Bitcoin Forum
December 04, 2016, 02:25:18 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3]  All
  Print  
Author Topic: You think you don't need to trust blockchain.info ? Think again  (Read 13422 times)
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
August 29, 2012, 10:38:36 AM
 #41

When I goto https://blockchain.info/wallet/ my wallet verifier extension gives the below message?

https://chrome.google.com/webstore/detail/kcapglakfcodkajgllmkiddclghogkic

Message: "*** Serious Error - Javascript inconsistencies found. Maybe malicious - Do not Login! Please contact support@pi.uk.com"

Since I switched back to firefox I haven't seen this massage yet but when I used chrome I did see this from time to time and usually if I refreshed the site the message went away. I know there's an explanation for this but I forgot what it is..

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
thanke
Member
**
Offline Offline

Activity: 104


View Profile
December 06, 2012, 07:53:03 PM
 #42

Why does blockchain's mywallet use a JS wallet and a browser plugin to verify it? Why not simply a browser plugin like lastpass? Wouldn't that be more secure?
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
December 06, 2012, 07:56:54 PM
 #43

Why does blockchain's mywallet use a JS wallet and a browser plugin to verify it? Why not simply a browser plugin like lastpass? Wouldn't that be more secure?

The advantage of having the encryption and signing done in javascript is the source is available.  Can you make a browser plugin in javascript?  If so then it likely isn't any more secure but it certainly isn't any less secure.  If the browser plugin is running opaque code then it is significantly less secure than using javascript.
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
December 07, 2012, 06:21:46 PM
 #44


Basically, that means that blockchain.info, strongcoin.com, {insert client-side JS wallet here} is inherently less safe than a standalone client, and not much safer than a hosted wallet.


Even if your claims on security are completely correct, I still somewhat disagree. The single worst disaster relating to hosted Bitcoin wallets that we have had in 2012, Bitcoinica, was not due to malicious action - it was due to inaction and a bad default. Of course, the thefts did precipitate the whole debacle, but the money that was actually stolen is only about a third of the sum that account holders actually had, and the reason why the other two thirds still haven't been returned is because the money sat in Bitcoinica's wallet and so when Patrick et al simply sat on the money for two months by default that money was not accessible to users. With a Blockchain-like setup (obviously a strictly blockchain-like setup can't really be used for a Bitcoinica-like application, as it needs access to the money to operate, but that's beside the point here), the default would instead have been for users to be able to instantly access and recover their funds from a backup. It's not inaction, but active theft, that would be the threshold required for customers to actually lose any money - a threshold which, if you break and are caught, will likely lead to you going to jail.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
hazek
Legendary
*
Offline Offline

Activity: 1078


View Profile
December 08, 2012, 03:28:19 PM
 #45

FYI the entire discussion in this thread will with the arrival of hardware wallets soon be irrelevant. I hope that even blockchain.info will make use of them.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
Red Emerald
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
December 08, 2012, 07:40:42 PM
 #46

FYI the entire discussion in this thread will with the arrival of hardware wallets soon be irrelevant. I hope that even blockchain.info will make use of them.
OMG YES

SirWilliam
Full Member
***
Offline Offline

Activity: 227


View Profile
April 17, 2013, 12:05:53 PM
 #47

This is true for all wallets that advertise in-browser cryptography.

They are all vulnerable to code-poisoning when the central server gets compromised.

To properly do javascript cryptography you need to publish a signed browser extension that therefore doesn't get served dynamically and therefore is invulnerable to server-side code-poisoning.

Basically, that means that blockchain.info, strongcoin.com, {insert client-side JS wallet here} is inherently less safe than a standalone client, and not much safer than a hosted wallet.

Thoughts welcome !

Sorry to dredge up an old conversation, especially when I obviously don't understand what is being said as well as any of the posters in this thread, but I had a question about the security issue discussed. here.

Would the dangers you discuss, server-side poisoning, dishonest site owner using any of the methods you discuss, etc., still apply in the case of someone who carried out the procedure of creating a wach-only address by logging in, disconnecting internet, creating the address in private browsing mode, printing out the paper wallet for the new address, deleting all traces in the browser, then logging in and importing the new address as a new watch only address?

I mean to say that if this procedure was done so that the address and private key were created offline and then if the user NEVER sent bitcoins out of that address, therefore never entering the private key for the transaction, would the site owner or someone who poisoined the code still be able to derive the private key in some way? I mean if a user had a watch only address in their wallet and never even entered the private key to send coins then how could the private key be captured?

Thanks for any responses!
jubalix
Legendary
*
Offline Offline

Activity: 1330


View Profile
April 17, 2013, 02:47:04 PM
 #48

I installed that javascipt checker mywallet 1.9 that tells me if the JS has had something injected into it....does this help much?Huh


This is true for all wallets that advertise in-browser cryptography.

They are all vulnerable to code-poisoning when the central server gets compromised.

To properly do javascript cryptography you need to publish a signed browser extension that therefore doesn't get served dynamically and therefore is invulnerable to server-side code-poisoning.

Basically, that means that blockchain.info, strongcoin.com, {insert client-side JS wallet here} is inherently less safe than a standalone client, and not much safer than a hosted wallet.

Thoughts welcome !

::CoinWatch:: watch your PPC/BTC/LTC addresses and get a running balance, no QT, no private keys, no passwords, no logins no, sign ups.
hamiltino
Hero Member
*****
Offline Offline

Activity: 644


P2P The Planet!


View Profile
October 31, 2013, 03:34:53 PM
 #49

Switched over from blockchain.info wallet to an offiline wallet.

I sleep better.

stacking coin
piuk
Hero Member
*****
Offline Offline

Activity: 910



View Profile WWW
October 31, 2013, 08:37:42 PM
 #50

Since this old thread has been necro'd I might as well post an update.

Fully packaged browser extensions are now available for Chrome and Firefox, which addresses the concern in the original post:

Info:

https://blockchain.info/wallet/browser-extension

Chrome:

https://chrome.google.com/webstore/detail/blockchain/glaohkkooicollgefkkmndjcbblominl

Firefox:

https://addons.mozilla.org/en-US/firefox/addon/my-wallet/

Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!