addresses with libsodium, and then upload to a database the server fetches from.

The server then verifies the signature (so it knows a hacker didn't inject the address, never happened to me but...) before offering it as a payment address.


(hexsk is hex signing key, m is message - which in this case is the base58 address, I can there verify on the web app with the libsodium php PECL module)