Bitcoin Forum

Bitcoin => Project Development => Topic started by: jordan.dev on May 05, 2013, 07:36:29 PM


Title: Hosted Wallet Security Checklist
Post by: jordan.dev on May 05, 2013, 07:36:29 PM
I want to start a service that offers a hosted wallet, since this is an integral part of almost every Bitcoin related business business, I think it's wise to try to get a security checklist going to ensure to the best possibility the security of the user's funds, and the integrity of the business for customers and investors alike.

Basic permise of the service: webapp that connects as a client to a bitcoind server

Ps. if there is a more comprehensive guide somewhere I'd like to read it!

I'll get it started and add people's suggestions here:

Web-app
  • Ruby on Rails, though given valid expliot concerns it may have to be limited to later just a UI and nothing else. (No direct access to bitcoind wallet)
  • SSL
  • 2 Form-authentication for users

Bitcoin Wallet (Bitcoin JSON-RPC server)
  • SSL Certificate and strong password in request made from web-app to JSON RPC Server
  • Closing all firewall ports except JSONRPC on Bitcoind server
  • Bitcoind running on Ubuntu 12.04, with 1 ssh-key for shell access

Wallet Itself (security of wallet.dat, hot-wallet, cold-storage etc.)

Title: Re: Hosted Wallet Security Checklist
Post by: aantonop on May 05, 2013, 07:45:52 PM
It takes a lot more to secure a hosted wallet than what you suggest here. Is this intended to be an open source project, kinda like blockchain, only open?

If so, that's a good idea.

If you want to do this as a business, you will need a lot more experienced security people to help you or this will quickly become a capture-the-flag platform for hackers.

Title: Re: Hosted Wallet Security Checklist
Post by: jordan.dev on May 05, 2013, 07:55:13 PM
I guess I should mention that the hosted wallet isn't the core of the business - and I am not opposed to investing in talented security professionals to help secure the service in the future.

I know there are A LOT MORE than the initial list.

I wanted to start this thread as an open forum for developing a longer, more complete list of security precautions based on contributions.

As far as open source, that would be great if there was a set of known security protocols that everyone agreed were minimum MUST HAVEs to even be considered secure.

Quote from: aantonop on May 05, 2013, 07:45:52 PM
It takes a lot more to secure a hosted wallet than what you suggest here. Is this intended to be an open source project, kinda like blockchain, only open?

If so, that's a good idea.

If you want to do this as a business, you will need a lot more experienced security people to help you or this will quickly become a capture-the-flag platform for hackers.

Title: Re: Hosted Wallet Security Checklist
Post by: gweedo on May 05, 2013, 08:00:24 PM
Maybe I can license you some of my programs I use behind my scenes to make bitcoind a lot more secure on a stock bitcoind. PM me if interested.


Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines