Topic: Blockchain.info/wallet is the BEST Bitcoin client as-of-date. (Read 9577 times)

hero member
Activity: 910
Merit: 1005
the android app needs
 
- password protection
- email confirmation of payments

Really, really bad. Someone gets their hands on my phone, bitcoins are gone.

You can enable email alerts and double encryption in the web interface.
legendary
Activity: 2058
Merit: 1005
this space intentionally left blank
the android app needs
 
- password protection
- email confirmation of payments

Really, really bad. Someone gets their hands on my phone, bitcoins are gone.
hero member
Activity: 910
Merit: 1005
Since the Android app is already out, I guess we are close!!!

If you have a jailbroken iPhone you can download it from the bigboss repo:

http://moreinfo.thebigboss.org/moreinfo/depiction.php?file=blockchainDp

It has now been "In Review" by Apple for more than a week; I think they must be trying to consult Steve Jobs from beyond the grave.
newbie
Activity: 42
Merit: 0
Agreed bro.. it's solid!
donator
Activity: 674
Merit: 522
Native iPhone app will be available soon.
Since the Android app is already out, I guess we are close!!!
legendary
Activity: 1896
Merit: 1353
I think the best client is Electrum. It's simple, easy, fast and best of all: it's very easy for me to modify the code to suit my needs. I've modified it to send transactions from any address I want just by having the private key, sending the change to the same address and without needing to import it.

hey, thanks a lot! I appreciate that!
donator
Activity: 798
Merit: 500
Good thing I printed my keys ;)
hero member
Activity: 504
Merit: 502
The best client depends on your use case. IMO there is no silver bullet.
More and more people use their smart devices more than their ordinary computer, and being able to pay (small) amounts with a few clicks is very appealing.
BitcoinSpinner was designed for this purpose, and has some nice features related to this discussion:
  • You decide when to update the software
  • Back up once and for all using a QR-code
  • Ready for use right after installation
  • Private key never leaves device
  • Server cannot spend your coins

This is certainly true at present. BitcoinSpinner is a masterpiece of simplicity and is what I give to anyone I'm showing bitcoins to.

But I think if you're looking for where your competition will come from it is if blockchain.info releases an android client (assuming all the features from the website carry over).
Jan
legendary
Activity: 1043
Merit: 1002
The best client depends on your use case. IMO there is no silver bullet.
More and more people use their smart devices more than their ordinary computer, and being able to pay (small) amounts with a few clicks is very appealing.
BitcoinSpinner was designed for this purpose, and has some nice features related to this discussion:
  • You decide when to update the software
  • Back up once and for all using a QR-code
  • Ready for use right after installation
  • Private key never leaves device
  • Server cannot spend your coins

full member
Activity: 156
Merit: 100
Firstbits: 1dithi
I think the best client is Electrum. It's simple, easy, fast and best of all: it's very easy for me to modify the code to suit my needs. I've modified it to send transactions from any address I want just by having the private key, sending the change to the same address and without needing to import it.

After Electrum, the best one is blockchain.info, I agree. I suggest piuk add a bigger button for entering the wallet. Each time I want to enter I find it a bit difficult to find "wallet", then "login". Also, when you type the pseudonym in the login field and go to the password field, the login field should change automatically instead of me needing to press the button, wait, and then type the password.

Edit: I agree with BitcoinSpinner also being great! I've done half of my transactions to date with it!

Edit 2: My 100th post! Woo!
hero member
Activity: 938
Merit: 1002
This would not even need to be verifiable by all users.

You could do it yourself, for instance. Just curl and diff; if they differ, remotely shut down the server and alert the admin. I'm sure it's already in place; that's why this sort of attack wouldn't affect the server for a long period. If the server is compromised, though, the program can stay dormant until a juicy account is online. Potentially the attack wouldn't be worth it.

Still, these are patches to the security concerns we already know of. That's why an elegant and general solution is necessary.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
It would be good if there were a way to sign the JS code and have the browser verify it upon every download. If the signing key is kept offline then even a server compromise would not allow altering the JS code maliciously.

This would not even need to be verifiable by all users. Even a few capable users would be enough to detect and notify quickly. I don't know if there are browser add-ons for signed code checking, but it seems like there should be.
hero member
Activity: 910
Merit: 1005
How is this any more secure than any other e-wallet that actually stores the users' keys?

Because full server hacks are less common than database leaks. To have any significant effect the hacker's malicious code would have to go unnoticed for an extended period of time, and it would only affect users who logged in with both their main password and second password during this time. You also can't make your own backup in case the operator ever goes AWOL. I'm not saying it is infallible, but it is better than storing keys.


The first point about TLS doesn't apply; all content is sent over SSL. A secure key store is also not needed.

Yes, the runtime is malleable, but it is not as easy to inject malicious JS as that article suggests. Very little user-provided data is printed on My Wallet pages, and it is checked at multiple points for validity. Anyone is more than welcome to review our server-side code for XSS vulnerabilities (https://raw.github.com/zootreeves/blockchain.info/master/WalletServlet.java). The site is vulnerable to malicious browser extensions; if any are discovered I will act accordingly.

