Bitcoin Forum
December 03, 2016, 04:47:42 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Blockchain.info/wallet is the BEST Bitcoin client as-of-date.  (Read 9000 times)
memvola
Hero Member
*****
Offline Offline

Activity: 896


View Profile
February 13, 2012, 02:10:42 AM
 #21

This applies to any software that can be altered at the server level. No client protects from this.

Again, the "over-engineered" multisig makes it possible. You can use separate services and/or devices for each element. A system with two or more points of failure provides much more reliability and security than one with single point of failure.
1480740462
Hero Member
*
Offline Offline

Posts: 1480740462

View Profile Personal Message (Offline)

Ignore
1480740462
Reply with quote  #2

1480740462
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480740462
Hero Member
*
Offline Offline

Posts: 1480740462

View Profile Personal Message (Offline)

Ignore
1480740462
Reply with quote  #2

1480740462
Report to moderator
Jon
Donator
Member
*
Offline Offline

Activity: 98


No Gods; No Masters; Only You


View Profile
February 13, 2012, 02:45:24 AM
 #22

This applies to any software that can be altered at the server level. No client protects from this.

Again, the "over-engineered" multisig makes it possible. You can use separate services and/or devices for each element. A system with two or more points of failure provides much more reliability and security than one with single point of failure.


It still remains to be an overengineered solution for something that can be solved with MD5 checksums and an additional accessory.

The Communists say, equal labour entitles man to equal enjoyment. No, equal labour does not entitle you to it, but equal enjoyment alone entitles you to equal enjoyment. Enjoy, then you are entitled to enjoyment. But, if you have laboured and let the enjoyment be taken from you, then – ‘it serves you right.’ If you take the enjoyment, it is your right.
Blind
Full Member
***
Offline Offline

Activity: 235



View Profile
February 13, 2012, 02:56:08 AM
 #23

How is this any more secure than any other e-wallet that actually stores the users keys?

You are still dependent on a third-party for security.  Anyone who hacks the server can just serve different JS that records the information
entered into the client and submits it somewhere, then steal all the coins.

It seems to do this securely, one would need to be able to "pin" the code that sees the passphrase.  E.g. a browser extension rather than a web page.

Moreover, just like mybitcoin and other web-wallets, if such a thing happens, there is no way you can know if the service was really hacked or the owner is just running with the coins.

tl;dr wallet security will only come if all the code that sees the passphrase is pinned and cannot be modified easily without approval from many people (e.g. the bitcoin client itself)

+∞

http://www.matasano.com/articles/javascript-cryptography/

Government is not the solution to our problem. Government is the problem. -- Ronald Reagan
Jon
Donator
Member
*
Offline Offline

Activity: 98


No Gods; No Masters; Only You


View Profile
February 13, 2012, 03:06:49 AM
 #24

How is this any more secure than any other e-wallet that actually stores the users keys?

You are still dependent on a third-party for security.  Anyone who hacks the server can just serve different JS that records the information
entered into the client and submits it somewhere, then steal all the coins.

It seems to do this securely, one would need to be able to "pin" the code that sees the passphrase.  E.g. a browser extension rather than a web page.

Moreover, just like mybitcoin and other web-wallets, if such a thing happens, there is no way you can know if the service was really hacked or the owner is just running with the coins.

tl;dr wallet security will only come if all the code that sees the passphrase is pinned and cannot be modified easily without approval from many people (e.g. the bitcoin client itself)

+∞

http://www.matasano.com/articles/javascript-cryptography/

Javascript has serious flaws but they can be fixed. If we are going to bring Bitcoin to the end-user, we need to do it through the browser. All of Bitcoin's competitors rely soley on the browser and most users aren't going to compromise on that. They do not want to be bothered with software installations for something that has been and should remain seamless all the way through.

I think people deserve the best experience when it comes to Bitcoin. Their idea of best does not entail hobbyist level, military-grade security from back-to-front when it can't even allow the user to easily understand and manage their finances; at least not more easily than what Paypal brings them.

Over-engineered security will be the end of Bitcoin. We have to focus solely on what regular people want and not our scrupulous desires that remain stuck in a hobbyist culture.

The Communists say, equal labour entitles man to equal enjoyment. No, equal labour does not entitle you to it, but equal enjoyment alone entitles you to equal enjoyment. Enjoy, then you are entitled to enjoyment. But, if you have laboured and let the enjoyment be taken from you, then – ‘it serves you right.’ If you take the enjoyment, it is your right.
finway
Hero Member
*****
Offline Offline

Activity: 714


View Profile
February 13, 2012, 04:30:26 AM
 #25

Good choice.

