best ewallet

[heavyb]

Now that MyBitcoin.com has  been shown to be a thief, what is the best and most trustworthy ewallet? Anyone have reviews on bit-bank.org?


thanks

[1713997242]

1713997242

[BCEmporium]

Can't vouch for them, but at least bit-bank charges a withdraw fee. - this is actually a good thing towards legibility, "free for all" (as mybitcoin was) is suspicious unless you believe there's such thing as a free lunch.

[jackjack]

"free for all" (as mybitcoin was) is suspicious

[Stephen Gornick]

Now that MyBitcoin.com has  been shown to be a thief, what is the best and most trustworthy ewallet?

No reviews, but a list of known ewallets:
 - http://en.bitcoin.it/wiki/Category:EWallets

[evoorhees]

I've had nothing but great experiences with Instawallet.org.  It's very fast and convenient, BUT you must be sure to bookmark or copy your special URL, because that is your password. I'm amazed how quickly transactions show up there after sending coins to the address.

[BCEmporium]

I've had nothing but great experiences with Instawallet.org.  It's very fast and convenient, BUT you must be sure to bookmark or copy your special URL, because that is your password. I'm amazed how quickly transactions show up there after sending coins to the address.

Except their way is 100% unsafe, don't even know why in hell they use https if the request url is the password... use it for spare change, but keep in mind it's way too unsafe.

[Littleshop]

Is there a reason not to use Tradehill for something like this?  Don't they now have fixed addresses available?  

I do not recommend putting substantial amounts of bitcoin anywhere but on your own properly secured computer.  Once you are talking about an amount of money that would really hurt you to loose, you need to think about offline only storage and multiple secured backups.  

Hint:  a Windows computer is not secure unless it is OFF.  (not just offline, I mean turned off, no power)

  

[Rassah]

I'd say at this point, of all the choices, your best one is probably MtGox. Not only have they been through security test hell, and came out on the other side with better security in place, but they've also shown that they, as a company, are willing to take a personal loss to make their users whole again.

[Littleshop]

I'd say at this point, of all the choices, your best one is probably MtGox. Not only have they been through security test hell, and came out on the other side with better security in place, but they've also shown that they, as a company, are willing to take a personal loss to make their users whole again.

Agreed, add mtgox to my recommendation.  Also with both companies you can pay for two factor authentication as well. 

[jackjack]

I'd say at this point, of all the choices, your best one is probably MtGox. Not only have they been through security test hell, and came out on the other side with better security in place, but they've also shown that they, as a company, are willing to take a personal loss to make their users whole again.

Agreed
It's even more worth it if you had the Yubikey for free

[westkybitcoins]

I use Instawallet. Jav hasn't run off with my money, and I haven't been hacked. I trust it with A FEW bitcoins.

(I also like the way the site operates, including the fact that there's no password to slow you down. Yeah, it may be less safe, but since you shouldn't be trusting an online site with the bulk of your bitcoins anyway, it doesn't impact my risk assessment much.)

[mrb]

Except their way is 100% unsafe, don't even know why in hell they use https if the request url is the password...

If the InstaWallet page contains no link to / does not redirect to third party sites, then the URL is safe and cannot leak via a Referer header. HTTPS is a perfectly fine solution in this case.
See https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#What_is_all_this_about_.22referrer_logs.22.2C_and_sensitive_URLs.3F

[Binford 6100]

why do you have such a resistance against having an older pc at home, accessible through a logmein (works from a browser)  to have a bitcoin client running at a desktop you fully control?

as it is at home, you can make weekly backups to usb stick, you can spend coins any time as it is always up to date with the blockchain, your wallet is yous (you control the keys and can spend what's yours)

it comes at the cost of an older pc and electricity. if it's an old notebook, the power consumption is like 60 watt and if you only run the OS + bitcoin + keep it behind a firewall at home it could be pretty much safe.

not recommending any web wallet, i've been using mybitcoin myself but majority of my coins were at home (split offline usb wallet and a similar notebook + logmein.com web accessible "web" wallet)

[markm]

Apparently there are people who do not want their home accessible from the net / do not want at-home to actually be really on the net, for whatever reasons, it doesn't matter what their reasons are, they are their reasons.

Thus we basically have to be able to provide a way they can store data on third party servers and we should do it without those third parties being trustable. It is mind-boggling how many employees of how many huge corporations seemingly do not succumb to amazing amounts of temptation but relying upon an apparent rarity of villains is pretty much just a variety of "security by obscurity" thus should probably be avoided.

So we need something where the user's own hand-held device (or possibly their actual hand itself by some kind of clever counting on their fingers if they cannot rely upon some kind of glorified pocket-calculator to do it) can sign things in a way the third parties cannot fake or duplicate or counterfeit etc.

The wallet should therefore probably be thought of as totally separate from the "keyring" of "private keys". It should present to the user a transaction ready to be signed but be totally unable to sign it itself in lieu of the user or as an agent of the user. It can hold the transaction records maybe if privacy of those is not a concern. The actual coins reside on many many computers all over the world, the p2p network, so all the user (and NOT some other user such as a "wallet provider") should need is one or more private keys, or a way of re-creating (from mnemonics or algorithmically) a sufficient collection of private keys to sign transactions proposed by the "online wallet".

We shouldn't even call it a wallet, that leads to bad thinking. We should think of it as a transaction ledger and/or transaction processing tool. The blockchain is the real wallet, as in, the container in which the actual money resides. The thing the user uses should be keyring, and maybe the "online wallet" service could be regarded as at least partly a "public-key ring".

Open transactions could so nearly do this if only it used the math it claims it should be using instead of some apparently kiddie mockup version or "insufficient for real use" version of the math it claims it should be using. Darn, so close...

