Bitcoin Forum
December 08, 2016, 08:12:58 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 ... 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 [117] 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 »
  Print  
Author Topic: Blockchain.info - Bitcoin Block explorer & Currency Statistics  (Read 414574 times)
John (John K.)
Global Troll-buster and
Legendary
*
Offline Offline

Activity: 1092


Will read PM's. Have more time lately


View Profile
April 24, 2013, 03:41:33 PM
 #2321

Missing "Refresh" and "Logoff" GUI buttons that were in the top right corner previously. Is it just me, or something changed in the GUI?

What, no one else lost Refresh/Logoff buttons, just me? I'm on Chrome, and cleared my browser data recently. Now my buttons disappeared, and I miss them!

I lose the buttons regularly on my small netbook when I use blockchain.info to push tx's through MyWallet. I'm running Chrome too.

My BTC Tip Jar: 1Pgvfy19uwtYe5o9dg3zZsAjgCPt3XZqz9 , GPG ID: B3AAEEB0 ,OTC ID: johnthedong
Escrow service is available on a case by case basis! (PM Me to verify I'm the escrow!)

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481184778
Hero Member
*
Offline Offline

Posts: 1481184778

View Profile Personal Message (Offline)

Ignore
1481184778
Reply with quote  #2

1481184778
Report to moderator
1481184778
Hero Member
*
Offline Offline

Posts: 1481184778

View Profile Personal Message (Offline)

Ignore
1481184778
Reply with quote  #2

1481184778
Report to moderator
1481184778
Hero Member
*
Offline Offline

Posts: 1481184778

View Profile Personal Message (Offline)

Ignore
1481184778
Reply with quote  #2

1481184778
Report to moderator
Newar
Legendary
*
Offline Offline

Activity: 1162


https://gliph.me/hUF


View Profile
April 24, 2013, 04:21:17 PM
 #2322

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?
I found the file as described here: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/c9ljtlk
but can not open it (phone editor, laptop editor)

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
ErebusBat
Hero Member
*****
Offline Offline

Activity: 560

I am the one who knocks


View Profile
April 24, 2013, 07:29:56 PM
 #2323

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?
I found the file as described here: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/c9ljtlk
but can not open it (phone editor, laptop editor)
Well i have an iPhone so that would be why I couldn't find it Wink  

I am pretty sure that the iPhone version uses the keychain, which should be sufficiently strong.

EDIT:  This post: http://www.reddit.com/r/Bitcoin/comments/1czrua/just_lost_160_btc_from_address_managed_with/c9luqfy claims that the plist is stored at /var/mobile/Library/Preferences/com.rainydayapps.Blockchain.plist although that file does not exist on my device :/ so who knows.

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
willphase
Hero Member
*****
Offline Offline

Activity: 770


View Profile
April 24, 2013, 07:36:49 PM
 #2324

it should be no surprise that the blockchain apps store credentials to access your wallet on the mobile device ... how else would you be able to view the wallet and make payments?

Piuk, the developer, makes the perfectly reasonable assumption that if he stores the data in the OS recommended storage mechanism (for android, this is /data/data/<app> location, which is only readable by the app) then that should be safe.  If people go ahead and install custom ROMs (with publically available signing keys!), backing up their data using Titanium Backup to their sdcard (readable by any app), or running apps that request root, then they are taking the risk that the files will be read and used to access the wallet - just as if you installed some random stuff on your PC and then used bitcoin-qt to decrypt your wallet, you would be at risk.

My recommendations stand, that you should use a very long, unique, passphrase, turn on 2FA.  If you feel that your keys have been compromised in the past by using the app on a rooted device, or backing up your keys somewhere that might have been compromised (e.g. the email containing your aes file) then I recommend setting up a new wallet with a secure passphrase and 2FA and sending all your coins there.

Will

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
April 24, 2013, 08:18:09 PM
 #2325

Changes to Alias Resolving

When a wallet is accessed using an alias if the browser does not already have the wallet identifier saved or have an authorised login session email authorisation will now be required.

