Fair point. I was indeed supposing that Armory was getting the basic cryptography right.

Which makes it more flexible. Wallet software could apply it to every transaction from a given address, if that was desired.

Well, no. 2 factor authentication should mean two different kinds of things, such as a memorised password and a physical dongle; not one thing being an email and the other thing also an email (or web page, or whatever).

If they can fake the web page, they can fake the email addresses on it and send emails that are, or pretend to be, from it. As I said before, the gain in security seems so marginal that it is not worth changing the protocol for. (You may be realising how difficult changing the protocol is. The Bitcoin community is quite conservative.)

Both new and old approaches have the same problem, of waiting for a second contact that isn't likely to be more secure than the first contact.

I'm arguing that there is no good choice. The law of diminishing returns sets in too quickly. The benefit of, say, a 5 hour reversible period is minor - the hack can happen while you are asleep or distracted by work. The cost of having to wait 5 hours before an order is confirmed is quite high. Longer periods increase the inconvenience of waiting significantly, without increasing the security significantly. Plus there is now more complexity for vendors accepting bitcoin, and for users managing their wallet options.

My pleasure. I am still new enough to Bitcoin that I enjoy thinking and writing about it. I think many of the old hands have run out of patience with this (general) topic.

You could give the transaction an nLockTime, sign it, and send it to them. They then confirm receipt. When the nLockTime expires, they broadcast the transaction, and then dispatch your goods. If they don't confirm receipt, you create a new transaction that sends the same funds back to yourself. Then when nLockTime expires, it's too late, and the first transaction will be rejected as a double-spend.

I'm not sure how their confirming receipt is any less able to be faked than their sending you their payment address in the first place, but that's also a problem with your new protocol.

Your other scenario is someone hacking your wallet. One problem here is what do you set your reversible time to? If you set it to a short period, say 5 hours, you may not notice the hack quickly enough. If you set it for a week, the hack might happen when you are on holiday and you'll still miss it. If you set it for longer, then it becomes impractical to spend the coins normally because Overstock won't want to wait weeks for the transaction to become irreversible.

In summary, the benefits of your idea over what we already have seem too minor to be worth bothering with. You can also get forms of reversibility by using escrow agents, and you can get defence against hackers by using insured storage (eg, Elliptic Vault).

See for example, Ars Technica.

As I understand it, the approach is to install malware onto the PC that is doing the signing. This malware flushes the CPU's L3 cache, and waits, and then tries to access some code. If the code loads quickly, it means something else already used it. From this they deduce what code is running in the crypto-library, and from that they claim they can deduce the private key.

They mention needing "as few" as 200 attempts, as if each attempt extracted one bit. So if you only spend from a given address once, this attack doesn't get them very far.

I suspect it's not very practical in the real world regardless. Hopefully the libraries will be updated to negate it. We've been calling it the "SSL issue" because SSL is also vulnerable, and that's used far more widely than Bitcoin.

Address reuse is not affected by transaction malleability.

The SSL issue is a valid reason to avoid reusing addresses. (Specifically, to minimise the number of times you spend from an address - you can pay into it as many times as you want.) However, it's arguably less of a danger than key loggers. Either way, if the transaction signing is done by an offline Armory wallet, it will be difficult for an attacker to get their malware onto the same machine, and then difficult to get the leaked key information off so they can use it. Basically, this attack is another reason to use Armory offline wallets.

I don't think Armory does anything to encourage address reuse anyway. It has a checkbox for "Use an existing address for change", but it's unchecked by default.

No. Each wallet manages multiple addresses.

The wallet will create new addresses in a deterministic way, so paying-in addresses for an offline wallet will be the same as those generated by its watch-only online version. So avoiding reuse is usually as convenient as allowing it.

It can be, if you need a stable address to publish. Vanity addresses also get reused a lot. In those cases you don't much care about privacy anyway. If you need to reuse an address, feel free to do so.

Note that you can pay into an address as many times as you like without issue. It's only when you spend from it that the SSL attack comes into play, and even then it needs a lot of spends.

Privacy and security.

