Blockchain.info - where are the private keys?

foxkyu

hero member

Activity: 938

Merit: 1000

Quote from: mikewirth on February 23, 2015, 02:07:30 PM

Quote from: TrianglePythagoras on February 23, 2015, 12:09:24 PM

Browser plugins? Flip shit. I go crazy installing random plug ins

I know right? Every time I see: "do you want to install xxxxx plugin?" all I see is: "would you like to send naked pictures of your famous wife to TMZ?" How can you trust ANY plugin? They all are trying to get your keys.

so the problem is in your browser plugin
just delete unused plugin, that's very dangerous..
if you still see that message try to install another browser
btw, can you tell me what plugin? so i will be more carefull

mikewirth

sr. member

Activity: 532

Merit: 250

Quote from: TrianglePythagoras on February 23, 2015, 12:09:24 PM

Browser plugins? Flip shit. I go crazy installing random plug ins

I know right? Every time I see: "do you want to install xxxxx plugin?" all I see is: "would you like to send naked pictures of your famous wife to TMZ?" How can you trust ANY plugin? They all are trying to get your keys.

TrianglePythagoras

sr. member

Activity: 274

Merit: 250

Browser plugins? Flip shit. I go crazy installing random plug ins

instagibbs

member

Activity: 114

Merit: 12

Quote from: mikewirth on February 23, 2015, 11:00:45 AM

So if they keep private keys (in encrypted form), why haven't they been hacked. It seems like they'd have a shitload of keys and after someone got those they'd have very little trouble 'guessing' passwords against them. Are you sure they keep private keys in their database? Seems like a very big target to me.

You're 100% right. bc.info is not a safe wallet. Javascript/password based wallets are dangerous, and bc.info doesn't have a great track record.

DannyHamilton

legendary

Activity: 3416

Merit: 4658

Quote from: mikewirth on February 23, 2015, 11:00:45 AM

So if they keep private keys (in encrypted form), why haven't they been hacked. It seems like they'd have a shitload of keys and after someone got those they'd have very little trouble 'guessing' passwords against them. Are you sure they keep private keys in their database? Seems like a very big target to me.

On many occasions in the past people that have used weak passwords have had their blockchain.info wallets emptied by hackers, and those with strong passwords have had their blockchain.info wallet emptied by malicious browser plug-ins.

It happened right in front of me once:

https://bitcointalksearch.org/topic/stolen-bitcoins-help-602250

You can see here (from the https://blockchain.info/wallet webpage) that they are still storing the encrypted private keys in their database:

mikewirth

sr. member

Activity: 532

Merit: 250

Quote from: DannyHamilton on February 23, 2015, 10:48:22 AM

Quote from: mikewirth on February 23, 2015, 10:40:51 AM

So when I 'import' an address, I have to put my private key into a textbox. Does this private key leave my machine and go out on the Internet?

Yes, but as long as blockchain.info is working properly it should be encrypted before it is sent out.

Quote from: mikewirth on February 23, 2015, 10:40:51 AM

Blockchain clearly says they don't keep private keys.

Where does it say that? I'm nearly certain that blockchain.info stores all the private keys in encrypted form.

Quote from: mikewirth on February 23, 2015, 10:40:51 AM

So where does this private key 'live' after I import an address into Blockchain.info wallet?

Unless they've changed their service recently (and I don't think they have), the private key is encrypted with your password in your browser, then the encrypted private key is sent to their servers where it is stored in their database.

Whenever you want to spend any bitcoins that require that private key, the encrypted form of it is sent from their database back to your browser where it is decrypted with your password and used to create the transaction.

So if they keep private keys (in encrypted form), why haven't they been hacked. It seems like they'd have a shitload of keys and after someone got those they'd have very little trouble 'guessing' passwords against them. Are you sure they keep private keys in their database? Seems like a very big target to me.

DannyHamilton

legendary

Activity: 3416

Merit: 4658

Quote from: mikewirth on February 23, 2015, 10:40:51 AM

So when I 'import' an address, I have to put my private key into a textbox. Does this private key leave my machine and go out on the Internet?

Yes, but as long as blockchain.info is working properly it should be encrypted before it is sent out.

Quote from: mikewirth on February 23, 2015, 10:40:51 AM

Blockchain clearly says they don't keep private keys.

Where does it say that? I'm nearly certain that blockchain.info stores all the private keys in encrypted form.

Quote from: mikewirth on February 23, 2015, 10:40:51 AM

So where does this private key 'live' after I import an address into Blockchain.info wallet?

Unless they've changed their service recently (and I don't think they have), the private key is encrypted with your password in your browser, then the encrypted private key is sent to their servers where it is stored in their database.

Whenever you want to spend any bitcoins that require that private key, the encrypted form of it is sent from their database back to your browser where it is decrypted with your password and used to create the transaction.

mikewirth

sr. member

Activity: 532

Merit: 250

So when I 'import' an address, I have to put my private key into a textbox. Does this private key leave my machine and go out on the Internet? Blockchain clearly says they don't keep private keys. So where does this private key 'live' after I import an address into Blockchain.info wallet?

Topic: Blockchain.info - where are the private keys? (Read 2542 times)