Author Topic: Bitcoin APIs and the dangers of revealing your private key.  (Read 805 times)
gweedo (OP)
May 02, 2014, 03:14:36 AM
Last edit: May 02, 2014, 03:34:06 AM by gweedo
 #1

I wasn't going to post this until tomorrow, but a certain publication decided to put a spotlight on a service that is using bad practices, and I wanted to show why certain businesses that understand the protocol are unique and not just trying to be only first movers.

Quote
Don’t trust apis with your bitcoin private keys! It was brought to our attention that competitors of ours have built in functions to sign transactions for you, as long as you supplied the private key. I will not name them as this would take away from our post. I believe this is extremely dangerous and a complete disregard for users’ safety. We take security extremely seriously in our api, and even if users don’t understand the protocol as well as us, we want to protect them from themselves.

Anytime a private key is exposed and sent over the internet unencrypted or even encrypted, it is dangerous and the private key should be treated as a compromised key. That means it should never be used again for any transactions. If a malicious actor got to that private key they could easily craft a transaction that could be confirmed before your intended transaction. It isn’t worth the risk, we understand that this is easier and probably more attractive but also bad standard practices for bitcoins.

This is why I promote cold storage wallets anytime I talk to anyone looking to use our api. Cold storage wallets are not something users learn about until it is usually too late, but we need to change that.

https://apicoin.io/blog/2014/05/01/dont-trust-apis/
bountygiver
May 03, 2014, 12:28:02 AM
 #2

Always follow this rule: Sign your transactions on your own device and your own device only

12dXW87Hhz3gUsXDDCB8rjJPsWdQzjwnm6
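
An added example, not part of either post and not code from any API mentioned in the thread: a client-side guard, in the spirit of the rule above, that refuses to hand a request body to the HTTP layer if any field holds a private key in Wallet Import Format (WIF). It assumes keys would travel as WIF strings inside a JSON-like body; the function names and the sample key are constructed for illustration.

```python
import hashlib
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:  # only used to build the sample below
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text: str):
    """Return the payload if text is valid Base58Check, else None."""
    n = 0
    for ch in text:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))  # leading '1's are leading zero bytes
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]

def is_wif(value: str) -> bool:
    """True for a WIF private key: version 0x80/0xEF + 32 key bytes (+ 0x01)."""
    p = b58check_decode(value)
    return (p is not None and p[0] in (0x80, 0xEF)
            and (len(p) == 33 or (len(p) == 34 and p[-1] == 1)))

def find_key_fields(obj, path="$"):
    """Return the JSON path of every string in obj that is a WIF private key."""
    if isinstance(obj, str):
        return [path] if is_wif(obj) else []
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in find_key_fields(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in find_key_fields(v, f"{path}[{i}]")]
    return []

def guard_outbound(body):  # call this before the body reaches the HTTP client
    hits = find_key_fields(body)
    if hits:
        raise ValueError("private key material in request: " + ", ".join(hits))
    return body

SAMPLE_WIF = b58check_encode(b"\x80" + bytes(range(1, 33)) + b"\x01")  # constructed sample
```

The check only recognises WIF strings; a key sent as raw hex is indistinguishable from a transaction hash by format alone and is not caught here.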