Topic: Alternative clients, risks, pros, cons, security? (Read 1280 times)

Full node clients (Bitcoin-QT / Armory) download the full block chain. They are slower, but they also play a key role, which includes securing lightweight clients.

Lightweight clients (Bitcoin Wallet for Android, Multibit, and soon Hive) use SPV (simplified payment verification), these are also decentralized and only download specific parts of the block chain.
https://en.bitcoin.it/wiki/Thin_Client_Security#Simplified_Payment_Verification_.28SPV.29

Server-trusting clients ( Electrum / Mycelium ), these wallets connect to a remote server that handle the block chain for them, but the wallet is still controlled by the user. Electrum also lets users create their own servers.

Web wallets ( coinbase, BIPS ), are like banks for Bitcoin. They have 100% control over your wallet and must secure all of their users' funds. One huge difference, however, is that there is no security standard / insurance yet, so they still don't provide the basic protections all banks are required to provide.

Hybrid wallets ( blockchain.info ), Hybrid wallets usually are web wallets (no software) for which the private keys are generated locally in your browser, and encrypted before they are stored on the remote server. It's easier to compromise users' wallets by attacking this service than a software wallet, but it's still harder than usual web wallets.

@OP (Don't want to qoute the whole long post to answer only 1 question) The Bitcoin wallet for Android is a lightweight client. I think it only checks the parts of the blockchain that are associated with your addresses. However, don't qoute me on that, there might be someone who might know more about the software.

I use MultiBit and am very satisfied. I could not imagine going back to the default client.


When will someone come out with a multi-coin wallet? One that can hold BTC, LTC, etc.
I'm tired of switching between all the different clients! 

The standard client gets much more attention, because there are more developers and users.

With lightweight clients there is always a chance that the parts that were cut out to make the implementation lighter had some sort of use. One example for this is address reuse.  Blockchain.info, for example, sends the change back to the original address. So each spending results in a signature with the same private key. In general, this is fine because each signing also involves a random number. If the RNG is broken (which happened to android devices recently), two random numbers can be very similar. This in turn makes it possible to calculate the private key from two signatures that used the same private key.

Yes, those are some odd circumstances. I'm not saying lightweight clients are bad, but I also would not keep too much money in them.

I too have this question.
Plus I would also like to know how to best secure the Multibit wallet, beacuse I dont have a spare computer to store offline wallet.

Many questions. I'll get started answering with what I have some experience with.



Armory interfaces with bitcoind from Bitcoin-Qt, so for that purpose it is like running Bitcoin-Qt, which means storing the full chain and requiring plenty of memory. On top of that, Armory adds additional security features like deterministic wallets and offline signing of transactions. In its current version it is a huge memory hog (you need about 8GB memory), which will be addressed in the next version.

Offline means that you have the option to sign a transaction on a seperate client. To use this feature, you create the transaction on the online client (which has bitcoind running and the full blockchain) by entering recipient and amount. This transaction is then saved to USB stick and can be copied to the offline computer. The idea here is to have a seperate computer, which was never connected to the internet. On this computer the private key was generated and never leaves it. Therefore an adversary would need to physically access the computer and know the passphrase to use the key. After copying the transaction to the offline computer, reviewing it, and signing it, it is again copied to the online computer (via USB stick), to be broadcast to the network. Note that the offline computer does not need a running bitcoind or the blockchain and, therefore, has low system requirements.

I'm having trouble understanding what are the security implications of using a light weight client?  Can somebody help clarify or point me to some good reading on the topic?

What I really don't understand are the various warnings given on bitcoin.org for different clients.  Why do some third party clients get a warning and others don't?


OK this is obvious and straight forward.


What would be the risks of using a "lightweight client" versus the standard client?


Is it as secure as the original?  I guess needless to say you must store the blockchain locally if it works offline?



Why doesn't this have a warning like the clients below?  Obviously it cannot store the block chain on a phone.  How does it work then?  How can it not rely on any central service?  If it's possible to make a lightweight client that doesn't need a lot of storage or a central service then why are people making clients that rely on central services?