Blockchain.info - Bitcoin Block explorer & Currency Statistics

[ErebusBat]

Google Chrome is telling me that the wallet verifier app needs new permissions. What's the story?

I'm seeing this too. Oddly I saw the message first on a totally unrelated site.

That is because it now wants access to EVERY site and not just blockchain.info.  Not sure why, maybe piuk can enlighten us.

[HostFat]

I think that it's going to catch all bitcoin URIs ...

[piuk]

Google Chrome is telling me that the wallet verifier app needs new permissions. What's the story?

It's for a new feature which allows you to import and export keys to Bitcoin-Qt without needing to use pywallet or command line.

The problem is talking with the Bitcoind RPC server is a violation of the browser's Same origin policy and most browsers won't let you do it without special CORS HTTP headers. I made a pull request to add CORS headers to the RPC interface but the Bitcoin devs have dismissed the idea previously. As a workaround the Verifier browser extension can be used to circumvent the restrictions - as extensions have the ability to bypass the same origin policy if requested.

1) If you are not running Bitcoind-Qt there is no risk.
2) If you have not enabled the RPC server (by default it is off) there is no risk.
3) If you have the RPC server enabled the web interface will be able to talk with Bitcoin-QT so be sure the username and password is set.
4) The extension only runs on blockchain.info or www.blockchain.info.

[piuk]

Desktop sync Now Active. It can be found in [Import / Export].

It allows you to easily import keys from Bitcoin-QT if you would like to switch to My Wallet or export keys if you want to switch to the Desktop client.

However it is not recommended for everyday use if you want to keep your wallets separate as by entering your RPC username, password and wallet password you are giving the javascript full access to your Bitcoin-Qt wallet. The username and password for the Bitcoin-Qt wallet is not saved.

[LightRider]

That is wonderful and terrifying feature.

[Peter Todd]

Google Chrome is telling me that the wallet verifier app needs new permissions. What's the story?

It's for a new feature which allows you to import and export keys to Bitcoin-Qt without needing to use pywallet or command line.

The problem is talking with the Bitcoind RPC server is a violation of the browser's Same origin policy and most browsers won't let you do it without special CORS HTTP headers. I made a pull request to add CORS headers to the RPC interface but the Bitcoin devs have dismissed the idea previously. As a workaround the Verifier browser extension can be used to circumvent the restrictions - as extensions have the ability to bypass the same origin policy if requested.

1) If you are not running Bitcoind-Qt there is no risk.
2) If you have not enabled the RPC server (by default it is off) there is no risk.
3) If you have the RPC server enabled the web interface will be able to talk with Bitcoin-QT so be sure the username and password is set.
4) The extension only runs on blockchain.info or www.blockchain.info.

I really think you should use a separate extension for this.

I have no need for this feature - it is a niche use case - and I'd much rather be running a verifier with fairly limited privileges than one that in itself represents a security risk.

[piuk]

I really think the risk is minimal. But regardless it is a niche case so I have moved it to a separate extension and the verifier permissiosn have be reset to how they were previously.

Verifier:

https://chrome.google.com/webstore/detail/kcapglakfcodkajgllmkiddclghogkic

RPC Communicator:

https://chrome.google.com/webstore/detail/nknfighfndfaahebfedlkgfifjfjgbjk

As always the sources are available on https://github.com/blockchain

[HostFat]

You should add a link to the RPC Communicator in the import/export page

[piuk]

New Feature: Taint Analysis

Shows the addresses which can be connected with a particular destination address and the % of the total funds received from each address (Taint). This tool is indented to make it easier to test your mixing service and make it easier to analyse your own anonymity. Not as a tool for blacklisting bitcoins which is a terrible idea.

Examples:

Blockchain.info Donation Address

http://blockchain.info/taint/1JArS6jzE3AJ9sZ3aFij1BmTcpFGgN86hA: Largest payment received is from 122uEigTAMi7Moj4KWaboQDehjsCZaSyhy which is followed by a long series of transactions with very little mixing. At some point the funds passed through the Mt.Gox green address (1LNWw6yCxkUmkhArb2Nf2MPw6vG7u5WG7q) stopping at this transaction (http://blockchain.info/tx-index/2058561/1) which is the maximum depth of 250 outputs deep that the tool will show.