-MarkM-

[Binford 6100]

@markm as long as the enduser does not have a copy of his/hers keyring (private keys), s/he is not in control of the bitcoins.

no matter how you want to prevent the wallet operator from signing for you any outgoing transactions, as long as the ewallet operator has the only copy of the keys, you're vulnerable to the loss of such wallet.

just for the record, obvious note:
wallet is just a collection of private keys + addresses derived from those keys + data on available balances
to reconstruct a wallet and spend available bitcoins only the keys are needed.

that's why imo those keys should be kept privately (at own hardware and offline for bigger amounts)
if i cant' have my keys at home, how to proceed?

[markm]

Carry a private-key keyring.

I think the term wallet is becoming misleading, because the wallet.dat file does not actually contain any coins. To do it's job it needs to contain your public keys so it can 24/7 monotor your balance so as to send you any email alerts you might want based on transactions or balance, and so as you limit how long you need wait for it to re-balance in the event it somehow got out of touch with the live blockchain, and so it can show correctly all your transactions and balances with a minimum of delay when you un-minimise it / choose to view it.

If it loses its live connection it starts to get out of date, and build up a larger and larger backlog of how long it will take it to catch up.

But, at least if it is not on hardware you control and secure yourself, it should not have your private keys. Those should be on a private keyring that you and and it does not have and never gets.

Conceivably you might give it a private key occassionally, for it to expend and destroy, but to minimise the number of private keys you need to lug around or remember how to generate or carry a generation/memory tool for, it might be better that it never sees your private keys, instead it hands to you any transactions that need to be signed with a private key and you sign them, by counting on your fingers or rubbing your asic coder/decoder ring or whatever. So all it seems is that you validly signed, not they key you used to sign.

Maybe check-book (not cheque-book) might maybe work, in the sense of a book-keeping record in which you record transactions so as to "balance the check-book". Ultimately what you balance it against is the block-chain, which is partly a kind of p2p "distributed wallet", or a huge "communal wallet" in which every "locks" their own coins so that other users of that vast distributed wallet cannot spend each other's coins without somehow getting hold of a key from someone else's private-key keyring.

-MarkM-

[Binford 6100]

Carry a private-key keyring.

I think the term wallet is becoming misleading, because the wallet.dat file does not actually contain any coins.

yes, coins 'live' in the blockchain. but we got used to wallet referring to the collection of keys/addresses/balance_info. the private keys that can sign transactions are the real issue. getting back to the proposal of carrying the keyring with the 'bitcoin holder' we somehow deviate from the current design of an ewallet, requiring only a password and username, doing the rest of the work for user.

a webservice monitoring incomming transactions for a given set of addresses is not an ewallet imo. it's a step in good direction, keeping keys separated from the service operator, it would enable reporting on current available balance and it would prevent the service operator from unauthorized spending and no damage would be done, if the service disappears.

I have, however, no idea how the average non-tech user could carry a keyring around yet alone upload a specific key to sign a spending / sending transaction. it would be safe at the cost of the user who to manage keys by himself (mainly maintaining a key/address pool & backup activities). to avoind the extra work on user side is probably why people choose ewallets in the first place.

[markm]

I have, however, no idea how the average non-tech user could carry a keyring around yet alone upload a specific key to sign a spending / sending transaction. it would be safe at the cost of the user who to manage keys by himself (mainly maintaining a key/address pool & backup activities). to avoind the extra work on user side is probably why people choose ewallets in the first place.

That merely means you are not currently the entrepeneur or developer currently most likely to bring a killer solution to market.

It might well be technologically feasible to construct a nice big gaudy pair of rings which "mate" with each other so that they act like one of those password dongles MtGox is issuing on the one hand and one's own private personal thing-that-the-password-activates on the other.

You could maybe even use them as wedding rings, so only when you and your spouse are togther and plug your rings into each other will the combination work as a voice-recogniser that parses your voice commands - or, okay, maybe initially your morse code commands or your personal private code you make up commands, or becomes able to read the bar-codes on your cufflinks and shirtbuttons, or whatever, so as to sign a transaction proposed to you for signing by the blockchain-and-transaction-services provider.

In principle it is not particularly complicated unless the user wants to make it complicated.

You could have resin or silicone or whatever personal to you refillable/rewritable cents, dimes, quarters, you could have your own personal paper money in your physical wallet you rub your ring over, you could even have a crucifix you have to say a certain private prayer to, whatever. That can get very personal. You could have entire lego sets that kids can use to build family money-machines that can charge any brick or construct of bricks with any amount up to the family balance.

You could even have a laptop or somesuch - a portable device, miniaturised to whatever extent you personally feel the expense of such miniaturisation justifies, that runs your own personal Open Transactions server.

Probably best would be to do ergonomics studies, finding out specific handwaves or finger-motions or verbal or nonverbal utterances or manipulations of fetishes such as pieces of paper or disks of metal, various people think they would like to use to convey to sensors of some kind how much if anything to pay to who or what.

Some people might not worry about lead pipe attacks some might not worry about wireless digital intrusion attacks some might not care much what happens to the trivial amounts of funds they actually move about with during a single daytrip. So solutions will have to vary according to the user's perceptions and preferences.

-MarkM-

(The best solution might simply be to create so much affluence, for all, that no-one will care about a few grand here and there being purloined by kids or the street-performers known as pickpockets who enliven some interesting tourist spots and so on, figuring hey, its purpose is to maximise the forward creature-days of healthy life for all living things on spaceship earth...)

[heavyb]

I had been using mybitcoin, but luckily had nothing in there when this recent wipe out went. I downloaded the client and send .01 btc to my client on my home computer yesterday, and it still has not arrived. Does trade hill use dwolla?

Thanks for all the input!

[bitcon]

funny how after all the hacking and jacking, people are still eager to put their wallets out there into cyberspace.