Bitcoin Forum
Author Topic: What if a watching only wallet gets compromised....  (Read 694 times)
leemar (OP)
June 05, 2016, 12:41:18 PM
 #1

..... are you vulnerable to someone brute forcing the password encryption on the watching only wallet.dat file (if that is a thing).  Or is that not sufficient to steal funds?
goatpig
Armory Developer
June 05, 2016, 12:48:18 PM
 #2

Quote
..... are you vulnerable to someone brute forcing the password encryption on the watching only wallet.dat file (if that is a thing)

It isn't a thing. WO wallets cannot currently be encrypted, and they only carry public data.

wallet.dat is Bitcoin Core's wallet format, which Armory does not use nor depend upon. Losing Core's wallet.dat is an issue, as those carry private keys.

Armory's .watching_only.wallet files only carry public data. Compromising this file will leak your privacy. Any attacker can also choose to swap addresses in that file for his, so that you would serve his addresses instead of yours to receive payment.

Armory checks the consistency of all public data in wallets at start to prevent this sort of attack vector (and data corruption in general, never know when a disk/stick of ram might fail).

leemar (OP)
June 05, 2016, 12:59:56 PM
 #3

Thanks goatpig.

So to confirm. What would be leaked, and how are they able to create substitute addresses without the seed?
goatpig
June 05, 2016, 02:07:07 PM
 #4

Quote
What would be leaked

All public keys and attached addresses that the wallet can have + any comments you left in there.

Quote
and how are they able to create substitute addresses without the seed?

The whole idea is to not use the wallet's deterministic chain. That would not benefit the attacker.

Replacing one of the addresses on the chain with the expectation the user will just trust content of the wallet is where the attack surface lies. Armory mitigates that threat by making sure all public data it reads from wallet files are derived from the wallet's public root key before it gets to sit in the RAM. It will also angrily warn you about inconsistencies if it finds any (it will literally harass you every run until you fix the wallet).

The new wallet format will introduce an even more robust approach in this regard.

leemar (OP)
June 05, 2016, 02:33:05 PM
 #5

Thanks for the explanation on that attack vector, very helpful.

Quote
All public keys and attached addresses that the wallet can have + any comments you left in there.

At the risk of sounding really dumb, does the fact that the hacker can match the public key to the addresses in the wallet make a brute force attack on existing address balances more likely?
goatpig
June 05, 2016, 02:38:38 PM
 #6

Quote
At the risk of sounding really dumb, does the fact that the hacker can match the public key to the addresses in the wallet make a brute force attack on existing address balances more likely?

What you are talking about is trying to brute force the private key from the public key (something you can't really consider if you only got the hash of the public key, in the case of addresses). If such an attack vector was credible, the network would have changed curve.

achow101
June 05, 2016, 02:44:45 PM
 #7

Quote
Thanks for the explanation on that attack vector, very helpful.

Quote
All public keys and attached addresses that the wallet can have + any comments you left in there.

At the risk of sounding really dumb, does the fact that the hacker can match the public key to the addresses in the wallet make a brute force attack on existing address balances more likely?

No. The point of a public key is to be public and shared with others without revealing the private key. The address is derived from the public key so it too can be shared. If it were possible to derive the private key from the public key, then the entirety of Bitcoin would be broken and there would be a massive problem not just with Armory but with Bitcoin itself.

All that would happen if someone got your watching only wallet is that he would be able to see every single transaction you make. At worst it is just a privacy leak for you.

leemar (OP)
June 05, 2016, 02:46:15 PM
 #8

Thanks guys.  

Good luck with the ongoing work goatpig, it is much appreciated.

Let us know if you are taking donations yet.