sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 07, 2013, 03:41:49 PM

What do you think of the Blockchain Wallet?

AllergicRacoon
Newbie
Offline
Activity: 6
Merit: 0
April 07, 2013, 04:26:24 PM

Best online wallet IMO, especially because you can download your keys.

whiskers75
April 07, 2013, 04:38:24 PM

Personally, I love blockchain.info and don't use any other wallet. It is encrypted by default and is very secure. blockchain.info NEVER touches unencrypted keys - only your computer does. Plus - no blockchain downloads, and total address and key control!

jkroll
Newbie
Offline
Activity: 7
Merit: 0
April 07, 2013, 04:43:27 PM

It is good except for if you are sending or receiving tiny amounts of money because of the fees.

whiskers75
April 07, 2013, 04:50:15 PM

> It is good except for if you are sending or receiving tiny amounts of money because of the fees.

Those are bitcoin tx fees. NOT blockchain.info's fault!

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 08, 2013, 01:43:03 PM

whiskers75, the total control might not be as total as we think. As a matter of fact, the owner of the wallet does not have any security control at all. All bitcoin addresses (except for the Watch-Only) are generated by the service and managed by the service. What it means is that the private and public key pairs for every address are managed by the service and can be used by the service as needed. The user can export the private key as a proof of the transaction(s) but doesn't really have total control over the keys.
The Watch-Only bitcoin address can be imported and used to receive bitcoins only. If one wants to send bitcoins using the Watch-Only address, one has to provide the private key, which implies a breach of control over the private key. What do you think?
P.S. Is there any forum here dedicated to the blockchain service?

DannyHamilton
Legendary
Offline
Activity: 3486
Merit: 4851
April 08, 2013, 03:20:19 PM

> - snip - All bitcoin addresses (except for the Watch-Only) are generated by the service and managed by the service. What it means is that private and public key pairs for every address is managed by the service and can be used by the service as needed. the user can export the private key as a proof of the transaction(s) but it doesn't really have a total control over the keys. - snip -

You are mistaken. The bitcoin addresses are generated by the user (with javascript in their browser), and managed by the user (with javascript in their browser). The private keys are encrypted using javascript in the user's browser with the user's password before being sent to "the service". What it means is that private keys for every address are managed by the user and unknown to the service. Those private keys can be used by the user as needed, but cannot be used by the service.

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 08, 2013, 03:45:14 PM

Danny, you are right with regard to how it's generated. I am playing Devil's Advocate in order to understand the process. Yet, just because the addresses and the keys are generated on the client (browser) side, it does not imply that the client has control of them. Bottom line is that all the information is stored on the server side: passwords, addresses, keys. And this is the breach of security. If the service, for whatever reason, decides to take your money, it can, for it has the technical means to do so. In the final analysis the service keeps all the cards.
The only way to secure your coins is to receive bitcoins using the Watch-Only address (this is the only scenario in which the service does not have the private key), but even in this scenario the service can move your coins using another address. Any thoughts?

leijurv
Member
Offline
Activity: 63
Merit: 10
Vires in Numeris
April 08, 2013, 04:34:56 PM

> Bottom line is that all the information is stored on the server side; passwords, addresses, keys.

Actually, no. The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript when you enter in your password. The server never has the unencrypted version.

Firstbits 1Leijurv. Or, if you like cats, Firstbits 1Kittens and 1catcat as well. If you're a chemist, also 1Helium, 1Erbium, 1Copper, 1Cerium, and 1Nickel. If you like numbers, 123four, 12234, 12three. Keybase and onename user: leijurv.

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 08, 2013, 05:09:41 PM

> The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript.....

Are you referring to the main or secondary password? Because the service does have the main password; if for anything, it has it for login verification. Unless I am missing the point here. What I think of logging into the blockchain service is actually decryption of wallet information on the client side. Is that the case? It's easy to verify: disconnect your computer from the internet prior to typing the password. I will give it a try. Will let you know. The secondary password is optional, so I don't understand how the encryption/decryption with the secondary password could be done if a user has not generated the optional secondary password.

mrfixit
Newbie
Offline
Activity: 2
Merit: 0
April 08, 2013, 05:18:16 PM

> The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript.....
> Are you referring to the main or secondary password? Because the service does have the main password; if for anything, it has it for login verification. Unless I am missing the point here. What I think of logging into the blockchain service is actually decryption of wallet information on the client side. Is that the case? It's easy to verify: disconnect your computer from the internet prior to typing the password. I will give it a try. Will let you know. The secondary password is optional, so I don't understand how the encryption/decryption with the secondary password could be done if a user has not generated the optional secondary password.

I haven't looked to be sure, but most reputable places that care about security do not store plaintext passwords, so I would imagine that Blockchain does not have your main password. Typically, they'll store a hash (or salted hash) of your password. Your password can be brute-forced (so a longer password will make it more secure), but the original password is likely not stored as plaintext and thus not retrievable without brute-forcing. I'm not sure how they go about dealing with two-factor authentication though.