I'm not sure this is working.  On a new browser with no cookies or other local storage (Chrome in icognito mode) I enter my alias for Identifier.  The page is reloaded and the ID field remains blank.  Then in another tab I go to Blockchain.info/wallet and there is my identifier.   So the challenge is defeated somehow.

willphase
Hero Member
*****
Offline Offline

Activity: 770


View Profile
April 24, 2013, 08:49:21 PM
 #2326

I'm not sure this is working.  On a new browser with no cookies or other local storage (Chrome in icognito mode) I enter my alias for Identifier.  The page is reloaded and the ID field remains blank.  Then in another tab I go to Blockchain.info/wallet and there is my identifier.   So the challenge is defeated somehow.

I am also seeing this behavior.  Tested from a completely fresh IP/browser/computer in incognito mode with all local storage/cookies deleted

Will

Newar
Legendary
*
Offline Offline

Activity: 1162


https://gliph.me/hUF


View Profile
April 25, 2013, 02:11:14 AM
 #2327

it should be no surprise that the blockchain apps store credentials to access your wallet on the mobile device ... how else would you be able to view the wallet and make payments?
Yes, but in plaintext? Are there no better options?

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
ErebusBat
Hero Member
*****
Offline Offline

Activity: 560

I am the one who knocks


View Profile
April 25, 2013, 12:20:48 PM
 #2328

it should be no surprise that the blockchain apps store credentials to access your wallet on the mobile device ... how else would you be able to view the wallet and make payments?
Yes, but in plaintext? Are there no better options?
Even encrypting it with a static key would be (slightly) better.

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
piuk
Hero Member
*****
Offline Offline

Activity: 910



View Profile WWW
April 25, 2013, 01:33:58 PM
 #2329

Piuk, can you comment on the Amazon S3 backup regime for deleted private keys - i.e. if I were to upload a private key and then later on delete it - are old copies of the encrypted wallet file still stored on S3 - and if so, for how long?

The last 50 backups are kept, so if you update the wallet 50 times old ones will start getting removed. However If you are deleting the key for security reasons you should assume the backup is kept for ever and instead use a new private key generated offline.

Missing "Refresh" and "Logoff" GUI buttons that were in the top right corner previously. Is it just me, or something changed in the GUI?

This should be fixed now, you may need to clear your cache.

I was just suggested to pay a 0.005 fee by the blockchain app. The app is really great however I really miss the option to enter a specific fee. The choice right now seems to be to either not pay anything or to pay what the app suggests..

For the android app? A number of people have requested this, my opinion is with the mobile app you want to send as quickly and easily as possible and so should need to alter the fee. I'm sure I can add a settings option for it but I don't want to add it to the send form.

How does Blockchain.info calculate a transaction fee? I've made a 2420-byte transaction and paid 0.0015 BTC, I thought 0.0005 is the norm for Bitcoin network (for now).

The transaction is larger than standard, it has calculated 0.0005 BTC per KB and rounded up. (see fee changes below).

I like this change - but blockchain.info assumes my email is secure. I don't think this is a great assumption.

Question: Shouldn't 2-factor authentication be sufficient here? If I have the right identifier and I pass the 2-factor check *then* you can send me the encrypted wallet?

It assumes it is at least semi secure but you of course still need the password(s) and 2FA details to actually login. 2FA should be sufficient but not everyone has it enabled, this is mandatory.

...Also given the recent scandal with Instawallet URLs being searchable via Google - can you send a one-time-alias URL rather than the real identifier?

This is possible but would take a fair bit of restructuring. Might be better to require every browser to authenticate themselves via email even if they have access to the identifier, depends how annoying it gets have to respond to all the Authorise login attempt emails.


I'm not sure this is working.  On a new browser with no cookies or other local storage (Chrome in icognito mode) I enter my alias for Identifier.  The page is reloaded and the ID field remains blank.  Then in another tab I go to Blockchain.info/wallet and there is my identifier.   So the challenge is defeated somehow.

Fix now thanks Stephen, same with the other bug regarding the corrupted transaction.

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?

Yes the main passwords on both mobile apps are stored plain text but sandboxed. If the phone is rooted malicious apps will able to break the sandbox and read the password.

The second password is stored in memory while the app is running but never saved locally.

