|
piuk (OP)
|
 |
December 15, 2011, 10:49:07 AM
Last edit: December 15, 2011, 11:16:51 AM by piuk |
|
Can you add support for Duo Security? It's a pretty neat service. Looks like a good product but they really need to rethink their pricing strategy. Even at the small number of users My Wallet has at the moment it would be nearly $1000/month. I'll investigate the possibly of changing API key every request but I imagine this is against their TOS. At some point i will add email and skype as options since they are free. Next feature I'm really craving is QR codes. Any plans for them on the receiving addresses?
Yep QR codes are already on my todo list. This is cool, but seems a little bit dangerous for this application. What happens if you lose your yubikey or drop it in the toilet? Can you order a duplicate Yubikey as a backup? With mtgox it's a bit different…if you lose your key, you can always verify your identity and get them to restore your access to your account.
I had thought about encrypting wallets with the yubikey identity token but decided against it for the reasons you mention. The wallet is only encrypted with your password so you can email us and have the yubikey authentication removed (This must be from the email that is associated with your account). And am I understanding this correctly: the private key is stored encrypted on the servers and the encryption is handled by my browser? So if someone were to steal acquire the data they would not be able to spend my coins?
Yes your wallet would still be secure. I'm operating under the assumption here that a wallet encrypted with a 10 character AES password will take a significant amount of time to brute force, certainly enough time for you to move your coins to different addresses. I've been trying this out and it's working great. Nice interface and versatility.
I've kept an encrypted backup of the wallet locally but I have a question. If your site vanishes is there some tool (prefer linux) or process documented that can read the wallet.json.aes file format and decrypt it so we can get to our keys?
Wait a minute - I just saw that you now charge a 1% fee on outgoing transactions. Is that new? I thought a few days ago it was a free wallet and you were thinking about advertising for support?
You should be able to use AES Crypt on linux http://hungrycoder.xenexbd.com/tutorial/how-to-install-aes-crypt-in-linux-to-encrypt-and-decrypt-your-files.html. Yes the service has a 1% transaction fee for all outgoing transactions, I changed this a few days ago. The site would not be sustainable from advertising alone and if the site is profitable then I have more time to implement new features and better security. |
|
|
|
|
|
|
|
|
|
|
|
|
In order to get the maximum amount of activity points possible, you just need to post once per day on average. Skipping days is OK as long as you maintain the average.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
DeepBit
Donator
Hero Member
 Offline
Activity: 532
Merit: 501
We have cookies
|
|
December 15, 2011, 11:10:31 AM |
|
The wallet is only encrypted with your password so you can email us and have the yubikey authentication removed (This must be from the email that is associated with your account). Are you sure that you can reliably check if the sender's address is not forged ? |
Welcome to my bitcoin mining pool: https://deepbit.net ~ 3600 GH/s, Both payment schemes, instant payout, no invalid blocks ! Coming soon: ICBIT Trading platform |
|
|
|
BkkCoins
|
|
December 15, 2011, 11:49:49 AM |
|
Good enough. I'm not sure why you chose that instead of something far more standard like GnuPG ( cmd: gpg wallet.json.gpg to decrypt) but since it's only in the event that your site is gone it's not critical. Maybe an option to save a backup in gpg format would be nice. Then a user doesn't have to d/l and compile code to decrypt as gpg is usually installed on linux desktops by default. (Ah, I suspect the reason was availability of suitable client JS code.) Yes the service has a 1% transaction fee for all outgoing transactions, I changed this a few days ago. The site would not be sustainable from advertising alone and if the site is profitable then I have more time to implement new features and better security.
I understand. But it's a shame as soon Bitcoin will cost as much as using Paypal when you add in multiple fees at different steps. |
|
|
|
|
BkkCoins
|
|
December 15, 2011, 02:43:22 PM
Last edit: December 15, 2011, 03:48:39 PM by BkkCoins |
|
There seems to be a bug in the wallet export functions. I tried both the unencrypted and PDF options (which output the same value). The private key that is exported is invalid.