The privacy can be over-rated. In practice, all the inputs and one of the outputs for a given transaction probably come from the same wallet. Knowing this, an attacker can link addresses together even if they are "new". To get reliable privacy requires more knowledge and effort than is usually worthwhile. On the other hand, why make it easy for anyone?

The usual security reason given is that paying into an address only releases a hash of its public key, and paying out reveals the public key itself. Revealing the public key gives an attacker a theoretical advantage. In practice not enough to matter, but again, why make it easier?

I'd like this too. Essentially being able to use Armory as a brain-wallet.

The logic of a 51% attack not being an attack makes sense when we're talking about changes to the Bitcoin protocol, because that is a field where miners tend to be expert and have an vested interest. This logic does not apply voting as to whether coins are stolen. To establish theft ought to need days in court, evidence, a judge well-versed in law, and an attentive jury. Miners aren't going to be up for that. Their votes will based, at best, on little more than prejudice and what hearsay they may have read on the internet. (No offence, guys.)

Regulation is only one issue. Another is that part of Bitcoin's USP is that transactions are irrevocable. The mere possibility that the coins you paid me with might be taken away from me, or frozen, for any reason, would undermine the protocol even if the feature was never actually used. Therefore I confidentially expect most miners would vote against adding infrastructure to freeze coins. Even talking about it would undermine trust, if there were any chance you'd be taken seriously.

I think they will tax and regulate it, and that won't kill Bitcoin. Why should it? It doesn't kill cash. When a company pays in bitcoin, that payment will be on their books and available to auditors. Salaries paid in bitcoin will be taxed at source. It'll no more evade tax than perks like company cars do.

We'll have bitcoin credit cards, and that will be an improvement because it will be more secure. Currently to pay with a CC the information you give to the merchant is the same info they could use to steal from you. With bitcoin, making a payment does not involve giving the merchant your private key. It's better.

We'll see things like payment processors and charge backs layered on top of the core protocol. I think they'll be optional. If you want the extra consumer protection that the CC charge back system gives you, it should be you who pays for it, not the merchant.

It will be interesting to see which of the benefits of bitcoin turn out to be due to "cutting corners" on things like consumer protection, which are due to efficiencies such as re-using the internet infrastructure, and which are due to avoiding fat-cat monopolistic self-serving policies of credit card companies and banks.

It's safer to have two machines, one of which is never connected. Having one machine and unplugging it occasionally wouldn't add much safety.

Having a second, unconnected computer makes it harder for that computer ever to be infected by a keylogger; and if it is, it makes it harder for the hackers to get any information out. Whether this is over-kill depends on how much bitcoin you have. Arguably, you shouldn't hold more than you can afford to lose, in which case you may not need to bother with extreme precautions. Some people are betting big on bitcoin, and for them spending some money on a cheap notepad or similar, plus the hassle of ferrying a USB stick between devices, is worth the security.

(I've heard of people having a single PC with a dual boot to a second O/S, where the second O/S is offline. I guess that's an improvement over a single connected wallet, but without an actual air-gap I'd be concerned that the offline O/S would use the shared hard disk to communicate key-logger information to the bad guys.)

I read them as saying that's when they discovered the loss, but the loss itself might have happened earlier. Basically, they saw a lot of failed transactions, investigated and discovered the cause was transaction mutability and that it could have caused coin loss, investigated some more and realised they'd lost vastly more than those recent failed transactions.

And they don't know how the losses happened. Though they want to blame transaction mutability for the big losses, that's just a guess, and they seem aware it doesn't account for the loss of fiat money that has also happened. They mention "a variety of causes".

Does "online" mean a website? Or does "offline" mean cold storage?

I use Armory as hot storage, so I checked "other".

The usual ways. If I pay for a product in BTC, and the product doesn't get delivered, then the fact that I paid to the correct address can be proven, and proving non-delivery is the same as in non-bitcoin transactions.

For the reason I explained: because there would be restrictions on what could be done with them that wouldn't apply to non-stolen BTC. (Not now, but in a future where bitcoin is regulated by governments.)

Did you miss the point made by marcus_of_augustus : "In the realm of digital money it must be untraceable to be fungible" and anonymity being a consequence of being untraceable.