The RNG uses the native window.crypto extension if available and is seeded with every mouse click and key press. I am dubious whether this can actually be exploited in practice.

You can also create a watch only wallet and scan your private keys from a paper wallet in "offline mode", in this case you are protected from any malicious javascript and do not need to trust blockchain.info at all.

How do I quickly enter a 30+ character address into this thing? Manually? Should the seller send me an email so I can copy/paste it?

You can enter the firstbits which are typically 5-6 characters. Native iPhone app will be available soon.
sr. member
Activity: 311
Merit: 250
Bitcoin.se site owner
You are contradicting yourself. You say this (which I agree with):

If we are going to bring Bitcoin to the end-user...
[...]
They do not want to be bothered with software installations...
[...]
We have to focus solely on what regular people want

But you also say this:

There's the method of not using a compromised device and not making it probable for your device to be compromised in the first place.
[...]
Maybe this wallet isn't for morons.

Regular people aren't interested in computers so they don't know how to keep it safe, and they shouldn't have to bother with it. You said it yourself, "they do not want to be bothered with software installations". How do you expect them to keep their computer safe if they shouldn't even be bothered with installing software?


You make things safe without requiring software installations. No contradiction.

That's not my point. My point is that people who don't want to bother with installing software are the same people that don't want to bother with keeping their computer safe. They want it to just work. Like I want my car to just work.

So you help them with one thing but not with the other.
Jon
donator
Activity: 98
Merit: 12
No Gods; No Masters; Only You
How do I quickly enter a 30+ character address into this thing? Manually? Should the seller send me an email so I can copy/paste it?

It looks impractical to me as a mobile phone wallet without QR reading ability.


It gives you the ability to use a simple identifier. Again, the software has interface issues.
Jon
donator
Activity: 98
Merit: 12
No Gods; No Masters; Only You
You are contradicting yourself. You say this (which I agree with):

If we are going to bring Bitcoin to the end-user...
[...]
They do not want to be bothered with software installations...
[...]
We have to focus solely on what regular people want

But you also say this:

There's the method of not using a compromised device and not making it probable for your device to be compromised in the first place.
[...]
Maybe this wallet isn't for morons.

Regular people aren't interested in computers so they don't know how to keep it safe, and they shouldn't have to bother with it. You said it yourself, "they do not want to be bothered with software installations". How do you expect them to keep their computer safe if they shouldn't even be bothered with installing software?


You make things safe without requiring software installations. No contradiction.
donator
Activity: 674
Merit: 522
How do I quickly enter a 30+ character address into this thing? Manually? Should the seller send me an email so I can copy/paste it?

It looks impractical to me as a mobile phone wallet without QR reading ability.
sr. member
Activity: 311
Merit: 250
Bitcoin.se site owner
You are contradicting yourself. You say this (which I agree with):

If we are going to bring Bitcoin to the end-user...
[...]
They do not want to be bothered with software installations...
[...]
We have to focus solely on what regular people want

But you also say this:

There's the method of not using a compromised device and not making it probable for your device to be compromised in the first place.
[...]
Maybe this wallet isn't for morons.

Regular people aren't interested in computers so they don't know how to keep it safe, and they shouldn't have to bother with it. You said it yourself, "they do not want to be bothered with software installations". How do you expect them to keep their computer safe if they shouldn't even be bothered with installing software?
hero member
Activity: 714
Merit: 500
Good choice.
Jon
donator
Activity: 98
Merit: 12
No Gods; No Masters; Only You
How is this any more secure than any other e-wallet that actually stores the users' keys?

You are still dependent on a third party for security.  Anyone who hacks the server can just serve different JS that records the information entered into the client and submits it somewhere, then steal all the coins.

To do this securely, one would need to be able to "pin" the code that sees the passphrase.  E.g. a browser extension rather than a web page.

Moreover, just like mybitcoin and other web-wallets, if such a thing happens, there is no way you can know if the service was really hacked or the owner is just running with the coins.

tl;dr wallet security will only come if all the code that sees the passphrase is pinned and cannot be modified easily without approval from many people (e.g. the bitcoin client itself)

+∞

http://www.matasano.com/articles/javascript-cryptography/

Javascript has serious flaws but they can be fixed. If we are going to bring Bitcoin to the end-user, we need to do it through the browser. All of Bitcoin's competitors rely solely on the browser and most users aren't going to compromise on that. They do not want to be bothered with software installations for something that has been and should remain seamless all the way through.

I think people deserve the best experience when it comes to Bitcoin. Their idea of best does not entail hobbyist level, military-grade security from back-to-front when it can't even allow the user to easily understand and manage their finances; at least not more easily than what Paypal brings them.

Over-engineered security will be the end of Bitcoin. We have to focus solely on what regular people want and not our scrupulous desires that remain stuck in a hobbyist culture.