
Showing 7 of 7 results by cleric
Board: Gambling
Topic: Re: Security?
by cleric on 14/02/2013, 20:27:33 UTC

hey, yeah I'm aware of this, I do know what https is and what it is for :)
Sorry, I didn't mean to offend you. I have no doubt you know all that, but since the post will probably be read by other people, I wrote it in a more detailed manner, so they could know what we are talking about :)
Board: Gambling
Topic: Security?
by cleric on 14/02/2013, 12:59:17 UTC
Hello,

I would like to report a possible security hole in the current scheme of things.

The idea to use only 'url with secret' for logging in is neat but not entirely safe because the web server uses plain http with no encryption.

Let's say you open the site for the first time and it gives you a secret like http://minefield.bitcoinlab.org/?secret=fngrOdO23tDOTuPW
Then you deposit some btc.
If someone is sniffing the traffic it is fairly easy to extract the GET /?secret=fngrOdO23tDOTuPW string from the HTTP request. Then he simply needs to open the site with that secret and he can withdraw the btc to an address of his choice.

I can mention two solutions.

1/ Get an https certificate and then run the website over ssl/tls. This will resolve the sniffing problem since all traffic would be encrypted.

2/ Make withdrawals possible only to addresses from which deposits were received. But on second thought this is not very secure either. A hacker could break into your account, deposit a minimal amount of btc and after the deposit is confirmed (and the sending address accepted as viable for withdrawal) the hacker requests the whole amount to his address.

Best~
Board: Beginners & Help
Topic: Re: Newbie restrictions
by cleric on 14/02/2013, 11:01:59 UTC
I hope that would be useful
Board: Beginners & Help
Topic: Re: Trust No One
by cleric on 14/02/2013, 10:57:02 UTC
Some people remember in their heads a long pass phrase which is the seed for their wallet. From that seed all their private/public keys can be generated. In this way the private keys are stored nowhere in the network, nor on your local machine. The needed private keys are generated from the seed each time you need them.
Board: Beginners & Help
Topic: Re: HOWTO: create a 100% secure wallet
by cleric on 14/02/2013, 10:49:02 UTC
Thanks :)
I wonder if it would be too hard to teach my grandma to use a bitcoin wallet :D
Board: Beginners & Help
Topic: Re: Newbie restrictions
by cleric on 14/02/2013, 10:43:24 UTC
need to post something about the http://minefield.bitcoinlab.org
I think there is a security flaw
Board: Beginners & Help
Topic: Re: Introduce yourself :)
by cleric on 14/02/2013, 10:39:04 UTC
Hello and Freedom for All !