To go back to you original question and take a different direction:
Let's imagine that he protocol required every bitcoin address to be registered to a verified real-world name. Completely non-anonymous. Then everyone could tell, from the block-chain, where you spent your money. They'd know which supermarkets you used, whether you frequented pubs and off-licences, how much you spent at the chemist, whether you paid for porn. They could infer a lot more, such as whether you likely had a mistress across town. It would be a massive invasion of privacy.

I doubt a public block-chain would be acceptable to most people if it weren't anonymous.

I'm not disagreeing. Just elaborating on marcus_of_augustus point about fungibility and traceability.

It costs money to mine, so there needs to be some compensation specifically for miners.

One reason is that it allows permissionless innovation. Another is that it strips out a lot of the overheads. A third is that it decentralises. A (related) fourth is that it reduces the need to trust institutions. It reduces the power of governments and banks, and that's good, because power corrupts.

Mostly I see it as the next monetary system. I think crypto-currencies will be successful, and that Bitcoin is the crypto-currency most likely to "win". I'm aware of non-monetary applications, but they just don't seem as pressingly important.

Suppose instead that if you steal 2 BTC from me, that I can report the theft and get those coins black-listed, meaning they cannot be converted into pounds sterling (my jurisdiction): then those coins become worth a bit less. Even more so if Britain shares its blacklist with Europe and America. We can imagine a world in which most miners are required to refuse to accept transactions involving blacklisted coins, and where the "dark" miners that accept them also charge higher transaction fees.

That is the kind of evolution of Bitcoin that some governments seem to think is desirable for purposes of preventing money laundering. That is, to make it harder for wrong-doers to profit from their crimes. They may legislate to that end, and require miners and exchanges within their jurisdiction to conform. It would mean bitcoin would be less fungible.

They will get the mining revenue. If you accept that some people will mine for profit, surely it makes sense that others will mine for profit and to help secure the network?

The more honest people mine, the harder it is for dishonest people to get a significant fraction of the network. I think (and hope) we'll return to the original vision of a large number of miners, each with a small fraction of the network; but instead of the myriad miners being fan boys early adopters running mining rigs in their bedrooms, they will be corporations and governments. And this will happen because as those corporations and governments increasingly depend on Bitcoin, they will also look into mining and see it as a strategic need as well as a potential profit centre and good public relations.

The earlier post mentioned 20%. That to me seemed like a large percentage. Where-as if just 1% of miners are fraudulent, then the chances of a successful double-spend become quite low, compared to the meagre profit from ripping off the kind of merchants that would accept zero-confirmation transactions, and the cost of setting up the mining farm, and the damage to reputation when you get caught. I think we can get to a situation where it's irrational to try. I appreciate that doesn't mean no-one will, but it will be extremely rare.

I also appreciate you are saying that some merchants have such low tolerance for the risk that even "extremely rare" won't be good enough for them.

Do you not think large retailers might mitigate that risk by becoming miners themselves? If Bitcoin succeeds, I would expect many entities to be willing to devote some resources to mining, to make it harder for others to control a sizeable fraction of the network. With that goal, they don't need to make a profit, although any mining income will help defray the costs.

When you talk about a customer having an account with a retailer, that's not the same as a customer owning bitcoin. The account with a retailer is part of a "formal banking, brokerage, or business relationship established to provide for regular services, dealings, and other financial transactions" with that retailer. Bitcoin is more like cash. It's not a relationship with any one individual or institution. You might as well say dollars are an account you have with the American government and/or its people.

If you are saying I might have an account with my retailer that I settle in bitcoin, then I agree, but I suspect you are not saying that.

If they can take cash, and have an internet connection, they can take bitcoin. Bitcoin has many advantages over cash for the retailer and the customer. It has some caveats, but those can be managed. Loyalty cards and retail accounts will be layered on top of that, for those that find them convenient.

He's right, though; no-where on the weaknesses page does it say it is only listing a subset of weaknesses. It's not a comprehensive list, which is what people want to see.

See https://en.bitcoin.it/wiki/Weaknesses and https://en.bitcoin.it/wiki/Double-spending.