Possible solutions are:

1) Never remember the password. Depending on how long the password is it would get extremely annoying having to type it in every time the app is launched.
2) Encrypt/Obfuscate the password with information stored locally. Solves the shock factor of "Ah my password is in plain text" but would be easily circumvented by anyone with technical knowhow.
3) Pin protection with server side help. A random password is generated when the app is installed the user's password is encrypted with this and uploaded to blockchain.info. The encrypted password can then be retrieved from blockchain.info by providing a pin and decrypted locally. It is a decent solution but at the moment the users password is never uploaded to blockchain in any form and this violates that rule.

Feedback appreciated.


-------

Changes

- When the transaction fee policy is set to "Frugal" in account settings the base fee has been lowered to 0.0001 BTC.
- There is now the ability to block TOR exit nodes from accessing a wallet. If you are a TOR user you can of course continue to use your wallet without problem but don't enable this option.
- Double encryption now supports any custom defined number of pbkdf2 rounds. However there is no option to adjust this yet as when the rounds are increased over 1000 there is significant noticeable lag when decrypting the wallet and creating transactions, the decryption routines need to be made none blocking with a progress indicator.


 

hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
April 25, 2013, 02:16:54 PM
 #2330

I was just suggested to pay a 0.005 fee by the blockchain app. The app is really great however I really miss the option to enter a specific fee. The choice right now seems to be to either not pay anything or to pay what the app suggests..

For the android app? A number of people have requested this, my opinion is with the mobile app you want to send as quickly and easily as possible and so should need to alter the fee. I'm sure I can add a settings option for it but I don't want to add it to the send form.

Yes, for the app, and yes that would be great. I mean it's pretty unacceptable to have the choice of either no fee or 0.005 fee when sending 0.007BTC..

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
ErebusBat
Hero Member
*****
Offline Offline

Activity: 560

I am the one who knocks


View Profile
April 25, 2013, 04:00:44 PM
 #2331

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?

Yes the main passwords on both mobile apps are stored plain text but sandboxed. If the phone is rooted malicious apps will able to break the sandbox and read the password.

The second password is stored in memory while the app is running but never saved locally.
Can you tell us the file paths?  I would like to do some testing to see if/when  I can access it (phone locked, unlocked, etc).

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
willphase
Hero Member
*****
Offline Offline

Activity: 770


View Profile
April 25, 2013, 06:24:38 PM
 #2332

Can you tell us the file paths?  I would like to do some testing to see if/when  I can access it (phone locked, unlocked, etc).

Android OS protects each app's data, so unless your phone is rooted, you're not going to be able to access this file.  The only way to access it on a non-rooted device is to use the android toolchain to backup your phone e.g.

Code:
adb backup piuk.blockchain.android

don't do this, by the way - storing your keys or a method of getting to your keys on more devices (even inside an encrypted backup) is a really bad idea.

Will

Gaff
Jr. Member
*
Offline Offline

Activity: 48


View Profile
April 25, 2013, 06:37:10 PM
 #2333

Thanks for replying to the feedback - much appreciated!


I like this change - but blockchain.info assumes my email is secure. I don't think this is a great assumption.

Question: Shouldn't 2-factor authentication be sufficient here? If I have the right identifier and I pass the 2-factor check *then* you can send me the encrypted wallet?

It assumes it is at least semi secure but you of course still need the password(s) and 2FA details to actually login. 2FA should be sufficient but not everyone has it enabled, this is mandatory.


Could you explain a bit more about how this works? At one point exactly does 2FA get checked? Before the encrypted wallet is sent to the browser?


...Also given the recent scandal with Instawallet URLs being searchable via Google - can you send a one-time-alias URL rather than the real identifier?

This is possible but would take a fair bit of restructuring. Might be better to require every browser to authenticate themselves via email even if they have access to the identifier, depends how annoying it gets have to respond to all the Authorise login attempt emails.
 

I appreciate a one-time-alias is work, I'd be willing to contribute towards a bounty for this. Perhaps as an interim you could offer browser-always-authenticates as a per-account option?

Possible solutions [to Android app wallets] are: [...]

