Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: dogisland on August 10, 2011, 12:53:06 PM



Title: The Kindle, Bitcoin and client side address generation. (StrongCoin)
Post by: dogisland on August 10, 2011, 12:53:06 PM
    I'd like to introduce StrongCoin. http://strongcoin.com/

    Sign up and click on New Account to see the address generator in action.

    ** Warning This is A Technical Preview, Don't send Bitcoins to the addresses you create **
    StrongCoin is now up and running.

    StrongCoin is yet another wallet service (YAWS) with a difference. I'm not storing private addresses on the server except in AES encrypted form.

    When you go to create an address in StrongCoin you currently have 2 options.

    1. Use the javascript account creator, this takes a password from you and AES encrypts the private key before sending it to the server.

    2. You can create a public and private key offline, encrypt the private key and submit to StrongCoin. I'm working with the developer of VanityGen to try and make this as simple as possible.


    The StrongCoin server has no way of knowing the password you used for your private key and can't decrypt your key. Also anyone that attacks our servers will not be able to access your private key as long as you've chosen a strong password.

    Coming Soon.


    1. Payments, I'm looking to create a javascript popup that will take your password, decrypt your private key and sign a payment all in the browser. Only the signed payment gets sent to the server.

    2. Offline payments, I'll be offering the ability to pass through payments created offline.

    3. Address book, for storing beneficiaries and their addresses.

    4. Email backup. I want to send an email after each account is created (or after a group of accounts) this will have your public key and encrypted private key. Therefore if anything happens to our service you will still have access to your funds.

    5. Payment and Address creation page signing. I'm looking for a way to show the user that no malicious code has been injected into the system.

    6. A popup keyboard. This will hopefully circumvent key loggers by allowing the user to click to enter a password. See http://www.greywyvern.com/code/javascript/keyboard

    7. Coming Soon - Address generation via a sentence. see https://bitcointalk.org/index.php?topic=35082.0


    Feedback


    I'd like to gather feedback if I may.

    How can I make this service better ? How can I address all the risks ?

    p.s. And yes it works on the Kindle browser, which is surely one of the safest environments to generate keys :)


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: matt.collier on August 10, 2011, 01:17:59 PM
    Great ideas here.  The Kindle angle is fantastic.

    The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

    Could you make your Javascript work with something like the yubikey (http://www.yubico.com/) for the purpose of generating a strong password?


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on August 10, 2011, 01:27:19 PM
    Quote
    Great ideas here.  The Kindle angle is fantastic.

    The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

    Could you make your Javascript work with something like the yubikey (http://www.yubico.com/) for the purpose of generating a strong password?

    Thanks Matt.

    I've given feedback to the user about the strength of their password. i.e. It gives an estimate of how long their particular password would take to brute force.

    I'm not sure how 2 factor authentication would help except perhaps for logging into the system itself. But let me have a think about it.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: pixelglow on August 10, 2011, 01:38:24 PM
    Interesting idea.

    If you don't know the private keys, how do you get the server to send out the payments on behalf of your clients? Are you using a custom bitcoind or the regular one? Even if you're using a custom bitcoind, at some stage your server must be in possession of the private keys in order to sign the outgoing transaction? Or are your transactions even signed on the client side and passed back to your server somehow to be sent out?


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on August 10, 2011, 01:42:42 PM
    Quote
    If you don't know the private keys, how do you get the server to send out the payments on behalf of your clients? Are you using a custom bitcoind or the regular one? Even if you're using a custom bitcoind, at some stage your server must be in possession of the private keys in order to sign the outgoing transaction? Or are your transactions even signed on the client side and passed back to your server somehow to be sent out?

    Yes, I want to sign the transactions on the client side. I'm looking to automate the mechanism described here https://bitcointalk.org/index.php?topic=35469.0

    As far as I can see I won't need a patched client.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: samr7 on August 10, 2011, 02:08:23 PM
    Quote
    The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

    Could you make your Javascript work with something like the yubikey (http://www.yubico.com/)?

    So far, all of the large-scale attacks against bitcoin sites were not aimed at individual accounts.  They were aimed at the central wallet for the site.  Yubikeys will make it hard for someone to clean out your account by stealing your password.  However, they won't protect you against a site-wide break that renders the site insolvent to pay back your account balance.

    StrongCoin, however, does not have a site-wide wallet, and keeps each account key encrypted with a separate password.  An attacker that manages to steal the account database will need to break the individual passwords.  Unless an attacker is targeting specific accounts with large balances known to be hosted by StrongCoin, the compute cycles will be better spent mining for bitcoins.

    That said, the security does heavily depend on users picking good passwords, and remembering them.  The site's address generator does have a calculator that gives an estimated cracking time, so hopefully it will foster good practices.

    Details about the encoding scheme are here (https://bitcointalk.org/index.php?topic=36195.0), along with a (small) password cracking challenge.
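
The trade-off discussed in the posts above (each account key encrypted under its own password, with security resting on password strength) can be made concrete by putting a salted, deliberately slow key-derivation step in front of the cipher. This is an added example, not part of the thread and not StrongCoin's actual encoding scheme; PBKDF2-SHA256, AES-256-GCM, the iteration counts, the blob field names and the attacker guess rate are all assumptions.

```javascript
// Added example: not StrongCoin's code or encoding scheme. All parameters are assumptions.
const crypto = require("crypto");

const KDF_ITERATIONS = 600000; // assumed PBKDF2-SHA256 work factor
const MIN_ITERATIONS = 100000; // refuse blobs that claim a weaker setting

// Constructed 32-byte sample value; never a real key.
const SAMPLE_PRIVATE_KEY_HEX = "00".repeat(31) + "01";

function deriveKey(password, salt, iterations) {
  return crypto.pbkdf2Sync(password, salt, iterations, 32, "sha256");
}

// Runs on the client; only the returned blob would be sent to the server.
function encryptPrivateKey(privateKeyHex, password, iterations = KDF_ITERATIONS) {
  const salt = crypto.randomBytes(16); // per-key salt: no shared precomputation
  const iv = crypto.randomBytes(12);   // fresh nonce for every encryption
  const key = deriveKey(password, salt, iterations);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([
    cipher.update(Buffer.from(privateKeyHex, "hex")),
    cipher.final(),
  ]);
  return {
    v: 1,
    iterations,
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Returns the key as hex, or null if the password is wrong or the blob was altered.
function decryptPrivateKey(blob, password) {
  // The blob comes back from the server, so a lowered work factor is rejected.
  if (blob.v !== 1 || !(blob.iterations >= MIN_ITERATIONS)) {
    throw new Error("unsupported or downgraded blob");
  }
  const key = deriveKey(password, Buffer.from(blob.salt, "base64"), blob.iterations);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  try {
    const pt = Buffer.concat([
      decipher.update(Buffer.from(blob.ct, "base64")),
      decipher.final(), // throws when the GCM tag does not verify
    ]);
    return pt.toString("hex");
  } catch {
    return null;
  }
}

// Rough strength estimate for a uniformly random password: on average half the
// keyspace is searched, and each guess costs `iterations` units of KDF work.
// rawOpsPerSecond is an assumed attacker rate, not a measurement.
function yearsToSearch(alphabetSize, length, rawOpsPerSecond, iterations) {
  const guessesPerSecond = rawOpsPerSecond / iterations;
  const expectedGuesses = Math.pow(alphabetSize, length) / 2;
  return expectedGuesses / guessesPerSecond / (365.25 * 24 * 3600);
}

const demoBlob = encryptPrivateKey(SAMPLE_PRIVATE_KEY_HEX, "correct horse battery staple");
console.log("stored server-side:", demoBlob);
console.log("wrong password rejected:", decryptPrivateKey(demoBlob, "guess") === null);
console.log("8 lowercase letters, years:", yearsToSearch(26, 8, 1e9, KDF_ITERATIONS).toFixed(2));
```

The estimate only holds for randomly chosen passwords; a password taken from a dictionary falls far sooner regardless of the work factor.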


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: matt.collier on August 10, 2011, 02:59:55 PM
    How does strongcoin.com make money or at least cover operating costs?


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on August 10, 2011, 03:14:52 PM
    Quote
    How does strongcoin.com make money or at least cover operating costs?

    I'm hoping to make money from charging a fee to process payments out. I'm not sure what that will be just yet but I'll probably start around the 0.01 BTC mark.

    Importing keys, key storage, exporting keys and viewing balances will all be free.

    There may be opportunities to add value with other services such as

    - paper wallet pdfs.
    - iphone/android app.
    - faster payments.

    The benefit of this service is you're not tied down to it. At any point you can take your keys and import them into another service. So I'm determined to make this the best online wallet service.



    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Hawkix on August 10, 2011, 05:26:31 PM
    Damn! You must be able to read my mind, cos I got through this idea a few days ago, when I thought what was wrong with MyBitcoin.com. Actually, I already started to look for good ECDSA JavaScript implementation for this.

    I think people definitely need a kind of "online-banking" with Bitcoin. This service, if done properly, will be a killer-app.

    Some of my tips (a vision of a good final site):

    - make it look like online banking
    - allow to name your addresses
    - allow to set description to transactions
    - allow for repeating payments
    - let the user create his own addressbook of other people addresses
    - dump and allow to print nice income/outcome lists
    - integrate an address shortener, so you can give a link to your address to your site
    - add an ability to save a backup (still encrypted, of course) of the keys at your site
    - when paying, notify that the transaction got broadcasted and later, confirmed



    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on August 10, 2011, 06:54:46 PM
    Quote
    Damn! You must be able to read my mind, cos I got through this idea a few days ago, when I thought what was wrong with MyBitcoin.com. Actually, I already started to look for good ECDSA JavaScript implementation for this.

    I think people definitely need a kind of "online-banking" with Bitcoin. This service, if done properly, will be a killer-app.

    Some of my tips (a vision of a good final site):

    - make it look like online banking
    - allow to name your addresses
    - allow to set description to transactions
    - allow for repeating payments
    - let the user create his own addressbook of other people addresses
    - dump and allow to print nice income/outcome lists
    - integrate an address shortener, so you can give a link to your address to your site
    - add an ability to save a backup (still encrypted, of course) of the keys at your site
    - when paying, notify that the transaction got broadcasted and later, confirmed



    That's great feedback thanks.

    There's a few I hadn't thought of there. And some ideas.

    For saving a backup I'm thinking of generating a PDF. A kind of paper wallet.
    I will incorporate a workflow loop into payments, so you'll see sent, broadcast and confirmed.
    Repeat payments might be difficult as I won't have the private key.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: BurtW on October 02, 2011, 06:55:45 PM
    First, I LOVE this site and idea.  It is exactly what we need to get non-technical people to learn about and start using Bitcoins.

    Here are a few bugs to report:

    1) Import Key Function, Import Mini Key drop down - Incorrectly calculates the private key from the mini key (probably a very simple math issue).

    2) Import Key Function - probably should change the action button from "Import Mini Key" to just "Import Key" since there are three different types of keys in the drop down.

    3) Send payment function - Typo.  "The amount ot send" should be "The amount to send"

    4) Instead of charging a set fee of 0.01 BTC for your service when I transfer coins I think it would be better for you and the customer if you charged a percentage of the transfer amount - maybe up to some maximum value.  Maybe 1% fee up to a maximum of 1 BTC (or whatever you decide).  The reason is I may want to send some very small amounts in the future like 0.0001 BTC which I could not do with your current system since it would cost me 0.01 to send 0.0001.

    5) Could you please let the customers (me) set the network transaction fee - instead of hardcoding it to 0.01 BTC?  As it stands now when I transferred 1.00 BTC you took your cut (0.01) which is OK with me (but I think it should be a percentage see above) and then you hardcoded another 0.01 for the network.  So it cost me 1.02 to send 1.00.  Please allow us to set the network transaction fee value to anything we want, including zero.

    Love your public key for transaction fees:  firstbits/1strongx.  How long did it take you to find it?  [BTW note that firstbits/1strong is a different address!!!]

    I would love to recommend this site as the easiest way to redeem physical money (physical coins, Bitbills, etc.) once you get the mini key issue fixed.

    Your web site is well done, very clean and a pleasure to use.  Thanks!

    I was going to send you a small donation but I do not see a published donation address anywhere and I don't want to send it to firstbits/1strongx since the current balance shows exactly how many transactions have been processed through your site so far (18 at 0.01 per transaction).


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Stephen Gornick on October 04, 2011, 05:39:04 PM
    Quote
    5) Could you please let the customers (me) set the network transaction fee - instead of hardcoding it to 0.01 BTC?  As it stands now when I transferred 1.00 BTC you took your cut (0.01) which is OK with me (but I think it should be a percentage see above) and then you hardcoded another 0.01 for the network.  So it cost me 1.02 to send 1.00.  Please allow us to set the network transaction fee value to anything we want, including zero.

    I don't know that it needs to be configurable by the user as that adds yet another variable to the mix.  Like with other ewallet services, it would be nice if the network fee was included in the wallet service's fee.  

    In my instance, without knowing that there was also a trx fee as well I kept getting an "insufficient funds" when attempting to spend all but the 0.01 StrongCoin fee and only when I finally entered an amount low enough did the transaction go through and then learned what the network fee ended up being.

    Additionally, it would be nice if I could pay no fee to move the funds from the imported account to another account on StrongCoin without a fee.  Let's say I have a physical bitcoin and by peeling the hologram to reveal the minikey I no longer can consider that key to be secure.  I might not wish to spend it right away, but I want it secured using StrongCoin.  StrongCoin will eventually receive a fee when I finally do spend the funds so allowing this account-to-account transfer lets me spend a physical bitcoin without having to pay a fee to StrongCoin twice.

    Fee issues aside, this is an EXCELLENT service!


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: BurtW on October 04, 2011, 05:53:23 PM
    I really like the idea from the previous post:  include the network fee inside your fee.  For example:

    Charge 1% of the transfer up to some maximum number (let's say 1BTC)

    Out of this fee you send let's say 10% on to the network and keep the other 90%

    These are just example numbers - you get the idea.

    Also +1 on no fees for transfers within my own accounts.

    You could also do a reduced fee or no fee for transfers between all of your own customers (kind of like the cell phone network's family plans) this could be used to bring in more customers.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on October 10, 2011, 01:59:45 PM
    Quote
    First, I LOVE this site and idea.  It is exactly what we need to get non-technical people to learn about and start using Bitcoins.
    1) Import Key Function, Import Mini Key drop down - Incorrectly calculates the private key from the mini key (probably a very simple math issue).

    This was fixed a few days ago.

    Quote
    2) Import Key Function - probably should change the action button from "Import Mini Key" to just "Import Key" since there are three different types of keys in the drop down.

    Fixed.

    Quote
    3) Send payment function - Typo.  "The amount ot send" should be "The amount to send"


    Fixed, thanks for pointing this one out.

    Quote
    4) Instead of charging a set fee of 0.01 BTC for your service when I transfer coins I think it would be better for you and the customer if you charged a percentage of the transfer amount - maybe up to some maximum value.  Maybe 1% fee up to a maximum of 1 BTC (or whatever you decide).  The reason is I may want to send some very small amounts in the future like 0.0001 BTC which I could not do with your current system since it would cost me 0.01 to send 0.0001.

    The fee is now 1%.

    Quote
    Love your public key for transaction fees:  firstbits/1strongx.  How long did it take you to find it?  [BTW note that firstbits/1strong is a different address!!!]

    Thanks, it took a few days. I wanted strongfee, but the estimate was 40 years !

    Quote
    Additionally, it would be nice if I could pay no fee to move the funds from the imported account to another account on StrongCoin without a fee.

    I'm looking into the best way to do this. As I don't have the private keys and I don't have a balance I would have to send the payment onto the network. So I would at least have to pay a fee to the miners. But perhaps I could swallow that.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: BurtW on October 10, 2011, 02:21:05 PM
    Fantastic!  I will check it out later today.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: TTBit on October 15, 2011, 10:20:41 PM
    Great service. Thank you.

    I had to use chrome instead of firefox 7.0.1 to import a private key, the "import" button would not activate. Probably an adblock or ghostery issue on my side, but thought I would point it out.

    Using it to hold dividend addresses for our GLBSE company.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Herbert on October 19, 2011, 11:25:26 AM
    So, are transactions supposed to work already?
    Around 30 minutes ago I made a payment. It is also visible in the GUI with this txid: 3b2a300ba7a65f79573b404863f37e0ebc2298312498bfe3613eff61d9faef7b
    But blockexplorer just keeps saying "no such transaction". Also the balance of my account is not reflecting the payment.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Andrew Vorobyov on October 19, 2011, 11:28:58 AM
    It did work a couple of days ago for me


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: sneak on October 19, 2011, 11:49:57 AM
    Anyone who thinks that doing client side crypto (here's looking at you, StrongCoin developers) adds any safety or security doesn't know how JavaScript works.

    I direct you to the excellent write-up on matasano.com, explaining clearly why doing crypto on the clientside is a waste of time:

    http://www.matasano.com/articles/javascript-cryptography/

    It's also worth noting that StrongCoin sources javascript from both Google -and- Twitter, enabling either of those organizations (or anyone who obtains a certificate for either of those organizations, or anyone if SSL is not used) to completely subvert this "secure" clientside crypto.
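
One mitigation for the third-party script dependency raised in the post above is to pin a hash of every externally hosted script (the browser feature is Subresource Integrity) and to audit pages for external scripts that lack one. This is an added example, not part of the thread and not StrongCoin's code; the hosts, page markup and script body are constructed, and the helper names are hypothetical.

```javascript
// Added example, not StrongCoin's code. Hosts, markup and script bytes are constructed.
const crypto = require("crypto");

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build the value for a <script integrity="..."> attribute.
function sriFor(scriptBytes, algo = "sha384") {
  const digest = crypto.createHash(algo).update(scriptBytes).digest("base64");
  return `${algo}-${digest}`;
}

// An integrity attribute is a whitespace-separated list of "algo-base64" tokens.
function parseIntegrity(attr) {
  return (attr || "").trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
}

// Only hashes of the strongest listed algorithm count; any one of them may match.
// Browsers ignore an attribute with no recognised hash; this checker fails closed.
function verifyIntegrity(scriptBytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH[e.algo]));
  return entries
    .filter((e) => STRENGTH[e.algo] === best)
    .some((e) => sriFor(scriptBytes, e.algo) === `${e.algo}-${e.digest}`);
}

// Flag cross-origin <script src> tags that are unpinned or not fetched over HTTPS.
function auditScripts(html, pageOrigin) {
  const findings = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const get = (name) => {
      const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
      return m ? m[1] : null;
    };
    const src = get("src");
    if (!src) continue; // inline script, served by the page itself
    const url = new URL(src, pageOrigin);
    if (url.origin === new URL(pageOrigin).origin) continue; // first-party file
    if (url.protocol !== "https:") findings.push({ src, issue: "not loaded over HTTPS" });
    if (parseIntegrity(get("integrity")).length === 0) {
      findings.push({ src, issue: "no integrity hash" });
    }
  }
  return findings;
}

// Constructed stand-in for a vendored library and a page that loads three scripts.
const PINNED_SCRIPT = Buffer.from("function sign(tx){ /* constructed library body */ }");
const SAMPLE_PAGE = `
<script src="/js/wallet.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="https://widgets.example.org/button.js"
        integrity="${sriFor(PINNED_SCRIPT)}" crossorigin="anonymous"></script>`;

console.log(auditScripts(SAMPLE_PAGE, "https://wallet.example"));
console.log("tampered copy accepted:",
  verifyIntegrity(Buffer.concat([PINNED_SCRIPT, Buffer.from(";evil()")]), sriFor(PINNED_SCRIPT)));
```

A pinned hash constrains only the third-party file. The page carrying the `integrity` attribute still comes from the wallet's own server, so this does not address a compromised or malicious first-party server.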


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Andrew Vorobyov on October 19, 2011, 12:08:33 PM
    BS...
    1. Nothing can be sniffed here... ( signed transaction that will be public in several minutes )
    2. Google will not change source code of JQuery on CDN just because some strongcoin is linking to it.
    3. Some of the aspects of the article do not relate to our matter... (The problem is, having established a secure channel with SSL, you no longer need Javascript cryptography....)


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Herbert on October 19, 2011, 12:15:47 PM
    Quote
    So, are transactions supposed to work already?
    Around 30 minutes ago I made a payment. It is also visible in the GUI with this txid: 3b2a300ba7a65f79573b404863f37e0ebc2298312498bfe3613eff61d9faef7b
    But blockexplorer just keeps saying "no such transaction". Also the balance of my account is not reflecting the payment.

    Okay, now transaction is through! But it took quite some time to show up...


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Andrew Vorobyov on October 19, 2011, 12:16:27 PM
    It's a killer!!! No block chain hassles... no wallet.dat problems... accessible from mobile.....  I will be doing my version of it soon.... Good luck guys!...


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on November 06, 2011, 05:14:30 PM
    Quote
    I'm having this problem too, how long do transactions take to get into the network?

    Hi Peter,

    Typically you would see your account balance update after the transaction has been picked up by a block. (10 mins max).

    I have an issue at the moment where if someone makes 2 payments in succession before the first payment hits a block then it acts as a double spend.

    This is due to the nature of the way I have 1 key pair for each account. I'm going to add a fix to the GUI that will allow multiple payments in 1 transaction.

    I'm also going to add code that will re-try a transaction if it doesn't get into a block.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: BurtW on November 07, 2011, 03:10:53 AM
    Here is a typical transaction at http://blockexplorer.com/tx/62ab321ced852b835615d0a16dd5cea661b6741a37a5f96657a2a9474a4332e0

    I asked to send 0.25 BTC to http://bitlotto.com to enter into the next bitlotto drawing.  You can see my account 1BurtWEejbnKeBRsvcydJvsNztB1bXV5iQ started with 2.49 BTC and you can see the 0.25 going to 123MZyiPrNPRuwxTMcTGhp9EAixrNETqDV (the address for the Dec 7 drawing) and also 0.0025 going to 1STRonGxnFTeJiA7pgyneKknR29AwBM77 (the strongcoin commission address).  0.0025 was paid to the miners and remainder goes back into 1BurtWEejbnKeBRsvcydJvsNztB1bXV5iQ

    So 2.49(start) - 0.25(bitlotto) - 0.0025(strongcoin) - 0.0025(miners) = 2.235(remaining)

    So the commission and fee are deducted on top of your request.

    Burt


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: BurtW on November 07, 2011, 03:45:43 AM
    Quote
    Hi Peter,

    Typically you would see your account balance update after the transaction has been picked up by a block. (10 mins max).

    I have an issue at the moment where if someone makes 2 payments in succession before the first payment hits a block then it acts as a double spend.

    This is due to the nature of the way I have 1 key pair for each account. I'm going to add a fix to the GUI that will allow multiple payments in 1 transaction.

    I'm also going to add code that will re-try a transaction if it doesn't get into a block.

    I was one of your customers that reported the payment rejection scenario and because of it I have a couple of rejected transactions in my transaction record.  Could you please provide for a way for me to delete these rejected transactions?  Also I am very concerned that any new retry code NOT retry these transactions as I no longer wish them to be transmitted (they are over a month old).  So please allow me to delete them or please delete them yourself from the database before you implement any retry code that may retry them.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on November 07, 2011, 09:31:47 AM
    Quote
    I was one of your customers that reported the payment rejection scenario and because of it I have a couple of rejected transactions in my transaction record.

    I won't be re-trying old transactions and I'll add a delete transaction link. That will hopefully be ready this week.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: dogisland on November 07, 2011, 09:32:43 AM
    Quote
    I am confused, does the fee come out before or after sending? As in, if I type in 2.5 with a fee of .025, does 2.5 get sent to the recipient, or do they only get 2.475?

    Yes, it is added on top of the amount you want to pay. I'll make this more clear by providing a total as well as a fee field.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: GoWest on November 07, 2011, 03:04:07 PM
    This is brilliant.  The community has been waiting a long time for a service like StrongCoin.

    http://www.thebitcointrader.com/2011/11/bitcoins-killer-app-is-here.html


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: sethsethseth on November 07, 2011, 06:51:08 PM
    This is so awesome.  I'm telling everyone about it.  How do I clear out a wallet though?  For example, say I have 100btc, I can't withdraw 100, I have to do 99.0099 or something.


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Andrew Vorobyov on November 07, 2011, 06:54:54 PM
    Quote
    This is so awesome.  I'm telling everyone about it.  How do I clear out a wallet though?  For example, say I have 100btc, I can't withdraw 100, I have to do 99.0099 or something.

    Every good question has an answer in it..  :D


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: matonis on November 17, 2011, 04:43:50 AM
    StrongCoin represents the future of online ewallets, especially for merchants. It is the bitcoin version of Hushmail for secure messaging which has been using java-based key gen and hashing for over 12 years.  http://www.hushmail.com/about/technology/how-it-works/

    Also, see the Hush Encryption Engine White Paper http://www.hushmail.com/about/technology/


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: ineededausername on December 27, 2011, 11:41:50 PM
    Why is strongcoin so slow when it comes to sending multiple transactions at once?  I heard on the lending forum that the first tx gets broadcast and the other ones have to wait.
    (sorry for thread necro..)


    Title: Re: The Kindle, Bitcoin and client side address generation. (StrongCoin)
    Post by: Red Emerald on December 28, 2011, 01:14:58 AM
    I just got a kindle.  Loading strongcoin.com works although the browser is slow.