dogisland (OP)
|
|
August 10, 2011, 12:53:06 PM Last edit: October 07, 2011, 08:34:36 AM by dogisland |
|
I'd like to introduce StrongCoin. http://strongcoin.com/Sign up and click on New Account to see the address generator in action. ** Warning This is A Technical Preview, Don't send Bitcoins to the addresses you create **StrongCoin is now up and running.StrongCoin is yet another wallet service (YAWS) with a difference. I'm not storing private addresses on the server except in AES encrypted form. When you go to create an address in StrongCoin you currently have 2 options. 1. Use the javascript account creator, this takes a password from you and AES encrypts the private key before sending it to the server. 2. You can create a public and private key offline, encrypt the private key and submit to StrongCoin. I'm working with the developer of VanityGen to try and make this as simple as possible. The StrongCoin server has no-way of knowing the password you used for your private key and can't decrypt your key. Also anyone that attacks our servers will not be able to access your private key as long as you've chosen a strong password. Coming Soon.1. Payments, I'm looking to create a javascript popup that will take your password, decrypt your private key and sign a payment all in the browser. Only the signed payment gets sent to the server. 2. Offline payments, I'll be offering the ability to pass through payments created offline. 3. Address book, for storing beneficiaries and their addresses. 4. Email backup. I want to send an email after each account is created (or after a group of accounts) this will have your public key and encrypted private key. Therefore if anything happens to our service you will still have access to your funds. 5. Payment and Address creation page signing. I'm looking for a way to show the user that no malicious code has been injected into the system. 6. A popup keyboard, this is hopefully circumvent key loggers by allowing the user to click enter a password. see http://www.greywyvern.com/code/javascript/keyboard7. Coming Soon - Address generation via a sentence. see https://bitcointalk.org/index.php?topic=35082.0 FeedbackI'd like to gather feedback if I may. How can I make this service better ? How can I address all the risks ? p.s. And yes it works on the Kindle browser, which is surely one of the safest environments to generate keys [/list]
|
|
|
|
matt.collier
Member
Offline
Activity: 105
Merit: 10
|
|
August 10, 2011, 01:17:59 PM |
|
Great ideas here. The Kindle angle is fantastic. The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used. You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time. Could you make your Javascript work with something like the yubikey for the purpose of generating a strong password?
|
|
|
|
dogisland (OP)
|
|
August 10, 2011, 01:27:19 PM |
|
Great ideas here. The Kindle angle is fantastic. The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used. You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time. Could you make your Javascript work with something like the yubikey for the purpose of generating a strong password? Thanks Matt. I've given feedback to the user about the strength of their password. i.e. It gives an estimate of how long their particular password would take to brute force. I'm not sure how 2 factor authentication would help except perhaps for logging into the system itself. But let me have a think about it.
|
|
|
|
pixelglow
Newbie
Offline
Activity: 26
Merit: 0
|
|
August 10, 2011, 01:38:24 PM |
|
Interesting idea.
If you don't know the private keys, how do you get the server to send out the payments on behalf of your clients? Are you using a custom bitcoind or the regular one? Even if you're using a custom bitcoind, at some stage your server must in possession of the private keys in order to sign the outgoing transaction? Or are your transactions even signed on the client side and passed back to your server somehow to be sent out?
|
|
|
|
dogisland (OP)
|
|
August 10, 2011, 01:42:42 PM |
|
If you don't know the private keys, how do you get the server to send out the payments on behalf of your clients? Are you using a custom bitcoind or the regular one? Even if you're using a custom bitcoind, at some stage your server must in possession of the private keys in order to sign the outgoing transaction? Or are your transactions even signed on the client side and passed back to your server somehow to be sent out?
Yes, I want to sign the transactions on the client side. I'm looking to automate the mechanism described here https://bitcointalk.org/index.php?topic=35469.0As far as I can see I won't need a patched client.
|
|
|
|
samr7
Full Member
Offline
Activity: 140
Merit: 430
Firstbits: 1samr7
|
|
August 10, 2011, 02:08:23 PM Last edit: August 10, 2011, 04:14:59 PM by samr7 |
|
The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used. You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time. Could you make your Javascript work with something like the yubikey? So far, all of the large-scale attacks against bitcoin sites were not aimed at individual accounts. They were aimed at the central wallet for the site. Yubikeys will make it hard for someone to clean out your account by stealing your password. However, they won't protect you against a site-wide break that renders the site insolvent to pay back your account balance. StrongCoin, however, does not have a site-wide wallet, and keeps each account key encrypted with a separate password. An attacker that manages to steal the account database will need to break the individual passwords. Unless an attacker is targeting specific accounts with large balances known to be hosted by StrongCoin, the compute cycles will be better spent mining for bitcoins. That said, the security does heavily depend on users picking good passwords, and remembering them. The site's address generator does have a calculator that gives an estimated cracking time, so hopefully it will foster good practices. Details about the encoding scheme are here, along with a (small) password cracking challenge.
|
|
|
|
matt.collier
Member
Offline
Activity: 105
Merit: 10
|
|
August 10, 2011, 02:59:55 PM |
|
How does strongcoin.com make money or at least cover operating costs?
|
|
|
|
dogisland (OP)
|
|
August 10, 2011, 03:14:52 PM |
|
How does strongcoin.com make money or at least cover operating costs?
