Topic: Feedback on P2SH web wallets (Read 3794 times)

Fair points.  Note that all wallets have this exact problem too :-)

Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

I must say that is the funnest coming soon web page I've ever visited.

It also sparked my interest as to what exactly the start up's services are, so I will stay tuned.

PS: I'm not just saying that because you're a girl. About half of my previous post in this thread was just me joking around.. I am not looking for an online girlfriend rofl. 

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?

On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

—Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine. 

Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?