D.H.
Sr. Member
****
Offline Offline

Activity: 311


Bitcoin.se site owner


View Profile WWW
February 13, 2012, 09:26:17 AM
 #26

You are contradicting yourself. You say this (which I agree with):

If we are going to bring Bitcoin to the end-user...
[...]
They do not want to be bothered with software installations...
[...]
We have to focus solely on what regular people want

But you also say this:

There's the method of not using a compromised device and not making it probable for your device to be compromised in the first place.
[...]
Maybe this wallet isn't for morons.

Regular people aren't interested in computers so they don't know how to keep it safe, and they shouldn't have to bother with it. You said it yourself, "they do not want to be bothered with software installations". How do you expect them to keep their computer safe if they shouldn't even be bothered with installing software?

www.bitcoin.se - Forum, nyheter och information på svenska! (Forum, news and information in Swedish)
minimalB
Donator
Hero Member
*
Offline Offline

Activity: 627


View Profile
February 13, 2012, 11:41:04 AM
 #27

How do i quickly enter 30+ character address into this thing? Manually? Should seller send me an email so i can copy/paste it?

It looks impractical to me as a mobile phone wallet without QR reading ability.
Jon
Donator
Member
*
Offline Offline

Activity: 98


No Gods; No Masters; Only You


View Profile
February 13, 2012, 11:47:41 AM
 #28

You are contradicting yourself. You say this (which I agree with):

If we are going to bring Bitcoin to the end-user...
[...]
They do not want to be bothered with software installations...
[...]
We have to focus solely on what regular people want

But you also say this:

There's the method of not using a compromised device and not making it probable for your device to be compromised in the first place.
[...]
Maybe this wallet isn't for morons.

Regular people aren't interested in computers so they don't know how to keep it safe, and they shouldn't have to bother with it. You said it yourself, "they do not want to be bothered with software installations". How do you expect them to keep their computer safe if they shouldn't even be bothered with installing software?


You make things safe without requiring software installations. No contradiction.

The Communists say, equal labour entitles man to equal enjoyment. No, equal labour does not entitle you to it, but equal enjoyment alone entitles you to equal enjoyment. Enjoy, then you are entitled to enjoyment. But, if you have laboured and let the enjoyment be taken from you, then – ‘it serves you right.’ If you take the enjoyment, it is your right.
Jon
Donator
Member
*
Offline Offline

Activity: 98


No Gods; No Masters; Only You


View Profile
February 13, 2012, 11:48:40 AM
 #29

How do i quickly enter 30+ character address into this thing? Manually? Should seller send me an email so i can copy/paste it?

It looks impractical to me as a mobile phone wallet without QR reading ability.


It gives you the ability to use a simple identifier. Again, the software has interface issues.

The Communists say, equal labour entitles man to equal enjoyment. No, equal labour does not entitle you to it, but equal enjoyment alone entitles you to equal enjoyment. Enjoy, then you are entitled to enjoyment. But, if you have laboured and let the enjoyment be taken from you, then – ‘it serves you right.’ If you take the enjoyment, it is your right.
D.H.
Sr. Member
****
Offline Offline

Activity: 311


Bitcoin.se site owner


View Profile WWW
February 13, 2012, 12:26:17 PM
 #30

You are contradicting yourself. You say this (which I agree with):

If we are going to bring Bitcoin to the end-user...
[...]
They do not want to be bothered with software installations...
[...]
We have to focus solely on what regular people want

But you also say this:

There's the method of not using a compromised device and not making it probable for your device to be compromised in the first place.
[...]
Maybe this wallet isn't for morons.

Regular people aren't interested in computers so they don't know how to keep it safe, and they shouldn't have to bother with it. You said it yourself, "they do not want to be bothered with software installations". How do you expect them to keep their computer safe if they shouldn't even be bothered with installing software?


You make things safe without requiring software installations. No contradiction.

That's not my point. My point is that people who don't want to bother with installing software are the same people that don't want to bother with keeping their computer safe. They want it to just work. Like I want my car to just work.

So you help them with one thing but not with the other.

www.bitcoin.se - Forum, nyheter och information på svenska! (Forum, news and information in Swedish)
piuk
Hero Member
*****
Offline Offline

Activity: 910



View Profile WWW
February 13, 2012, 07:13:00 PM
 #31

How is this any more secure than any other e-wallet that actually stores the users keys?

Because full server hacks are less common than database leaks. To have any significant effect the hacker's malicious code would have to go unnoticed for an extended period of time and it would only effect users who logged in with both their main password and second password during this time. You also can't make your own backup incase the operator ever goes AWOL. I'm not saying it is infallible, but it is better than storing keys.


The first point about TLS doesn't apply, all content is sent over SSL. Also a secure key store is also not needed.

Yes the runtime is malleable but it as not as easy to inject malicious js as that article suggests. Very little user provided data is printed on My Wallet pages and it is checked at multiple points for validity. Anyone is more than welcome to review our server side code for XSS vulnerabilities (https://raw.github.com/zootreeves/blockchain.info/master/WalletServlet.java). The site is vulnerable to malicious browser extensions, if any are discovered I will act accordingly.