Mining address:

http://blockchain.info/taint/16QAc9cG4Aoim3ATkhNtvqxJKFUg7seZvU for address http://blockchain.info/address/16QAc9cG4Aoim3ATkhNtvqxJKFUg7seZvU

Shows 100% taint for each address as the coins have never been mixed and the entire amount can be trace back to the generation address 16LiX6VnHLSCwRG7CT3WqzFh8jXoRAiu1b

Stolen Funds Analysis

http://blockchain.info/taint/1QL18jvRWvw8dn3mrveNYbkWWZQ7ea3CoB is 7% tainted by the Bitcoinica hack transaction. If you view the address http://blockchain.info/address/1QL18jvRWvw8dn3mrveNYbkWWZQ7ea3CoB?show_adv=true you can see there is one outgoing transaction to 1Ph5K2kz18mhUZYEtpsALWcwK9qZ41nDpR and 16TS4y4J2Eh8nVseGuYjPkGtqSpRBMurmH. However because that transaction uses inputs from a lot of different sources neither of those address will show taint from the Bitcoinica funds anymore. The funds have been sufficiently mixed that a link can no longer be made (it could will more in depth analysis but it would be very weak).
 
More anonymity tools coming for My Wallet users soon.

You should add a link to the RPC Communicator in the import/export page

Link is up now. Even small changes to the site like that require a web server restart some I'm trying to deploy updates less often.

[hazek]

May I suggest you rename it to trail analysis or something else. Taint has unfortunately become a pretty loaded word and will probably give the wrong idea to quite a few people.

[k]

agree with hazek, try to avoid calling it taint analysis.
Maybe coin history/origin analysis or something else.

[Red Emerald]

agree with hazek, try to avoid calling it taint analysis.
Maybe coin history/origin analysis or something else.

+1

So something weird is going on with my vanity address.

http://blockchain.info/taint/11235813yoNV9F45KjwRiBYnYFufMunTj8

Apparently there is only a 5.7942159848% that this address is connected to itself. That seems wrong.

Also I think you have a typo here: "The more "taint" the worse the stronger the link that remains."

[ErebusBat]

New Feature: Taint Analysis

Seriously cool!

[unclescrooge]

Not as a tool for blacklisting bitcoins which is a terrible idea.

+1

Very very bad idea.

All coins are eventually tainted. As all the dollars bills anyway

[ErebusBat]

Anyone know off hand which address the coins in the genesis block were paid to?  That would be interesting.

[Red Emerald]

Anyone know off hand which address the coins in the genesis block were paid to?  That would be interesting.

http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

The wiki says they can't actually be spent, though it doesn't go into the details of why.

[piuk]

May I suggest you rename it to trail analysis or something else. Taint has unfortunately become a pretty loaded word and will probably give the wrong idea to quite a few people.

Taint is already a word i've heard mentioned a few times when discussing coin origins. Maybe Source Analysis.

Apparently there is only a 5.7942159848% that this address is connected to itself. That seems wrong.

I tweaked the algorithm a bit and not it correctly(?) shows 1HZY2Bks6HjTXFxXSj8ivhWCnkosypiUxR as the top source address.

The branch column attempts to colour code related transactions and if numbered shows the number of unique root branches that address has appeared in. By unique branches I mean descendants of transactions which directly pay into to the address. Anything with a count > 0 usually indicates a stronger relationship with the target address.

For example My Address: http://blockchain.info/taint/1A8JiWcwvpY7tAopUkSnGuEYHmzGYfZPiq shows branch counts > 0 for these addresses.






These are addresses I also commonly use for testing and such and are in the same wallet. It does also show a high branch count for Deppbit (1VayNert3x1KzbpzMGt2qdqrAThiRovi8) which you will find to be true of many addresses as a large % of coins tend to originate from deepbit. Also the top ip is listed as 127.0.0.1 because I use My Wallet to make transactions so they are broadcast from localhost.

Anyone know off hand which address the coins in the genesis block were paid to?  That would be interesting.

http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

The wiki says they can't actually be spent, though it doesn't go into the details of why.

The genesis transaction will be rather interesting as it has no history. It would be interesting to do an analysis on the first few thousand generation transactions, at least some of them must have moved.


P.S. Thank you to the recent donators.

[Jan]

How about calling it traceroute? Resembles the unix command for tracing IP router hops.

[hazek]

May I suggest you rename it to trail analysis or something else. Taint has unfortunately become a pretty loaded word and will probably give the wrong idea to quite a few people.

Taint is already a word i've heard mentioned a few times when discussing coin origins. Maybe Source Analysis.

Excellent choice, I like it a lot!

[rjk]

Please please please.... Even if you don't make any other changes, could you add this note to the chart of the network hash distribution?:

"The "Unknown" section does not represent a single entity."

That would prevent many topics about the network being taken over by some mystery miner or something from being started in the first place.