Best practices for exchange / website operators?

kasimir

newbie

Activity: 19

Merit: 0

The last link seems the most promising, but I'm really thinking about something that has a lot more theory / analysis behind it. I guess I'm more familiar with a technical report / academic paper style, but I mean something that a group of people spend 3-6 months researching, culminating in a "best practices" paper or report. It would probably be something around 30 pages long...

(The last link (the only remotely applicable one), for example, doesn't even make sense from the first point: an AES-256 key being generated from a "salt" just shows a lack of understanding of crypto.)

Edit: Things changed since I started writing this! When I say "last post", I'm referencing "Secure Transaction Handling for an Exchange". The post "Proposal for Security Standards for Bitcoin Exchanges" has the same issues.

Edit: Thanks for this collection of links! Certainly answers my question about what's out there well

I still feel there's a need for such a report. Is anyone interested / think this would be helpful as well?

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: kasimir on September 09, 2012, 09:51:34 AM

is there a best-practices guide or something for exchange / website operators?

Well, not any statistical methods but some relevant sources of information:

- http://bitcoinarmory.com/index.php/using-offline-wallets-in-armory
- http://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

Improving Offline Wallets (i.e. cold-storage)
- https://bitcointalksearch.org/topic/improving-offline-wallets-ie-cold-storage-68482

Well, technically, this would be a statistic:

Quote

Bitcoins Stolen From Me In My Lifetime: 0 - Casascius

Handle a Wasp and you will not get stung! Practice Safe Bitcoin
- https://bitcointalksearch.org/topic/handle-a-wasp-and-you-will-not-get-stung-practice-safe-bitcoin-105824

Other related:

Two-person cold storage using the raw transactions API
- https://bitcointalksearch.org/topic/two-person-cold-storage-using-the-raw-transactions-api-94959

Proposal for safe blockchain storage pools (for exchanges, using multisig)
- https://bitcointalksearch.org/topic/proposal-for-safe-blockchain-storage-pools-for-exchanges-using-multisig-96391

Proposal for Security Standards for Bitcoin Exchanges
- https://bitcointalksearch.org/topic/proposal-for-security-standards-for-bitcoin-exchanges-95745

Double signed wallet with a patternlock
- https://bitcointalksearch.org/topic/alpha-double-signed-wallet-with-a-patternlock-107074

Secure Transaction Handling for an Exchange
- https://bitcointalksearch.org/topic/secure-transaction-handling-for-an-exchange-106420

[Edit: edited list of links.]

kasimir

newbie

Activity: 19

Merit: 0

Given the recent strings of cold/hot wallets not being implemented correctly resulting in massive losses for all sorts of websites, is there a best-practices guide or something for exchange / website operators? Something maybe with a formal analysis behind it demonstrating some degree of correctness? It seems like if some group put something like this together, and people actually followed it, the overall bitcoin community could raise the bar significantly for the attackers.

I mean something like: statistical methods for determining when to halt upon suspicious transactions, architecture for crypto systems and placement of the cold / hot wallets, Linux / BSD lock-down techniques for the cold wallet server, to keep away from VPS / non-dedicated servers for the cold wallet, protocol description for cold wallet interactions, etc. It really doesn't seem like these should be trade secrets!

I haven't done a literature search to see what's out there, so I'd love to hear if such an article exists

If not, I think it would be good for people who really know their stuff to put something like this together.

Topic: Best practices for exchange / website operators? (Read 643 times)