Red Emerald
March 02, 2012, 11:57:57 PM
Quote from: piuk
In light of the recent hackings (I'm sure I've said this before) I just want to add some clarity on security.
1) My Wallet is not vulnerable to hackings in the same way that happened to Bitcoinica and Slush. If the server root was compromised the attackers would not be able to empty any wallets as they are only stored encrypted.
2) What the attacker may be able to do is change the JavaScript files to intercept passwords over time and then decrypt the wallets. This would only affect people who logged in during this time, but it is a weak point nonetheless. I have made a small Java app to help counter this: https://github.com/zootreeves/My-Wallet-Integrity-Checker
Compiling from source is recommended but you can download here: https://github.com/downloads/zootreeves/My-Wallet-Integrity-Checker/applet.jar
When you enter your wallet identifier it will download your My Wallet page and check:
a) The DOM for any inline JavaScript.
b) For any unrecognised external JavaScript file.
c) Prompt for the user to review any inline JavaScript.
d) Verify all local JavaScript files match those at https://github.com/zootreeves/blockchain.info
I have a cron job on my local machine to run this script regularly and alert me of any anomalies.
Also note:
- It is recommended you enable double encryption, which would keep your wallet safe if you only logged in to check your balance.
- Enabling two factor authentication protects from keyloggers on your own PC (and/or use the onscreen virtual keyboard to type in your second password).
- I receive SMS alerts on SSH login or when the Tomcat context reloads (which is needed to alter any JS).

How did you set up your server to send a text when there is an SSH login? I'd like that for a couple of my servers.
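The checks piuk lists (inline scripts, unrecognised external scripts, local scripts that differ from a known-good copy) as a small page-integrity scanner. This is an added example, not the My-Wallet-Integrity-Checker's own code; the HTML, allow-listed host and reference file contents are constructed for illustration.

```python
"""Page-integrity check in the spirit of the thread's verifier: flag inline
<script> blocks, external scripts whose host is not allow-listed, and local
scripts whose SHA-256 differs from a known-good copy. Added example, not the
project's code; sample page, host list and reference JS are constructed."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False


def check_page(html, allowed_hosts, served_files, known_hashes):
    """Return (severity, message) findings; an empty list means 'verified'."""
    p = ScriptCollector()
    p.feed(html)
    findings = [("review", f"inline script: {b.strip()[:40]!r}") for b in p.inline]
    for src in p.external:
        if src.startswith(("http://", "https://", "//")):
            host = src.split("//", 1)[1].split("/", 1)[0]
            if host not in allowed_hosts:
                findings.append(("alert", f"unrecognised external script: {src}"))
        else:  # site-relative path: hash what the server served, compare to reference
            path = src.lstrip("/")
            digest = hashlib.sha256(served_files.get(path, b"")).hexdigest()
            if known_hashes.get(path) != digest:
                findings.append(("alert", f"local script differs from reference: {path}"))
    return findings


# Constructed reference copy (stands in for the GitHub checkout) and allow-list.
REFERENCE_JS = {"Resources/wallet.js": b"function login(){ /* reference */ }"}
KNOWN_HASHES = {p: hashlib.sha256(c).hexdigest() for p, c in REFERENCE_JS.items()}
ALLOWED_HOSTS = {"blockchain.info"}
CLEAN_PAGE = '<html><head><script src="/Resources/wallet.js"></script></head></html>'
TAMPERED_PAGE = ('<html><head><script src="/Resources/wallet.js"></script>'
                 '<script src="https://cdn.example.invalid/extra.js"></script>'
                 '<script>window.onload = function(){};</script></head></html>')


def scan(html, served_files):
    """Run the check against the constructed allow-list and reference hashes."""
    return check_page(html, ALLOWED_HOSTS, served_files, KNOWN_HASHES)
```

A cron job would fetch the live page and its local scripts, call `scan`, and alert on any non-empty result.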
BkkCoins
March 03, 2012, 01:59:20 AM
Excellent to see that there is now a way to check the javascript.

Quote from: Red Emerald
How did you setup your server to send a text when there is an SSH login? I'd like that for a couple of my servers.
The simplest way would be to add a command to your .bashrc on that account. It could also likely be done with a PAM module but I haven't researched if there is a specific one available. There is one to send OTP via SMS using PAM. Google "SMS PAM".
BkkCoins
March 04, 2012, 01:34:17 AM
Wow. That's even better! I was going to suggest a Firefox add-on but I thought it was a bit too overbearing. After all you have so much fantastic work already. I'll give this a try out now.
BkkCoins
March 04, 2012, 02:01:23 AM
I've tried this out. Installed fine. I did a brief source code review to make sure nothing looked malicious (and I didn't notice anything suspect). But when I go to the login page I get a lot of warnings in the error console. I was expecting a "Verified" message in the console (since I saw it in the code) but didn't get that. Maybe that happens only for some cases.

Below are a few of the many, many warnings in the error console. It would be nice if it didn't spit out quite so many, but as long as errors aren't showing can we assume it was successfully verified? They seem to be all related to the bootstrap.min.css file:

Warning: Error in parsing value for 'background-image'. Declaration dropped. Source File: https://blockchain.info/Resources/bootstrap.min.css Line: 283
...
Warning: Error in parsing value for 'filter'. Declaration dropped. Source File: https://blockchain.info/Resources/bootstrap.min.css Line: 296
...
Warning: Unknown property 'transition'. Declaration dropped. Source File: https://blockchain.info/Resources/bootstrap.min.css Line: 322
piuk (OP)
March 04, 2012, 04:55:09 PM Last edit: March 04, 2012, 05:08:55 PM by piuk
Quote from: BkkCoins
I've tried this out. Installed fine. I did a brief source code review to make sure nothing looked malicious (and I didn't notice anything suspect). But when I go to the login page I get a lot of warnings in the error console. I was expecting a "Verified" message in the console (since I saw it in the code) but didn't get that. Maybe that happens only for some cases.

Thanks for testing it out. I think maybe when I packaged it up something may have messed up. I have uploaded a new version if you could try that:
Firefox: https://addons.mozilla.org/en-US/firefox/addon/mywalletverifier/ (Pending review)
Chrome: https://chrome.google.com/webstore/detail/kcapglakfcodkajgllmkiddclghogkic
Safari: https://raw.github.com/zootreeves/My-Wallet-Integrity-Checker/master/mywallet.safariextz (Pending acceptance into the Safari web gallery)
I've put up some info explaining what you should see in the console here: https://blockchain.info/wallet/verifier

Quote from: BkkCoins
Below are a few of the many, many warnings in the error console. It would be nice if it didn't spit out quite so many, but as long as errors aren't showing can we assume it was successfully verified?

The verifier does not check the CSS (perhaps it should, I'm not sure). These are "standard" Firefox CSS warnings; there is not much I can do about them.
beckspace
March 04, 2012, 05:06:48 PM
Brilliant! Installing now. You can't get this level of security without being open-source.
BkkCoins
March 05, 2012, 12:42:56 AM
Tested again and it appears to be working fine. It shows the expected console messages this time. Super excellent. It closes a potential attack vector and makes the wallet that much better. It also appears the source code was really cleaned up and that makes it easier to audit. I didn't see anything suspicious.
---
Something else I was thinking about is whether MyWallet could have a maximum spend limit where an attempt to spend more could trigger a side channel verification, like maybe send an email that needs a confirmation (or other method). Of course, it would need the same confirmation to be able to change the limit.
Anyway, just thinking out loud how MyWallet could be more secure in an environment like Bitcoinica where even if your password was exposed there would be a limit to damage.
HostFat
March 05, 2012, 12:59:11 AM
You are really improving it. I think that you should advertise it on Facebook / Twitter / Google Plus now.
bitprotection
March 05, 2012, 01:03:27 AM
Great website btw, been using the wallet service, pretty slick!
Stephen Gornick
March 05, 2012, 04:28:28 AM
A bug report here.
When I attempt to spend the full amount in my wallet without considering the 0.0005 fee, I am presented with the dialog "Miners Fee Recommended". If I click the Add Fee button, nothing happens. This is presumably because I don't have enough in my wallet to cover the payment + fee. If I instead spend only enough so that I have 0.0005 (or more) available for the fee, the Add Fee is then accepted and I am able to proceed.
A second problem. If I have an empty wallet but attempt a new transaction using Send Money, after clicking Review Transaction I am presented with the error message: "Error getting unspent outputs. Please check your internet connection.". Is there no way to discern that the problem is not connectivity but that there are no funds?
dooglus
March 05, 2012, 10:16:54 AM
I updated it so it now shows the private keys in 'sipa format', ready for importing into the official 0.6.x client, once it's released: http://bitcoin.stackexchange.com/a/3037/659
Check that it was last edited Feb 29th 2012.
dvide
March 05, 2012, 08:25:46 PM Last edit: March 05, 2012, 08:52:17 PM by dvide
Am I the only person having trouble decrypting their wallet all of a sudden? I use google authenticator, which might be related. I didn't access it for a few days and now there's an 'Error Decrypting Wallet'. The password is the same, I'm sure of that. Nobody else? EDIT: Just tried it on Firefox and it works fine. Must be some problem with Chrome 18, on the beta channel. EDIT: Or not. Now it works on Chrome too. Did you just this moment change something to fix it, piuk?
piuk (OP)
March 07, 2012, 01:53:10 PM Last edit: March 07, 2012, 02:16:11 PM by piuk
You can now choose the number of confirmations for alerts.

If I were to do SMS Notifications and Call for balance / spoken list of recent transactions using Twilio (suggested by Stephen Gornick):
0.01 BTC per SMS
0.01 BTC per minute for balance enquiries
Minimum purchase 1 BTC (100 SMS's)
How many people would be interested in this?
D.H.
March 07, 2012, 02:42:34 PM
Small bug report. Total bitcoins in circulation in the realtime API is not correct (or I don't know how to interpret the number). I don't think that this is a new problem, it might always have been like this.
BkkCoins
March 08, 2012, 01:36:30 AM
Quote from: piuk
If I were to do SMS Notifications and Call for balance / spoken list of recent transactions using Twilio (suggested by Stephen Gornick):
0.01 BTC per SMS
0.01 BTC per minute for balance enquiries
Minimum purchase 1 BTC (100 SMS's)
How many people would be interested in this?

This seems reasonable. I wouldn't be able to use it since I'm in Thailand and Twilio currently only supports SMS within US, Canada and UK (as far as I can make out). They do have an International SMS Beta though, and if you sign up then they allow sending to 600 carriers worldwide for the same cost (for now; I'm sure costs will change after the testing). Their site says "currently Intl SMS is cost prohibitive" but that's clearly untrue as I've used Clickatell several times for SMS to Thailand.

All that said, I would do so little volume that even if you had Intl support the actual SMS income would be tiny. I think 1 BTC minimum is a bit high for this reason. I could see it being years to use that much credit and so wouldn't want to just throw that BTC away unless it was something I'd actually need vs. just a neat thing to play with.
Stephen Gornick
March 08, 2012, 02:17:35 AM
Quote from: piuk
0.01 BTC per SMS
Is this being offered primarily to serve those who cannot just receive an e-mail at their mobile phone's e-mail address (which gets delivered as a text message)? e.g., 3456789012@tmomail.net for T-Mobile? Or is this a different alert?
gnar1ta$
March 08, 2012, 04:19:41 AM
I would be happy to pay the fee, and receive a simple SMS and an ad supported email.
piuk (OP)
March 08, 2012, 12:51:15 PM Last edit: March 08, 2012, 02:19:12 PM by piuk
Quote from: D.H.
Small bug report. Total bitcoins in circulation in the realtime API is not correct (or I don't know how to interpret the number). I don't think that this is a new problem, it might always have been like this.

Thanks, I'll take a look.

Quote from: Stephen Gornick
Is this being offered primarily to serve those who cannot just receive an e-mail at their mobile phone's e-mail address (which gets delivered as a text message)? e.g., 3456789012@tmomail.net for T-Mobile?

Yes, for those providers who don't offer this service and for those who want immediate notifications, without the email to SMS delay.

Quote from: BkkCoins
If I were to do SMS Notifications and Call for balance / spoken list of recent transactions using Twilio (suggested by Stephen Gornick) 0.01 BTC per SMS 0.01 BTC per minute for balance enquiries Minimum purchase 1 BTC (100 SMS's) How many people would be interested in this?
This seems reasonable. I wouldn't be able to use it since I'm in Thailand and Twilio currently only supports SMS within US, Canada and UK (as far as I can make out). They do have an International SMS Beta though, and if you sign up then they allow sending to 600 carriers worldwide for the same cost (for now; I'm sure costs will change after the testing). Their site says "currently Intl SMS is cost prohibitive" but that's clearly untrue as I've used Clickatell several times for SMS to Thailand.

I'll apply for the international beta and see what they say. Clickatell seems quite expensive and the API isn't quite as good.

Quote from: gnar1ta$
I would be happy to pay the fee, and receive a simple SMS and an ad supported email.

At least that would be one customer.

----------------

The site reached 5k wallets yesterday, that means... New disclaimer: https://blockchain.info/disclaimer and privacy policy https://blockchain.info/privacy
The disclaimer may seem a little harsh, but I want to make it clear that the Site is not a bank. It is an Interface Only - I don't care what wallets are stored or transactions made through the site but equally will not be held liable for them. This is part of the reason I removed the transaction fees. Uptime has been much better recently.