How about no passwords are stored but the user chooses which private keys are available on Android? I'd be happy to have a special wallet with only a few coins for use on Android, and read-only views of the rest of my balances.





zebedee
Donator
Hero Member
*
Offline Offline

Activity: 666



View Profile
April 26, 2013, 12:20:31 AM
 #2334

I just looked on my phone using iExplorer and didn't see anything, can anyone else (Ben) confirm or deny how this actually works?

Yes the main passwords on both mobile apps are stored plain text but sandboxed. If the phone is rooted malicious apps will able to break the sandbox and read the password.

The second password is stored in memory while the app is running but never saved locally.

Possible solutions are:

1) Never remember the password. Depending on how long the password is it would get extremely annoying having to type it in every time the app is launched.
2) Encrypt/Obfuscate the password with information stored locally. Solves the shock factor of "Ah my password is in plain text" but would be easily circumvented by anyone with technical knowhow.
3) Pin protection with server side help. A random password is generated when the app is installed the user's password is encrypted with this and uploaded to blockchain.info. The encrypted password can then be retrieved from blockchain.info by providing a pin and decrypted locally. It is a decent solution but at the moment the users password is never uploaded to blockchain in any form and this violates that rule.

Feedback appreciated.

Why not do the standard / obvious thing?  You must have SHA256 in the code already.  So rather than storing plaintext password, store SHA256(password)?  Plaintext should never be stored, always (salted) hashes.
BurtW
Legendary
*
Offline Offline

Activity: 1792

All paid signature campaigns should be banned.


View Profile WWW
April 26, 2013, 05:41:57 AM
 #2335

Why not do the standard / obvious thing?  You must have SHA256 in the code already.  So rather than storing plaintext password, store SHA256(password)?  Plaintext should never be stored, always (salted) hashes.

From what I understand this password is used by the device to access your account.  Having the hash of the password would not help the device access the account.

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
M25
Newbie
*
Offline Offline

Activity: 29



View Profile
April 26, 2013, 01:27:51 PM
 #2336

Just getting a white void below "Wallet Home   My Transactions    Send Money    Receive Money    Import / Export" tabs... no way to log in, and clicking those tabs does nothing.

That's with Javascript disabled. With it enabled, it's exactly the same, but a warning flashes up "For security reasons please disable Java".
zebedee
Donator
Hero Member
*
Offline Offline

Activity: 666



View Profile
April 26, 2013, 01:34:12 PM
 #2337

Why not do the standard / obvious thing?  You must have SHA256 in the code already.  So rather than storing plaintext password, store SHA256(password)?  Plaintext should never be stored, always (salted) hashes.

From what I understand this password is used by the device to access your account.  Having the hash of the password would not help the device access the account.
Well that sounds like a suboptimal setup then?
jamesg
VIP
Legendary
*
Offline Offline

Activity: 1330


AKA: gigavps


View Profile
April 26, 2013, 02:34:09 PM
 #2338

HELP!!!

Everytime I go to my wallet page I get notified that an illegal imbedded object has been found and the popup states that I should not continue!!

WTF is going on with blockchain.info?
piuk
Hero Member
*****
Offline Offline

Activity: 910



View Profile WWW
April 26, 2013, 03:12:07 PM
 #2339

HELP!!!

Everytime I go to my wallet page I get notified that an illegal imbedded object has been found and the popup states that I should not continue!!

WTF is going on with blockchain.info?

Apologies this was a problem cause by me. The error should be fixed now if you reload the page a few times.

Also please remove the verifier and use one of the packaged browser extensions http://blockchain.info/wallet/chrome-extension

jamesg
VIP
Legendary
*
Offline Offline

Activity: 1330


AKA: gigavps


View Profile
April 26, 2013, 03:16:04 PM
 #2340

HELP!!!

Everytime I go to my wallet page I get notified that an illegal imbedded object has been found and the popup states that I should not continue!!

WTF is going on with blockchain.info?

Apologies this was a problem cause by me. The error should be fixed now if you reload the page a few times.

Also please remove the verifier and use one of the packaged browser extensions http://blockchain.info/wallet/chrome-extension

Whew....  Undecided

Thanks for clearing that up. I was beginning to get worried that they site was compromised.
Pages: « 1 ... 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 [117] 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!