Topic: Bitcoin APIs and the dangers of revealing your private key. (Read 806 times)

legendary
Activity: 1498
Merit: 1000
Always follow this rule: Sign your transactions on your own device and your own device only


Exactly why I built my api to never handle private keys for users; we have to protect them from themselves and teach them the correct way.
member
Activity: 100
Merit: 10
Always follow this rule: Sign your transactions on your own device and your own device only
legendary
Activity: 1498
Merit: 1000
I wasn't going to post this until tomorrow, but a certain publication decided to put a spotlight on a service that is using bad practices, and I wanted to show why certain businesses that understand the protocol are unique and not just trying to be first movers.

Quote
Don’t trust apis with your bitcoin private keys! It was brought to our attention that competitors of ours have built in functions to sign transactions for you, as long as you supplied the private key. I will not name them as this would take away from our post. I believe this is extremely dangerous and a complete disregard for users’ safety. We take security extremely seriously in our api, and even if users don’t understand the protocol as well as us, we want to protect them from themselves.

Anytime a private key is exposed and sent over the internet, unencrypted or even encrypted, it is dangerous and the private key should be treated as a compromised key. That means it should never be used again for any transactions. If a malicious actor got to that private key they could easily craft a transaction that could be confirmed before your intended transaction. It isn’t worth the risk; we understand that this is easier and probably more attractive, but it is also bad standard practice for bitcoins.

This is why I promote cold storage wallets anytime I talk to anyone looking to use our api. Cold storage wallets are not something users learn about until it is usually too late, but we need to change that.

https://apicoin.io/blog/2014/05/01/dont-trust-apis/