I checked it on bitaddress.org (which states it not a valid private key) and importing on Mt.Gox which gets confused and reports a different address that has no value, or if repeated, that it has already been used.
I'm not pasting the private key here as it has a few coins on it. But the public address that checks out in block explorer as having 5 BTC on it is: 13PsqCwzX3zuTQaLeNwEKB7FWHE2NLyM6r
I also generated a new address and checked it's private key value on bitaddress.org and get a similar invalid key message. In this case the key has no value and is
FnPRAHpS5asqHEEQRMAcUhNVzVm4Zxqx2KozVH3jgNrw
Something fishy going on there. This obviously isn't SIPA format, or Hex.
Possibly base64 but doesn't get accepted as that format.
Currently, if your site went down there would be no way to recover the monies in our wallet.
Edit: I see now on the export page you can choose format. But the default base58 is not outputing valid base58 values. eg. the one above should start with 5 but does not. I just tested the base64 option and that seems to be giving values acceptable to bitaddress.org and once converted to base58 on bitaddress.org the value works in MtGox to recover the coins.
|
|
|
|
|
piuk (OP)
|
|
December 15, 2011, 03:53:54 PM
Last edit: December 15, 2011, 04:06:23 PM by piuk |
|
There seems to be a bug in the wallet export functions. I tried both the unencrypted and PDF options (which output the same value). The private key that is exported is invalid.
I checked it on bitaddress.org (which states it not a valid private key) and importing on Mt.Gox which gets confused and reports a different address that has no value, or if repeated, that it has already been used.
I'm not pasting the private key here as it has a few coins on it. But the public address that checks out in block explorer as having 5 BTC on it is: 13PsqCwzX3zuTQaLeNwEKB7FWHE2NLyM6r
I also generated a new address and checked it's private key value on bitaddress.org and get a similar invalid key message. In this case the key has no value and is
FnPRAHpS5asqHEEQRMAcUhNVzVm4Zxqx2KozVH3jgNrw
Something fishy going on there. This obviously isn't SIPA format, or Hex.
Possibly base64 but doesn't get accepted as that format.
Currently, if your site went down there would be no way to recover the monies in our wallet.
The private keys are in base58 format, which bitaddress.org or Mt.gox don't seem to support. I've added an option to the export panel so you can choose the private key format:  I was able to then import my keys into Mt.gox and bitaddress using Hex format, both sometimes has trouble with base64 (possibly issues with their auto detection code?) Hope that helps. Edit: Wallet Import Format always starts with a 5, base58 encoding on it's own does not. |
|
|
|
gnar1ta$
Donator
Hero Member
Offline
Activity: 798
Merit: 500
|
|
December 15, 2011, 04:10:31 PM |
|
Is there anything in the software preventing someone who has lost account access, from lost login info or lost yubikey, from importing their private keys into another account? Assuming they have backed up their private keys in another place.
|
Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
|
|
|
|
BkkCoins
|
|
December 15, 2011, 04:12:51 PM |
|
I did have success trying base64 but MtGox wouldn't accept that. Converting it on bitaddress.org to base58 and then redeeming on MtGox worked for me.
I think these other sites use SIPA and not simple base58 - I gather there is some chksum added but don't know the details of that. I just recall one time reading a post on the bitaddress thread that there was something like that involved.
---
Answering question just posted above - it's impossible for the wallet software here to somehow prevent a private key from being used elsewhere. So you (or anyone) can always take the private key and import it and gain access to the funds.
I just tested that by importing my key into MtGox and I'm waiting on the confirmations on my balance being added to my MtGox BTC balance. The wallet here shows the transactions (because it gets them from the blockchain) but it has no control over the transaction content. In this example MtGox created the transaction and set the values.
|
|
|
|
|
piuk (OP)
|
|
December 15, 2011, 04:24:44 PM |
|
Is there anything in the software preventing someone who has lost account access, from lost login info or lost yubikey, from importing their private keys into another account? Assuming they have backed up their private keys in another place.