I'm hoping to make money from charging a fee to process payments out. I'm not sure what that will be just yet but I'll probably start around the 0.01 BTC mark. Importing keys, key storage, exporting keys and viewing balances will all be free. There may be opportunities to add value with other services such as - paper wallet pdfs. - iphone/android app. - faster payments. The benefit of this service is you're not tied down to it. At any point you can take your keys and import them into another service. So I'm determined to make this the best online wallet service.
|
|
|
|
Hawkix
|
|
August 10, 2011, 05:26:31 PM |
|
Damn! You must be able to read my mind, cos I got through this idea a few days ago, when I thought what was wrong with MyBitcoin.com. Actually, I already started to look for good ECDSA JavaScript implementation for this.
I think people definitely need a kind of "online-banking" with Bitcoin. This service, if done properly, will be a killer-app.
Some my tips (a visionary of good final site):
- make it look like online banking - allow to name your addresses - allow to set description to transactions - allow for repeating payments - let the user create his own addressbook of other people addresses - dump and allow to print nice income/outcome lists - integrate an address shortener, so you can give a link to your address to your site - add an ability to save a backup (still encrypted, of course) of the keys at your site - when paying, notify that the transaction got broadcasted and later, confirmed
|
|
|
|
dogisland (OP)
|
|
August 10, 2011, 06:54:46 PM |
|
Damn! You must be able to read my mind, cos I got through this idea a few days ago, when I thought what was wrong with MyBitcoin.com. Actually, I already started to look for good ECDSA JavaScript implementation for this.
I think people definitely need a kind of "online-banking" with Bitcoin. This service, if done properly, will be a killer-app.
Some my tips (a visionary of good final site):
- make it look like online banking - allow to name your addresses - allow to set description to transactions - allow for repeating payments - let the user create his own addressbook of other people addresses - dump and allow to print nice income/outcome lists - integrate an address shortener, so you can give a link to your address to your site - add an ability to save a backup (still encrypted, of course) of the keys at your site - when paying, notify that the transaction got broadcasted and later, confirmed
That's great feedback thanks. There's a few I hadn't though of there. And some ideas. For saving a backup I'm think of generating a PDF. A kind of paper wallet. I will incorporate a workflow loop into payments, so you'll sent, broadcast and confirmed. Repeat payments might be difficult as I won't have the the private key.
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
October 02, 2011, 06:55:45 PM Last edit: October 02, 2011, 07:39:46 PM by bwagner |
|
First, I LOVE this site and idea. It is exactly what we need to get non-technical people to learn about and start using Bitcoins.
Here are a few bugs to report:
1) Import Key Function, Import Mini Key drop down - Incorrectly calculates the private key from the mini key (probably a very simple math issue).
2) Import Key Function - probably should change the action button from "Import Mini Key" to just "Import Key" since there are three different types of keys in the drop down.
3) Send payment function - Typo. "The amount ot send" should be "The amount to send"
4) Instead of charging a set fee of 0.01 BTC for your service when I transfer coins I think it would be better for you and the customer if you charged a percentage of the transfer amount - maybe up to some maximum value. Maybe 1% fee up to a maximum of 1 BTC (or whatever you decide). The reason is I may want to send some very small amounts in the future like 0.0001 BTC which I could not do with your current system since it would cost me 0.01 to send 0.0001.
5) Could you please let the customers (me) set the network transaction fee - instead of hardcoding it to 0.01 BTC? As it stands now when I transferred 1.00 BTC you took your cut (0.01) which is OK with me (but I think it should be a percentage see above) and then you hardcoded another 0.01 for the network. So it cost me 1.02 to send 1.00. Please allow us to set the network transaction fee value to anything we want, including zero.
Love your public key for transaction fees: firstbits/1strongx. How long did it take you to find it? [BTW note that firstbits/1strong is a different address!!!]
I would love to recommend this site as the easiest way to redeem physical money (physical coins, Bitbills, etc.) once you get the mini key issue fixed.
Your web site is well done, very clean and a pleasure to use. Thanks!
I was going to send you a small donation but I do not see a published donation address anywhere and I don't want to send it to firstbits/1strongx since the current balance shows exactly how many transactions have been processed through your site so far (18 at 0.01 per transaction).
