Bitcoin Forum

Other => Off-topic => Topic started by: Piper67 on August 30, 2011, 01:44:56 PM



Title: an appeal to reason
Post by: Piper67 on August 30, 2011, 01:44:56 PM
An internet forum is probably not the place to ask that reason prevail, but haven't we flogged some dead horses enough? Allegations of child sexual abuse? Really, is that what this has come to?

Some really interesting, juicy stuff is happening with Bitcoin (ATMs, the lightning speed at which Bit-Pay resolved the question of donations, the JavaScript work being done by Stefan Thomas and so on).

It would speak volumes to the maturity of this forum, and of the Bitcoin community at large, if we could concentrate on those.


Title: Re: an appeal to reason
Post by: worldly on August 30, 2011, 02:29:18 PM
bump


Title: Re: an appeal to reason
Post by: Gabi on August 30, 2011, 02:34:17 PM
Reason is useless against trolls.


Title: Re: an appeal to reason
Post by: elggawf on August 30, 2011, 02:34:32 PM
Bitcoin-Charity also made their first actual cash donation to Medecins sans Frontieres (http://www.bitcoin-charity.com/donation-tracking/), which I think is good news.


Title: Re: an appeal to reason
Post by: Lucidize on August 30, 2011, 02:37:01 PM
I totally agree, but don't you think creating new threads about all this scandal is just fueling the fire? The people who do not already know about it will be going to search what the hell is going on and then it's just more muck-spreading.
The best thing to do is ignore it and the kids will get bored.


Title: Re: an appeal to reason
Post by: Gabi on August 30, 2011, 02:37:20 PM
A bunch of trolls are monopolizing the forum...


Title: Re: an appeal to reason
Post by: Tasty Champa on August 30, 2011, 02:48:23 PM
What is Stefan Thomas doing with JS?

Inquiring minds want to know!


Title: Re: an appeal to reason
Post by: Piper67 on August 30, 2011, 02:51:07 PM
Quote from: Tasty Champa
> What is Stefan Thomas doing with JS?
>
> Inquiring minds want to know!

I understand he's working on an online wallet, with encryption, that you'll be able to access from your handheld device and will be secure. Really, really cool stuff. www.bitcoinjs.org


Title: Re: an appeal to reason
Post by: elggawf on August 30, 2011, 03:15:26 PM
On the subject of Webcoin, I'll just leave this here (http://www.matasano.com/articles/javascript-cryptography/).


Title: Re: an appeal to reason
Post by: Piper67 on August 30, 2011, 03:19:02 PM
Quote from: elggawf
> On the subject of Webcoin, I'll just leave this here (http://www.matasano.com/articles/javascript-cryptography/).

Have you sent this to Stefan, elggawf? He does seem to know what he's talking about, and you seem to think this could be a potential problem. I'm sure you two (and the rest of us by extension) could only benefit from the discussion.

He's on here in the forums as well, if you can't find him, I could try and give it a go.

Cheers,


Title: Re: an appeal to reason
Post by: Bigpiggy01 on August 30, 2011, 04:10:19 PM
Good to see a bit of sanity here  ;D

I'll go cancel my order for paranoia meds on silkroad  ;)


Title: Re: an appeal to reason
Post by: teflone on August 30, 2011, 06:26:01 PM
IBB's First Official dividends payout :)

https://bitcointalk.org/index.php?topic=21732.msg489254#msg489254


Title: Re: an appeal to reason
Post by: elggawf on August 30, 2011, 06:44:43 PM
Quote from: Piper67
> Have you sent this to Stefan, elggawf? He does seem to know what he's talking about, and you seem to think this could be a potential problem. I'm sure you two (and the rest of us by extension) could only benefit from the discussion.
>
> He's on here in the forums as well, if you can't find him, I could try and give it a go.

Nah, I haven't. I just saw that the other day, and the Bitcoin JS thing this morning. I don't fully comprehend the security issues they're talking about, but basically as I understand it if someone can MITM the wallet site, then they can just send backdoored javascript for the crypto and the javascript crypto advantage disappears.

I'm not sure it even applies to the wallet site as it's implemented by Stefan (nor do I particularly care), but I just thought it might make for interesting, non-sordid conversation. :)


Title: Re: an appeal to reason
Post by: Piper67 on August 30, 2011, 06:45:09 PM
Quote from: elggawf
> On the subject of Webcoin, I'll just leave this here (http://www.matasano.com/articles/javascript-cryptography/).

Hey Elggawf:

I forwarded that article to Stefan on another thread, and he replied pretty quickly. I have to admit most of this is beyond my comprehension, as I'm not a programmer, but I decided to copy it here (and perhaps even send you his reply privately) so that you can go through it and see if there are chinks in the armour, so to speak.

Here's what he said:

The main point of the article is that if the server sent you the JavaScript, you're already trusting the server, so you might as well do the crypto stuff server side and use SSL for transmission.

Browser-based crypto is by no means our end goal, but rather a stepping stone. Here are some of the things I am working on or predicting:

Downloadable bundles. There is no reason you can't take the HTML/JS from bitcoinjs-gui, package it up as an AIR or xulrunner app and have people download and install it. It would then have the same properties as regular Bitcoin with respect to software delivery.

Software security device. If you have more than a few bitcents you can install a piece of software that moves your keys and the crypto outside of the browser. If you initiate a transaction within Webcoin or another client, the locally installed software will pop up a window showing the details of the transaction pending your final confirmation.

Building a dedicated software security device will also pave the way for:

Hardware security device. For even larger amounts no measure of software security will be sufficient. A hardware device with a display and internal signing would definitely be a major step forward.

Split key signing. Half your key is on your device, the other half is at a wallet hosting service. The service could offer any kind of verification you want: Yubikey, SMS, phone call, whatever. You'd probably set a daily limit. Under the limit you don't need any special verification. Note that you could have both keys as physical backups, so you wouldn't be dependent on the hosting service if they decide to randomly disappear one day.

Also I want to point out that the only part of BitcoinJS that this criticism affects at all is Webcoin. I know some folks are working on various native clients that use our server APIs, but could be implemented in Java, Objective-C, C#, etc.
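
Added example, not part of the thread and not BitcoinJS code: it illustrates the point in the reply above that code delivered by the server can only be checked against something the server did not also deliver, which is what an installed bundle provides. All names (`verifyInBand`, `verifyPinned`, `PINNED_DIGEST`) and the sample scripts are constructed for illustration, and the pinned digest is assumed to ship inside the installed bundle.

```javascript
const crypto = require('node:crypto');

// SRI-style digest string: "sha384-<base64>".
function digest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Constant-time comparison of two digest strings.
function sameDigest(a, b) {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Constructed sample: the response the wallet site intends to serve.
const GENUINE_JS = 'function signTx(tx, key) { return sign(tx, key); }';
const genuineResponse = { script: GENUINE_JS, claimedDigest: digest(GENUINE_JS) };

// Constructed sample: the same response rewritten in transit. Whoever can
// change the script can also change the digest that travels with it.
const ALTERED_JS = GENUINE_JS + ' /* changed in transit */';
const alteredResponse = { script: ALTERED_JS, claimedDigest: digest(ALTERED_JS) };

// In-band check: compares the script with a digest from the same response.
// It only proves the response is self-consistent, not that it is genuine.
function verifyInBand(resp) {
  return sameDigest(digest(resp.script), resp.claimedDigest);
}

// Pinned check: compares the script with a digest fixed at install time,
// obtained through a channel the network path cannot rewrite.
function verifyPinned(resp, pinned) {
  return sameDigest(digest(resp.script), pinned);
}

// Assumption: this value ships inside the installed bundle.
const PINNED_DIGEST = digest(GENUINE_JS);

function runDemo() {
  return {
    inBandAcceptsAltered: verifyInBand(alteredResponse),
    pinnedAcceptsAltered: verifyPinned(alteredResponse, PINNED_DIGEST),
    pinnedAcceptsGenuine: verifyPinned(genuineResponse, PINNED_DIGEST),
  };
}

console.log(runDemo());
```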


Title: Re: an appeal to reason
Post by: elggawf on August 30, 2011, 06:46:24 PM
Thanks for that response, I'll read it after lunch.

Update: Yeah, it's about what I figured he'd say, it sounds like he knows what he's doing - at least much more than I do. I would guess (extremely uneducated) that as long as the Webcoin stuff is delivered over HTTPS, that probably most of the article I posted really doesn't apply to Webcoin.

Then again though, I really gotta stress that I'm by no means an expert in that field.


Title: Re: an appeal to reason
Post by: norulezapply on August 30, 2011, 07:45:53 PM
This looks like a great idea but in practice I wouldn't trust it for handling any transactions or wallet data. Block exploring and stats would be aided greatly by this but on the security side of things this seems very susceptible to hacking and man-in-the-middle attacks.


Title: Re: an appeal to reason
Post by: Piper67 on August 30, 2011, 07:48:09 PM
Quote from: norulezapply
> This looks like a great idea but in practice I wouldn't trust it for handling any transactions or wallet data. Block exploring and stats would be aided greatly by this but on the security side of things this seems very susceptible to hacking and man-in-the-middle attacks.

Would you trust it as a way to hold the small amounts that you may use in day to day life? In other words, do you see it as being on a similar level of security as instawallet? Perhaps higher?


Title: Re: an appeal to reason
Post by: norulezapply on August 30, 2011, 08:01:29 PM
I haven't read into instawallet. If it was more convenient then I may store 0.5BTC or so. But in reality I can make payments just as easily with the official bitcoin client already, which is much more secure as it's not (browser delivered) JavaScript, so I'd just use that for peace of mind. I can see why it has advantages but I personally prefer security over usability.


EDIT: although saying that, there's nothing to stop someone injecting JavaScript into my browser via a MitM attack regardless of whether I'm using a bitcoinJS based site or not, so yes I think I would probably use it for micro payments.