Nothing stopping you doing this. However currently if you try and import an encrypted JSON backup the password must be the same as on the old account or instead decrypt it using other software and import the plaintext JSON. I think these other sites use SIPA and not simple base58 - I gather there is some chksum added but don't know the details of that. I just recall one time reading a post on the bitaddress thread that there was something like that involved.
Yes the default format has no checksum. I didn't really see the need for a checksum as if you miss type the private key it's immediately obvious as the address is different. it's impossible for the wallet software here to somehow prevent a private key from being used elsewhere.
Maybe it might be possible for the wallet to keep a pre signed transaction moving all coins to a backup address. Then if an 'authorised' transaction is made it could attempt to quickly push out this transaction and prevent the other ones from going through. Just an idea, don't know how well it would work in practice. |
|
|
|
|
piuk (OP)
|
|
December 15, 2011, 11:49:11 PM |
|
The site now supports two factor authentication via email (Yubikey is still recommended if you have one). Also the server side wallet code is now available at https://github.com/zootreeves/blockchain.info/blob/master/WalletServlet.java please review it if you are able and have the time. Are you sure that you can reliably check if the sender's address is not forged ?
To combat this you can now add a "Secret Phrase" to your account, this can be a phrase or word of your choosing and can be provided to help prove your identity. This service is not automated and so lost yubikeys//emails will be reviewed on a case by case basis. The sentence doesn't have to be exact, as long as can recall it partially. I've put up a page explaining a bit more about security etc. |
|
|
|
julz
Legendary
Offline
Activity: 1092
Merit: 1001
|
|
December 16, 2011, 01:03:04 AM |
|
The site now supports two factor authentication via email (Yubikey is still recommended if you have one). Also the server side wallet code is now available at https://github.com/zootreeves/blockchain.info/blob/master/WalletServlet.java please review it if you are able and have the time. Are you sure that you can reliably check if the sender's address is not forged ?
To combat this you can now add a "Secret Phrase" to your account, this can be a phrase or word of your choosing and can be provided to help prove your identity. This service is not automated and so lost yubikeys//emails will be reviewed on a case by case basis. The sentence doesn't have to be exact, as long as can recall it partially. I've put up a page explaining a bit more about security etc. I don't see why there would be a problem using email address recovery, unless someone is silly enough to have used the same password for their email system. The standard way of verifying an email address is not forged is surely to send a code to it, and ask for it back if the action is approved. |
@electricwings BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
|
|
|
DeepBit
Donator
Hero Member
Offline
Activity: 532
Merit: 501
We have cookies
|
|
December 16, 2011, 03:36:26 PM |
|
You have two separate stats for "BTCGuild" and "BTC Guild" :)
|
Welcome to my bitcoin mining pool: https://deepbit.net ~ 3600 GH/s, Both payment schemes, instant payout, no invalid blocks ! Coming soon: ICBIT Trading platform |
|
|
|
piuk (OP)
|
|
December 16, 2011, 06:21:41 PM |
|
You have two separate stats for "BTCGuild" and "BTC Guild"  Should be fixed. Still having trouble connecting to your server Slush. I don't see why there would be a problem using email address recovery, unless someone is silly enough to have used the same password for their email system.
The standard way of verifying an email address is not forged is surely to send a code to it, and ask for it back if the action is approved.
There's the possibility your email could be compromised, but your yubikey still safe. Can't hurt anyway. P.S. Can anyone get http://www.webqr.com/ working? I would like to add it but it doesn't work with my webcam. |
|
|
|
DeepBit
Donator
Hero Member
Offline
Activity: 532
Merit: 501
We have cookies
|
|
December 18, 2011, 02:31:01 AM |
|
|
Welcome to my bitcoin mining pool: https://deepbit.net ~ 3600 GH/s, Both payment schemes, instant payout, no invalid blocks ! Coming soon: ICBIT Trading platform |
|
|
|
|
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
|
|
December 18, 2011, 08:51:18 PM |
|
|
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
|
|
|
julz
Legendary
Offline
Activity: 1092
Merit: 1001
|
|
December 19, 2011, 01:49:36 AM |
|
Great to see the new QR code support.
