Bitcoin Forum
July 29, 2024, 12:35:06 AM *
Author Topic: Blockchain.info - Security  (Read 643 times)
eragmus (OP)
November 30, 2013, 08:36:36 PM
Last edit: November 30, 2013, 10:26:30 PM by eragmus
 #1

Hi,

I basically joined to get feedback on an issue that has already been raised by someone else on this forum, but has not been answered yet.

The link with the inquiry:
https://bitcointalk.org/index.php?topic=331043.msg3551051#msg3551051

The inquiry itself:
How secure is blockchain.info's wallet extension for Chrome?

Blockchain.info offers a Chrome extension for its "My wallet". This should eliminate the problem of potentially compromised javascript because the "full javascript bitcoin client is included in the browser extension" (quote from their site). This sounds good and I get the feeling that using the Chrome extension adds another security layer. But I'm not sure how I can verify that the extension itself is not compromised. Has anyone reviewed the code for this? Is there a way to make sure the installed extension actually is safe?


More info from Blockchain:
https://blockchain.info/wallet/verifier

"My Wallet works differently than traditional hosted bitcoin wallets as the bitcoin client runs within your own browser. This means, in theory, if blockchain.info was hacked your wallet would still be safe. However there is a weakness in that the server could be altered to serve modified javascript which could intercept your password or bitcoin addresses.

The chrome browser extension eliminates this problem. The full javascript bitcoin client is included in the browser extension so it is no longer necessary to download any javascript from our servers. The result is a client which has all of the benefits of a web wallet service but requires very little trust to be placed in any 3rd party."


I'm interested in a user-friendly interface to interact with my Bitcoins, but I'm also heavily interested (as should anyone!) in security. It seems their Chrome extension implementation solves the only/main security issue that their regular non-extension website-based service has, which as Blockchain states above, is that their server "could be altered to serve modified javascript which could intercept your password or bitcoin addresses".

But then again, this depends on the Chrome extension. So, to reiterate as the other poster asked, has their extension been verified to be safe without bugs? Is it open-source?

--

On a related issue, Blockchain.info describes their security, as follows:
https://blockchain.info/wallet/ways-to-access

Specifically, their web client (the most popular mode of access) is described like this:
Web Interface
The web interface uses javascript running in your browser to encrypt your wallet and create transactions independently from the server. However the code is downloaded from the server each time the page is opened and it is therefore possible for the server potentially to alter the behavior of the client to act maliciously. The web interface therefore requires the most trust in Blockchain's server security.

good - Server cannot spend your coins.
good - Backup your wallet locally.
bad - Server can modify the behavior of the client.
bad - Server can lie about transactions.


Does anyone know if the Chrome extension solves both the 'bad' issues, or only the one about the server being able to modify the behavior of the client, if hacked?

If it solves both 'bad' issues listed, does this mean truly infallible security? If not, any other tips?

I think Bitcoin is great, but security should be the number 1 focus. Too many people in the population are computer illiterate or newbish, and if Bitcoin is to enter the mainstream and gain trust, the security issue must be resolved, so people can feel safe having Bitcoins.

If this chrome browser extension can be truly safe, then it will go a huge way! It took me 5 seconds to download/install the extension from the Chrome store, which is highly used by millions of Chrome users already. This means it's highly accessible by non-savvy users (definitely more accessible than downloading a separate standalone app), and easier to use (you must admit most Bitcoin wallet apps have terrible user interfaces, at least compared to the slick Blockchain.info wallet UI).

Thanks!
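
Added example, not part of the original post and not Blockchain.info's code: one way to approach the question above is to hash every file in an unpacked extension directory and diff the result against a reference copy someone has reviewed. The directory names, file names and contents below are constructed for the demo.

```javascript
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");
// Map "relative/path" -> SHA-256 hex for every regular file under root (symlinks skipped).
function hashTree(root, dir = root, out = Object.create(null)) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) hashTree(root, full, out);
    else if (entry.isFile()) {
      const rel = path.relative(root, full).split(path.sep).join("/");
      out[rel] = crypto.createHash("sha256").update(fs.readFileSync(full)).digest("hex");
    }
  }
  return out;
}

// Diff the installed tree against a reference tree (e.g. a copy someone has reviewed).
function compareToReference(installed, reference) {
  const names = new Set([...Object.keys(installed), ...Object.keys(reference)]);
  const report = { modified: [], added: [], missing: [] };
  for (const name of [...names].sort()) {
    if (!(name in reference)) report.added.push(name);
    else if (!(name in installed)) report.missing.push(name);
    else if (installed[name] !== reference[name]) report.modified.push(name);
  }
  report.ok = report.modified.length + report.added.length + report.missing.length === 0;
  return report;
}

// Constructed sample trees; all file names and contents are made up for the demo.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "extcheck-"));
  const write = (tree, rel, text) => {
    const p = path.join(base, tree, rel);
    fs.mkdirSync(path.dirname(p), { recursive: true });
    fs.writeFileSync(p, text);
  };
  write("reviewed", "manifest.json", '{"name":"demo-wallet"}');
  write("reviewed", "js/wallet.js", "function sign(tx) { return tx; }");
  write("installed", "manifest.json", '{"name":"demo-wallet"}');
  write("installed", "js/wallet.js", "function sign(tx) { return tx; } // altered");
  write("installed", "js/extra.js", "// not present in the reviewed copy");
  const report = compareToReference(
    hashTree(path.join(base, "installed")), hashTree(path.join(base, "reviewed")));
  fs.rmSync(base, { recursive: true, force: true });
  return report;
}
console.log(demo());
```

A match only shows that the installed files equal the reference copy; it says nothing about whether that copy is free of bugs, and the check has to be repeated after each extension update.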
koshgel
November 30, 2013, 08:41:29 PM
 #2

Extremely curious about the security of this as well, since I use the Chrome extension. :P