The RNG uses the native window.crypto extension if available and is seeded with every mouse click and key press. I am dubious whether this can actually be exploited in practice.

You can also create a watch only wallet and scan your private keys from a paper wallet in "offline mode", in this case you are protected from any malicious javascript and do not need to trust blockchain.info at all.

How do i quickly enter 30+ character address into this thing? Manually? Should seller send me an email so i can copy/paste it?

You can enter the firstbits which are typically 5-6 characters. Native iPhone app will be available soon.

BkkCoins
Hero Member
*****
Offline Offline

Activity: 784


firstbits:1MinerQ


View Profile WWW
February 14, 2012, 02:44:27 AM
 #32

It would be good if there were a way to sign the JS code and have the browser verify it upon every download. If the signing key is kept offline then even a server compromise would not allow altering the JS code maliciously.

This would not even need to be verifiable by all users. Even a few capable users would be enough to  detect and notify quickly. I don't know if there is browser add-ons for signed code checking but seems like there should be.

memvola
Hero Member
*****
Offline Offline

Activity: 896


View Profile
February 14, 2012, 08:26:57 AM
 #33

This would not even need to be verifiable by all users.

You could do it yourself, for instance. Just curl and diff, if false then remote shut down server and alert admin. I'm sure it's already in place, that's why this sort of attack wouldn't affect the server for a long period. If the server is compromised though, the program can stay dormant until a juicy account is online. Potentially the attack wouldn't be worth it.

Still, these are patches to the security concerns we already know of. That's why an elegant and general solution is necessary.
DiThi
Full Member
***
Offline Offline

Activity: 157

Firstbits: 1dithi


View Profile
February 14, 2012, 08:51:43 AM
 #34

I think the best client is Electrum. It's simple, easy, fast and best of all: it's very easy for me to modify the code to suit my needs. I've modified it to send transactions from any address I want just by having the private key, sending the change to the same address and without needing to import it.

After Electrum, the best one is blockchain.info, I agree. I suggest piuk to add a bigger button for entering the wallet. Each time I want to enter I find a bit difficult to find wallet, then login. Also, when you type the pseudonym in the login field and go to the password field, the login field should change automatically instead me needing to press the button, waiting and then type the password.

Edit: I agree with BitcoinSpinner also being great! I've done half of my transactions to date with it!

Edit 2: My 100th post! Woo!

1DiThiTXZpNmmoGF2dTfSku3EWGsWHCjwt
Jan
Legendary
*
Offline Offline

Activity: 1042



View Profile
February 14, 2012, 12:31:56 PM
 #35

The best client depends on your use case. IMO there is no silver bullet.
More and more people use their smart devices more than their ordinary computer, and being able to pay (small) amounts with a few clicks is very appealing.
BitcoinSpinner was designed for this purpose, and has some nice features related to this discussion:
  • You decide when to update the software
  • Back up once and for all using a QR-code
  • Ready for use right after installation
  • Private key never leaves device
  • Server cannot spend your coins


Mycelium let's you hold your private keys private.
realnowhereman
Hero Member
*****
Offline Offline

Activity: 504



View Profile
February 14, 2012, 12:42:15 PM
 #36

The best client depends on your use case. IMO there is no silver bullet.
More and more people use their smart devices more than their ordinary computer, and being able to pay (small) amounts with a few clicks is very appealing.
BitcoinSpinner was designed for this purpose, and has some nice features related to this discussion:
  • You decide when to update the software
  • Back up once and for all using a QR-code
  • Ready for use right after installation
  • Private key never leaves device
  • Server cannot spend your coins

This is certainly true at present BitcoinSpinner is a masterpiece of simplicity and is what I give to anyone I'm showingn bitcoins to.

But I think if you're looking for where your competition will come from it is if blockchain.info releases an android client (assuming all the features from the website carry over).

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
gnar1ta$
Donator
Hero Member
*
Offline Offline

Activity: 756


View Profile
February 14, 2012, 06:21:51 PM
 #37

Good thing I printed my keys  Wink

Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
ThomasV
Legendary
*
Offline Offline

Activity: 1722



View Profile WWW
February 16, 2012, 08:32:13 AM
 #38

I think the best client is Electrum. It's simple, easy, fast and best of all: it's very easy for me to modify the code to suit my needs. I've modified it to send transactions from any address I want just by having the private key, sending the change to the same address and without needing to import it.

hey, thanks a lot! I appreciate that!

Electrum: the convenience of a web wallet, without the risks
minimalB
Donator
Hero Member
*
Offline Offline

Activity: 627


View Profile
March 30, 2012, 02:23:00 PM
 #39

Native iPhone app will be available soon.
Since android App is already out, i guess we are close!!!
Omni
Jr. Member
*
Offline Offline

Activity: 42


View Profile
March 30, 2012, 10:44:34 PM
 #40

Agreed bro.. its solid!
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!