|
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
October 04, 2011, 05:39:04 PM Last edit: October 04, 2011, 06:12:06 PM by Stephen Gornick |
|
5) Could you please let the customers (me) set the network transaction fee - instead of hardcoding it to 0.01 BTC? As it stands now when I transferred 1.00 BTC you took your cut (0.01) which is OK with me (but I think it should be a percentage see above) and then you hardcoded another 0.01 for the network. So it cost me 1.02 to send 1.00. Please allow us to set the network transaction fee value to anything we want, including zero. I don't know that it needs to be configurable by the user as that adds yet another variable to the mix. Like with other ewallet services, it would be nice if the network fee was included in the wallet service's fee. In my instance, without knowing that there was also a trx fee as well I kept getting an "insufficient funds" when attempting to spend all but the 0.01 StrongCoin fee and only when I finally entered an amount low enough did the transaction go through and then learned what the network fee ended up being. Additionally, it would be nice if I could pay no fee to move the funds from the imported account to another account on StrongCoin without a fee. Let's say I have a physical bitcoin and by peeling the hologram to reveal the minikey I no longer can consider that key to be secure. I might not wish to spend it right away, but I want it secured using StrongCoin. StrongCoin will eventually receive a fee when I finally do spend the funds so allowing this account-to-account transfer lets me spend a physical bitcoin without having to pay a fee to StrongCoin twice. Fee issues aside, this is an EXCELLENT service!
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
October 04, 2011, 05:53:23 PM |
|
I really like the idea from the previous post: include the network fee inside your fee. For example:
Charge 1% of the transfer up to some maximum number (let's say 1BTC)
Out of this fee you send let's say 10% on to the network and keep the other 90%
These are just example numbers - you get the idea.
Also +1 on no fees for transfers within my own accounts.
You could also do a reduced fee or no fee for transfers between all of your own customers (kind of like the cell phone network's family plans) this could be used to bring in more customers.
|
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
|
|
|
dogisland (OP)
|
|
October 10, 2011, 01:59:45 PM |
|
First, I LOVE this site and idea. It is exactly what we need to get non-technical people to learn about and start using Bitcoins. 1) Import Key Function, Import Mini Key drop down - Incorrectly calculates the private key from the mini key (probably a very simple math issue).
This was fixed a few days ago. 2) Import Key Function - probably should change the action button from "Import Mini Key" to just "Import Key" since there are three different types of keys in the drop down.
Fixed. 3) Send payment function - Typo. "The amount ot send" should be "The amount to send"
Fixed, thanks for pointing this one out. 4) Instead of charging a set fee of 0.01 BTC for your service when I transfer coins I think it would be better for you and the customer if you charged a percentage of the transfer amount - maybe up to some maximum value. Maybe 1% fee up to a maximum of 1 BTC (or whatever you decide). The reason is I may want to send some very small amounts in the future like 0.0001 BTC which I could not do with your current system since it would cost me 0.01 to send 0.0001.
The fee is now 1%. Love your public key for transaction fees: firstbits/1strongx. How long did it take you to find it? [BTW note that firstbits/1strong is a different address!!!]
Thanks, it took a few days. I wanted strongfee, but the estimate was 40 years ! Additionally, it would be nice if I could pay no fee to move the funds from the imported account to another account on StrongCoin without a fee.
I'm looking into the best way to do this. As I don't have the private keys and I don't have a balance I would have to send the payment onto the network. So I would at least have to pay a fee to the miners. But perhaps I could swallow that.
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
October 10, 2011, 02:21:05 PM |
|
Fantastic! I will check it out later today.
|
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
|
|
|
TTBit
Legendary
Offline
Activity: 1136
Merit: 1001
|
|
October 15, 2011, 10:20:41 PM |
|
Great service. Thank you.
I had to use chrome instead of firefox 7.0.1 to import a private key, the "import" button would not activate. Probably an adblock or ghostery issue on my side, but thought I would point it out.
Using it to hold dividend addresses for our GLBSE company.
|
good judgment comes from experience, and experience comes from bad judgment
|
|
|
Herbert
|
|
October 19, 2011, 11:25:26 AM |
|
So, are transactions supposed to work already? Around 30 minutes ago i made a payment. It is also visible in the GUI with this txid: 3b2a300ba7a65f79573b404863f37e0ebc2298312498bfe3613eff61d9faef7b But blockexplorer just keeps saying "no such transaction". Also the balance of my account is not reflecting the payment.
|
|
|
|
Andrew Vorobyov
|
|
October 19, 2011, 11:28:58 AM |
|
It did work couple of days ago for me
|
|
|
|
sneak
Newbie
Offline
Activity: 28
Merit: 0
|
|
October 19, 2011, 11:49:57 AM |
|
Anyone who thinks that doing client side crypto (here's looking at you, StrongCoin developers) adds any safety or security doesn't know how JavaScript works. I direct you to the excellent write-up on matasano.com, explaining clearly why doing crypto on the clientside is a waste of time: http://www.matasano.com/articles/javascript-cryptography/It's also worth noting that StrongCoin sources javascript from both Google -and- Twitter, enabling either of those organizations (or anyone who obtains a certificate for either of those organizations, or anyone if SSL is not used) to completely subvert this "secure" clientside crypto.
|
|
|
|
Andrew Vorobyov
|
|
October 19, 2011, 12:08:33 PM |
|
BS... 1. Nothing can be sniffed here... ( signed transaction that will be public in several minutes ) 2. Google will not change source code of JQuery on CDN just because some strongcoin is linking to it. 3. Some of the aspects of the article do not relay to our matter... (The problem is, having established a secure channel with SSL, you no longer need Javascript cryptography....)
|
|
|
|
|