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 08, 2013, 05:32:54 PM

> I'm not sure how they go about dealing with two-factor authentication though.....

I just tested it. Unfortunately, I have 2-step verification, so the client side has to connect to the service to verify the verification code. Therefore, I failed to open the wallet while my system was disconnected from the web.

DannyHamilton
Legendary
Offline
Activity: 3486
Merit: 4851
April 08, 2013, 07:01:00 PM

> The server doesn't store the password. You download the encrypted file containing the addresses and private keys and decrypt it with JavaScript.....
> - snip - the service does have the main password if for anything it has it for login verification. - snip -
> I haven't looked to be sure, but most reputable places that care about security do not store plaintext passwords, - snip -

Correct. Blockchain.info does not have your password. If you lose your password and call them, they will be unable to "reset" it or to tell you what it is. Your bitcoins will be lost until you can remember what your password is. For login verification, your password is salted and hashed in the browser, and this hash is sent to (and stored on) the server. Since the hash is not reversible, it is not possible for the service to access your bitcoins. Yes, a dictionary attack is possible if you don't use a complex enough password, but that is also true if you use something other than blockchain.info and store an encrypted backup of your wallet somewhere that someone else gains access to.

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 08, 2013, 08:17:55 PM

thanks Danny, now it makes sense

DannyHamilton
Legendary
Offline
Activity: 3486
Merit: 4851
April 08, 2013, 09:18:57 PM

> thanks Danny, now it makes sense

Now it's important to understand that the javascript that is served up could be modified to capture the password and send it to the service provider. Since the code is public, hopefully there are enough eyes on it that this would be quickly noticed and reported so everyone would know to stop using the service, but there is no guarantee that you wouldn't use the service before you heard the warning. There is a browser plug-in that can be installed to monitor the javascript and make sure that it isn't sending the password, but it might be possible to trick users into updating the plug-in to a version that fails to properly monitor the password. Again, this would likely be noticed rather quickly, but perhaps not before you fall victim to such a scam. Of course the same scam could be perpetrated with any software that generates the private key and address for you. You could be tricked into installing an update to whatever software you might choose to use that could generate the pairs in an insecure way. At some point you either need to know how to validate the code you are running yourself, or you have to trust a community to monitor the code and warn you if/when they discover a security issue.

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 09, 2013, 03:50:59 PM

Danny, I have actually found an interesting article in Bitcoin Magazine related to the brain wallet in general, but in particular the second part of the article relates to the issue in question, making secure transactions, which is: go offline while generating transactions; http://bitcoinmagazine.com/brain-wallets-the-what-and-the-how/
What really piqued my interest was the offline transactions section at the end of the article. There is a set of instructions related to the blockchain service offline transaction. What is unclear to me is the 3rd item of the instructions, which states the following: "Log in from a secure computer in offline mode, making sure to use private browsing mode (incognito mode in Chrome). When the system asks you to turn off your internet connection, do so." My question is: what does it mean to 'log in offline mode'? Log into what? The browser? Computer? Blockchain server? And if so, how?

DannyHamilton
Legendary
Offline
Activity: 3486
Merit: 4851
April 09, 2013, 03:57:16 PM

> "Log in from a secure computer in offline mode, making sure to use private browsing mode (incognito mode in Chrome). When the system asks you to turn off your internet connection, do so." My question is: what does it mean to 'log in offline mode'? Log into what? The browser? Computer? Blockchain server? And if so, how?

I don't understand that instruction. It doesn't make sense to me.

btcminer021
Member
Offline
Activity: 98
Merit: 10
Mine hard!
April 09, 2013, 03:57:49 PM

Danny, I think you've just about covered every possible scenario. Well done! https://blockchain.info/wallet/ (If anyone was looking for the link)

dancupid
April 09, 2013, 03:59:57 PM

> > thanks Danny, now it makes sense
> Now it's important to understand that the javascript that is served up could be modified to capture the password and send it to the service provider. Since the code is public, hopefully there are enough eyes on it that this would be quickly noticed and reported so everyone would know to stop using the service, but there is no guarantee that you wouldn't use the service before you heard the warning. There is a browser plug-in that can be installed to monitor the javascript and make sure that it isn't sending the password, but it might be possible to trick users into updating the plug-in to a version that fails to properly monitor the password. Again, this would likely be noticed rather quickly, but perhaps not before you fall victim to such a scam. Of course the same scam could be perpetrated with any software that generates the private key and address for you. You could be tricked into installing an update to whatever software you might choose to use that could generate the pairs in an insecure way. At some point you either need to know how to validate the code you are running yourself, or you have to trust a community to monitor the code and warn you if/when they discover a security issue.

You can pre-download the javascript (in Firefox and chrome) as an add-on, and log in from there: https://addons.mozilla.org/en-US/firefox/addon/my-wallet/
Surprisingly only 180 users have downloaded this.

sdfgsdfgdfg (OP)
Newbie
Offline
Activity: 14
Merit: 0
April 09, 2013, 06:20:19 PM

There is 'My Wallet Verifier' extension for chrome but no 'My Wallet' to be found.