Bitcoin Forum
Poll
Question: Your Blockchain Wallet Experience?
Good - 25 (92.6%)
Bad - 2 (7.4%)
Total Voters: 27

Author Topic: Blockchain Wallet Review  (Read 11747 times)
sdfgsdfgdfg
April 07, 2013, 03:41:49 PM
 #1

What do you think of the Blockchain Wallet?
AllergicRacoon
April 07, 2013, 04:26:24 PM
 #2

Best online wallet IMO, especially because you can download your keys.
whiskers75
April 07, 2013, 04:38:24 PM
 #3

Personally, I love blockchain.info and don't use any other wallet. :)
It is encrypted by default and is very secure.
blockchain.info NEVER touches unencrypted keys - only your computer does.
Plus - no blockchain downloads, and total address and key control! :D

jkroll
April 07, 2013, 04:43:27 PM
 #4

It is good except for if you are sending or receiving tiny amounts of money because of the fees.
whiskers75
April 07, 2013, 04:50:15 PM
 #5

Quote
It is good except for if you are sending or receiving tiny amounts of money because of the fees.

Those are bitcoin tx fees.
NOT blockchain.info's fault! :)

sdfgsdfgdfg
April 08, 2013, 01:43:03 PM
 #6

whiskers75, the total control might not be as total as we think. As a matter of fact, the owner of the wallet does not have any security control at all. All bitcoin addresses (except for the Watch-Only) are generated by the service and managed by the service. What it means is that private and public key pairs for every address are managed by the service and can be used by the service as needed. The user can export the private key as a proof of the transaction(s) but doesn't really have total control over the keys.

The Watch-Only bitcoin address can be imported and used to receive bitcoins only. If one wants to send bitcoins using the Watch-Only address, one has to provide the private key, which implies breach of control over the private key. What do you think?

P.S. Is there any forum here dedicated to the blockchain service?
DannyHamilton
April 08, 2013, 03:20:19 PM
 #7

Quote
- snip -
All bitcoin addresses (except for the Watch-Only) are generated by the service and managed by the service. What it means is that private and public key pairs for every address are managed by the service and can be used by the service as needed. The user can export the private key as a proof of the transaction(s) but doesn't really have total control over the keys.
- snip -

You are mistaken.  The bitcoin addresses are generated by the user (with javascript in their browser), and managed by the user (with javascript in their browser).  The private keys are encrypted using javascript in the user's browser with the user's password before being sent to "the service".  What it means is that private keys for every address are managed by the user and unknown to the service.  Those private keys can be used by the user as needed, but cannot be used by the service.

sdfgsdfgdfg
April 08, 2013, 03:45:14 PM
 #8

Danny, you are right with regard to how it's generated. I am playing Devil's Advocate in order to understand the process. Yet, just because the addresses and the keys are generated on the client (browser) side, it does not imply that the client has control of it. Bottom line is that all the information is stored on the server side; passwords, addresses, keys. And this is the breach of the security. If the service, for whatever reason, decides to take your money, it can, for it has the technical means to do so. In the final analysis, the service keeps all the cards.

The only way to secure your coins is to receive bitcoins using the Watch-Only address (this is the only scenario in which the service does not have the private key) but even in this scenario the service can move your coins using another address. Any thoughts?
leijurv
April 08, 2013, 04:34:56 PM
 #9

Quote
Bottom line is that all the information is stored on the server side; passwords, addresses, keys.

Actually, no. The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript when you enter in your password. The server never has the unencrypted version.

sdfgsdfgdfg
April 08, 2013, 05:09:41 PM
 #10

Quote
The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript.....

Are you referring to the main or secondary password? Because the service does have the main password, if for anything it has it for login verification. Unless I am missing the point here. What I think of logging into the blockchain service is actually decryption of wallet information on the client side. Is it the case? It's easy to verify it: disconnect your computer from the internet prior to typing the password. I will give it a try. Will let you know.

The secondary password is optional, so I don't understand how the encryption/decryption with the secondary password could be done if a user has not generated the optional secondary password.
mrfixit
April 08, 2013, 05:18:16 PM
 #11

Quote
The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript.....

Are you referring to the main or secondary password? Because the service does have the main password, if for anything it has it for login verification. Unless I am missing the point here. What I think of logging into the blockchain service is actually decryption of wallet information on the client side. Is it the case? It's easy to verify it: disconnect your computer from the internet prior to typing the password. I will give it a try. Will let you know.

The secondary password is optional, so I don't understand how the encryption/decryption with the secondary password could be done if a user has not generated the optional secondary password.

I haven't looked to be sure, but most reputable places that care about security do not store plaintext passwords, so I would imagine that Blockchain does not have your main password. Typically, they'll store a hash (or salted hash) of your password. Your password can be bruteforced (so a longer password will make it more secure) but the original password is likely not stored as plaintext and thus not retrievable without bruteforcing. I'm not sure how they go about dealing with two-factor authentication though.
sdfgsdfgdfg
April 08, 2013, 05:32:54 PM
 #12

Quote
I'm not sure how they go about dealing with two-factor authentication though.....

I just tested it. Unfortunately, I have 2-step verification, so the client side has to connect to the service to verify the verification code. Therefore, I failed to open the wallet while my system was disconnected from the web.
DannyHamilton
April 08, 2013, 07:01:00 PM
 #13

Quote
The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript.....
- snip -
the service does have the main password if for anything it has it for log in verification.
- snip -
I haven't looked to be sure, but most reputable places that care about security do not store plaintext passwords,
- snip -

Correct.  Blockchain.info does not have your password.  If you lose your password and call them, they will be unable to "reset" it or to tell you what it is.  Your bitcoins will be lost until you can remember what your password is.

For login verification, your password is salted and hashed in the browser, and this hash is sent to (and stored on) the server.  Since the hash is not reversible, it is not possible for the service to access your bitcoins.

Yes, a dictionary attack is possible if you don't use a complex enough password, but that is also true if you use something other than blockchain.info and store an encrypted backup of your wallet somewhere that someone else gains access to.
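
As an added illustration of the scheme described in the post above (not code from the thread or from blockchain.info), this Node.js sketch derives two unrelated values from one password: a wallet-encryption key that stays on the client and a login verifier that can be sent to the server. PBKDF2, AES-256-GCM, the iteration count and all function names are assumptions chosen for the example.

```javascript
const crypto = require('crypto');

const ITERATIONS = 100000; // assumed work factor; higher makes each guess slower

// One slow password stretch, then two labelled HMACs so that knowing the
// login verifier reveals nothing about the encryption key.
function deriveKeys(password, salt) {
  const master = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const encKey = crypto.createHmac('sha256', master).update('wallet-encryption').digest();
  const loginVerifier = crypto.createHmac('sha256', master).update('login-verifier').digest('hex');
  return { encKey, loginVerifier };
}

// Runs on the client. The returned object is all the server ever stores.
function encryptWallet(walletJson, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const { encKey, loginVerifier } = deriveKeys(password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([cipher.update(walletJson, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
    loginVerifier,
  };
}

// Runs on the client after downloading the blob. Returns null when the
// password is wrong or the blob was modified (GCM tag check fails).
function decryptWallet(blob, password) {
  const { encKey } = deriveKeys(password, Buffer.from(blob.salt, 'hex'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', encKey, Buffer.from(blob.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'hex'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'hex')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null;
  }
}
```

Everything in the returned blob can sit on the server without revealing the keys, but whoever holds it can still test password guesses offline, which is why password strength and the iteration count matter.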

sdfgsdfgdfg
April 08, 2013, 08:17:55 PM
 #14

thanks Danny, now it makes sense
DannyHamilton
April 08, 2013, 09:18:57 PM
 #15

Quote
thanks Danny, now it makes sense

Now it's important to understand that the javascript that is served up could be modified to capture the password and send it to the service provider.  Since the code is public, hopefully there are enough eyes on it that this would be quickly noticed and reported so everyone would know to stop using the service, but there is no guarantee that you wouldn't use the service before you heard the warning.

There is a browser plug-in that can be installed to monitor the javascript and make sure that it isn't sending the password, but it might be possible to trick users into updating the plug-in to a version that fails to properly monitor the password.  Again, this would likely be noticed rather quickly, but perhaps not before you fall victim to such a scam.

Of course the same scam could be perpetrated with any software that generates the private key and address for you.  You could be tricked into installing an update to whatever software you might choose to use that could generate the pairs in an insecure way.  At some point you either need to know how to validate the code you are running yourself, or you have to trust a community to monitor the code and warn you if/when they discover a security issue.

sdfgsdfgdfg
April 09, 2013, 03:50:59 PM
 #16

Danny,

I have actually found an interesting article in the bitcoin magazine related to the brain wallet in general, but in particular the second part of the article relates to the issue in question, making secure transactions, which is: go offline while generating transactions; http://bitcoinmagazine.com/brain-wallets-the-what-and-the-how/

What really piqued my interest was the offline transactions section at the end of the article. There is a set of instructions related to the blockchain service offline transaction.

What is unclear to me is the 3rd item of the instructions, which states the following:

Quote
"Log in from a secure computer in offline mode, making sure to use private browsing mode (incognito mode in Chrome). When the system asks you to turn off your internet connection, do so."

My question is: what does it mean to 'log in offline mode'? Log into what? The browser? Computer? Blockchain server? And if so, how?
DannyHamilton
April 09, 2013, 03:57:16 PM
 #17


Quote
"Log in from a secure computer in offline mode, making sure to use private browsing mode (incognito mode in Chrome). When the system asks you to turn off your internet connection, do so."

My question is: what does it mean to 'log in offline mode'? Log into what? The browser? Computer? Blockchain server? And if so, how?

I don't understand that instruction.  It doesn't make sense to me.

btcminer021
April 09, 2013, 03:57:49 PM
 #18

Danny, I think you've just about covered every possible scenario. Well done!

https://blockchain.info/wallet/ (If anyone was looking for the link)

dancupid
April 09, 2013, 03:59:57 PM
 #19

thanks Danny, now it makes sense

Now it's important to understand that the javascript that is served up could be modified to capture the password and send it to the service provider.  Since the code is public, hopefully there are enough eyes on it that this would be quickly noticed and reported so everyone would know to stop using the service, but there is no guarantee that you wouldn't use the service before you heard the warning.

There is a browser plug-in that can be installed to monitor the javascript and make sure that it isn't sending the password, but it might be possible to trick users into updating the plug-in to a version that fails to properly monitor the password.  Again, this would likely be noticed rather quickly, but perhaps not before you fall victim to such a scam.

Of course the same scam could be perpetrated with any software that generates the private key and address for you.  You could be tricked into installing an update to whatever software you might choose to use that could generate the pairs in an insecure way.  At some point you either need to know how to validate the code you are running yourself, or you have to trust a community to monitor the code and warn you if/when they discover a security issue.

You can pre-download the javascript (in Firefox and chrome) as an add-on, and log in from there:

https://addons.mozilla.org/en-US/firefox/addon/my-wallet/

Surprisingly only 180 users have downloaded this.
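
One way a check like the verifier plug-in or a pre-downloaded add-on discussed in this thread can work, shown as an added example rather than the code of any real extension: hash script copies that were reviewed, keep those pins outside the server's control, and compare every served copy against them. The file paths, script contents and function names are constructed for the example.

```javascript
const crypto = require('crypto');

// Digest in the Subresource Integrity format: "sha384-" + base64(SHA-384).
function integrity(source) {
  return 'sha384-' + crypto.createHash('sha384').update(source, 'utf8').digest('base64');
}

// Build the pin list once, from copies of the scripts that were reviewed.
function pinScripts(reviewed) {
  const pins = new Map();
  for (const [path, source] of Object.entries(reviewed)) {
    pins.set(path, integrity(source));
  }
  return pins;
}

// Compare what the server delivered on this visit against the pins.
// An empty result means every script is byte-for-byte the reviewed copy.
function verifyServed(served, pins) {
  const findings = [];
  for (const [path, source] of Object.entries(served)) {
    if (!pins.has(path)) {
      findings.push({ path, problem: 'unpinned script' });
    } else if (integrity(source) !== pins.get(path)) {
      findings.push({ path, problem: 'content changed' });
    }
  }
  for (const path of pins.keys()) {
    if (!Object.prototype.hasOwnProperty.call(served, path)) {
      findings.push({ path, problem: 'pinned script missing' });
    }
  }
  return findings;
}

// Constructed sample data: two reviewed scripts, then a later response in
// which one file differs and an extra file appears.
const REVIEWED = {
  '/js/wallet.js': 'function decrypt(blob, password) { /* runs locally */ }',
  '/js/kdf.js': 'function stretch(password, salt) { /* runs locally */ }',
};
const PINS = pinScripts(REVIEWED);
const SERVED_LATER = {
  ...REVIEWED,
  '/js/wallet.js': REVIEWED['/js/wallet.js'] + '\n/* line added after review */',
  '/js/extra.js': '/* file that was never reviewed */',
};
```

The pins only help if they are stored and updated somewhere the service cannot silently change, which is the same update-trust problem raised earlier in the thread.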
sdfgsdfgdfg
April 09, 2013, 06:20:19 PM
 #20

There is 'My Wallet Verifier' extension for chrome but no 'My Wallet' to be found.