It worked fine on an iPhone and windows pc.. but QR code popup didn't display the image on a friend's android device.
minor point on the popup.. it might be nice if the popup could be 'pinned'.. at the moment it only works as a mouse hover-over, so you can't copy/drag the QR code or get the path to the image.
It would also be nice to have an address shortener such as btc.to available next to each address.
(at least for the 'receive money' page - but would be even better if the 'send money' page would accept btc.to addresses too)
usecase e.g standing near someone's pc with a mobile phone - want to tell them the address to send BTC, but they don't have a camera and you don't want to have to send an email or get them to attempt to type the whole address string.
(also for payment instruction via voice call)
It's easy enough to just go to your favourite shortening service when you're on a desktop machine - but a bit of a hassle when on a mobile device.
|
@electricwings BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
|
|
|
netrin
Sr. Member
Offline
Activity: 322
Merit: 251
FirstBits: 168Bc
|
|
December 19, 2011, 02:26:54 AM |
|
It would also be nice to have an address shortener such as btc.to available next to each address.
(at least for the 'receive money' page - but would be even better if the 'send money' page would accept btc.to addresses too)
The firstbits are an ideal (theoretically) unambiguous shortener... provided the address has been seen by the network. For public addresses not yet publicly seen by the network, perhaps Puik could add a temporary otherwise invalid code. The first 8 characters of an address are typically unambiguous (sans vanity codes), something like 1eDj5Efw000 (zero zero zero) might produce a collision list page? |
|
|
|
dvide
Newbie
Offline
Activity: 59
Merit: 0
|
|
December 19, 2011, 06:31:15 AM |
|
Not that I want to give anybody any ideas, but can't people easily remove the 1% fee from the output of a transaction, given the way the transaction is constructed and signed on the client side? Like use a greasemonkey script or something that does it automatically? Are you just hoping that people won't do that, or is actually not possible somehow?
|
|
|
|
|
julz
Legendary
Offline
Activity: 1092
Merit: 1001
|
|
December 19, 2011, 06:57:45 AM |
|
Not that I want to give anybody any ideas, but can't people easily remove the 1% fee from the output of a transaction, given the way the transaction is constructed and signed on the client side? Like use a greasemonkey script or something that does it automatically? Are you just hoping that people won't do that, or is actually not possible somehow?
I don't know if it can be worked around - but I wish it were only 1%. It's 1% or 0.01 BTC ... so for sub 1BTC amounts it's quite a high cut. I'd hoped to use it as part of a demo to people about how easy it is to shuffle around money using Bitcoin. Looks like I'll have to use amounts in the order of a few BTC rather than 0.x BTC so that it's not eaten up so quickly by fees. |
@electricwings BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
|
|
|
notme
Legendary
Offline
Activity: 1904
Merit: 1002
|
|
December 19, 2011, 07:01:50 AM |
|
Not that I want to give anybody any ideas, but can't people easily remove the 1% fee from the output of a transaction, given the way the transaction is constructed and signed on the client side? Like use a greasemonkey script or something that does it automatically? Are you just hoping that people won't do that, or is actually not possible somehow?
I don't know if it can be worked around - but I wish it were only 1%. It's 1% or 0.01 BTC ... so for sub 1BTC amounts it's quite a high cut. I'd hoped to use it as part of a demo to people about how easy it is to shuffle around money using Bitcoin. Looks like I'll have to use amounts in the order of a few BTC rather than 0.x BTC so that it's not eaten up so quickly by fees. If it's 1% of 0.01 BTC, 1 BTC is the equilibrium. Send more than that and you pay MORE in fees. Yes, it's less by percentage, but you're still spending more BTC on fees. If you are minimizing fees on demo transactions it doesn't matter the amount as long as it is 1 BTC or less, you will pay the 0.01 BTC minimum. |
|
|
|
|
