Topic: The Kindle, Bitcoin and client side address generation. (StrongCoin) - page 2. (Read 8428 times)

legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
I really like the idea from the previous post:  include the network fee inside your fee.  For example:

Charge 1% of the transfer up to some maximum number (let's say 1BTC)

Out of this fee you send let's say 10% on to the network and keep the other 90%

These are just example numbers - you get the idea.

Also +1 on no fees for transfers within my own accounts.

You could also do a reduced fee or no fee for transfers between all of your own customers (kind of like the cell phone network's family plans) this could be used to bring in more customers.
legendary
Activity: 2506
Merit: 1010
5) Could you please let the customers (me) set the network transaction fee - instead of hardcoding it to 0.01 BTC?  As it stands now when I transferred 1.00 BTC you took your cut (0.01) which is OK with me (but I think it should be a percentage see above) and then you hardcoded another 0.01 for the network.  So it cost me 1.02 to send 1.00.  Please allow us to set the network transaction fee value to anything we want, including zero.

I don't know that it needs to be configurable by the user as that adds yet another variable to the mix.  Like with other ewallet services, it would be nice if the network fee was included in the wallet service's fee.  

In my instance, without knowing that there was also a trx fee as well I kept getting an "insufficient funds" when attempting to spend all but the 0.01 StrongCoin fee and only when I finally entered an amount low enough did the transaction go through and then learned what the network fee ended up being.

Additionally, it would be nice if I could pay no fee to move the funds from the imported account to another account on StrongCoin without a fee.  Let's say I have a physical bitcoin and by peeling the hologram to reveal the minikey I no longer can consider that key to be secure.  I might not wish to spend it right away, but I want it secured using StrongCoin.  StrongCoin will eventually receive a fee when I finally do spend the funds so allowing this account-to-account transfer lets me spend a physical bitcoin without having to pay a fee to StrongCoin twice.

Fee issues aside, this is an EXCELLENT service!
legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
First, I LOVE this site and idea.  It is exactly what we need to get non-technical people to learn about and start using Bitcoins.

Here are a few bugs to report:

1) Import Key Function, Import Mini Key drop down - Incorrectly calculates the private key from the mini key (probably a very simple math issue).

2) Import Key Function - probably should change the action button from "Import Mini Key" to just "Import Key" since there are three different types of keys in the drop down.

3) Send payment function - Typo.  "The amount ot send" should be "The amount to send"

4) Instead of charging a set fee of 0.01 BTC for your service when I transfer coins I think it would be better for you and the customer if you charged a percentage of the transfer amount - maybe up to some maximum value.  Maybe 1% fee up to a maximum of 1 BTC (or whatever you decide).  The reason is I may want to send some very small amounts in the future like 0.0001 BTC which I could not do with your current system since it would cost me 0.01 to send 0.0001.

5) Could you please let the customers (me) set the network transaction fee - instead of hardcoding it to 0.01 BTC?  As it stands now when I transferred 1.00 BTC you took your cut (0.01) which is OK with me (but I think it should be a percentage see above) and then you hardcoded another 0.01 for the network.  So it cost me 1.02 to send 1.00.  Please allow us to set the network transaction fee value to anything we want, including zero.

Love your public key for transaction fees:  firstbits/1strongx.  How long did it take you to find it?  [BTW note that firstbits/1strong is a different address!!!]

I would love to recommend this site as the easiest way to redeem physical money (physical coins, Bitbills, etc.) once you get the mini key issue fixed.

Your web site is well done, very clean and a pleasure to use.  Thanks!

I was going to send you a small donation but I do not see a published donation address anywhere and I don't want to send it to firstbits/1strongx since the current balance shows exactly how many transactions have been processed through your site so far (18 at 0.01 per transaction).
sr. member
Activity: 262
Merit: 250
Damn! You must be able to read my mind, cos I got through this idea a few days ago, when I thought what was wrong with MyBitcoin.com. Actually, I already started to look for good ECDSA JavaScript implementation for this.

I think people definitely need a kind of "online-banking" with Bitcoin. This service, if done properly, will be a killer-app.

Some of my tips (a vision of a good final site):

- make it look like online banking
- allow to name your addresses
- allow to set description to transactions
- allow for repeating payments
- let the user create his own addressbook of other people addresses
- dump and allow to print nice income/outcome lists
- integrate an address shortener, so you can give a link to your address to your site
- add an ability to save a backup (still encrypted, of course) of the keys at your site
- when paying, notify that the transaction got broadcasted and later, confirmed



That's great feedback thanks.

There's a few I hadn't thought of there. And some ideas.

For saving a backup I'm thinking of generating a PDF. A kind of paper wallet.
I will incorporate a workflow loop into payments, so you'll see sent, broadcast and confirmed.
Repeat payments might be difficult as I won't have the private key.
hero member
Activity: 531
Merit: 505
Damn! You must be able to read my mind, cos I got through this idea a few days ago, when I thought what was wrong with MyBitcoin.com. Actually, I already started to look for good ECDSA JavaScript implementation for this.

I think people definitely need a kind of "online-banking" with Bitcoin. This service, if done properly, will be a killer-app.

Some of my tips (a vision of a good final site):

- make it look like online banking
- allow to name your addresses
- allow to set description to transactions
- allow for repeating payments
- let the user create his own addressbook of other people addresses
- dump and allow to print nice income/outcome lists
- integrate an address shortener, so you can give a link to your address to your site
- add an ability to save a backup (still encrypted, of course) of the keys at your site
- when paying, notify that the transaction got broadcasted and later, confirmed

sr. member
Activity: 262
Merit: 250
How does strongcoin.com make money or at least cover operating costs?

I'm hoping to make money from charging a fee to process payments out. I'm not sure what that will be just yet but I'll probably start around the 0.01 BTC mark.

Importing keys, key storage, exporting keys and viewing balances will all be free.

There may be opportunities to add value with other services such as

- paper wallet pdfs.
- iphone/android app.
- faster payments.

The benefit of this service is you're not tied down to it. At any point you can take your keys and import them into another service. So I'm determined to make this the best online wallet service.

member
Activity: 105
Merit: 10
How does strongcoin.com make money or at least cover operating costs?
full member
Activity: 140
Merit: 430
Firstbits: 1samr7
The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

Could you make your Javascript work with something like the yubikey?

So far, all of the large-scale attacks against bitcoin sites were not aimed at individual accounts.  They were aimed at the central wallet for the site.  Yubikeys will make it hard for someone to clean out your account by stealing your password.  However, they won't protect you against a site-wide break that renders the site insolvent to pay back your account balance.

StrongCoin, however, does not have a site-wide wallet, and keeps each account key encrypted with a separate password.  An attacker that manages to steal the account database will need to break the individual passwords.  Unless an attacker is targeting specific accounts with large balances known to be hosted by StrongCoin, the compute cycles will be better spent mining for bitcoins.

That said, the security does heavily depend on users picking good passwords, and remembering them.  The site's address generator does have a calculator that gives an estimated cracking time, so hopefully it will foster good practices.

Details about the encoding scheme are here, along with a (small) password cracking challenge.
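
Added example (not part of the thread, and not StrongCoin's code): a sketch of the client-side scheme the posts discuss, where the server only ever receives a password-encrypted private key, plus the kind of cracking-time estimate mentioned above. The thread only says "AES"; scrypt, AES-256-GCM, the function names and the sample key are assumptions made for this illustration.

```javascript
// Illustration only: NOT StrongCoin's actual encoding scheme.
// Assumed here: scrypt as the password KDF and AES-256-GCM as the cipher.
const nodeCrypto = require('crypto');

const KDF = { N: 16384, r: 8, p: 1 };      // scrypt work factor (about 16 MiB per guess)
const SAMPLE_KEY = '11'.repeat(32);        // constructed 32-byte key, not a real wallet key

// Runs on the client. Only the returned record would be sent to the server.
function encryptKey(privKeyHex, password) {
  const salt = nodeCrypto.randomBytes(16); // per-record salt: no shared precomputation
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(password, salt, 32, KDF);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(Buffer.from(privKeyHex, 'hex')), c.final()]);
  return { salt: salt.toString('hex'), iv: iv.toString('hex'),
           ct: ct.toString('hex'), tag: c.getAuthTag().toString('hex') };
}

// Returns the key as hex, or null when the password is wrong (GCM tag mismatch).
function decryptKey(rec, password) {
  const key = nodeCrypto.scryptSync(password, Buffer.from(rec.salt, 'hex'), 32, KDF);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'hex'));
  d.setAuthTag(Buffer.from(rec.tag, 'hex'));
  try {
    return Buffer.concat([d.update(Buffer.from(rec.ct, 'hex')), d.final()]).toString('hex');
  } catch (e) {
    return null;
  }
}

// Naive character-pool model of average offline cracking time, in seconds.
// It overestimates badly for dictionary words and reused passwords.
function estimateCrackSeconds(password, guessesPerSecond) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33;
  // On average half the keyspace is searched before a hit.
  return Math.pow(pool, password.length) / 2 / guessesPerSecond;
}

const rec = encryptKey(SAMPLE_KEY, 'correct horse battery staple');
console.log('stored on server:', rec);
console.log('wrong password ->', decryptKey(rec, 'guess'));
console.log('"abc" at 1 guess/s ->', estimateCrackSeconds('abc', 1), 'seconds');
```

The record is everything someone holding the account database has to work with, so the password's entropy and the KDF work factor are the only things that set the cost of each offline guess.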
sr. member
Activity: 262
Merit: 250
If you don't know the private keys, how do you get the server to send out the payments on behalf of your clients? Are you using a custom bitcoind or the regular one? Even if you're using a custom bitcoind, at some stage your server must be in possession of the private keys in order to sign the outgoing transaction? Or are your transactions even signed on the client side and passed back to your server somehow to be sent out?

Yes, I want to sign the transactions on the client side. I'm looking to automate the mechanism described here https://bitcointalksearch.org/topic/easy-offline-transactions-with-standard-client-35469

As far as I can see I won't need a patched client.
newbie
Activity: 26
Merit: 0
Interesting idea.

If you don't know the private keys, how do you get the server to send out the payments on behalf of your clients? Are you using a custom bitcoind or the regular one? Even if you're using a custom bitcoind, at some stage your server must be in possession of the private keys in order to sign the outgoing transaction? Or are your transactions even signed on the client side and passed back to your server somehow to be sent out?
sr. member
Activity: 262
Merit: 250
Great ideas here.  The Kindle angle is fantastic.

The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

Could you make your Javascript work with something like the yubikey for the purpose of generating a strong password?

Thanks Matt.

I've given feedback to the user about the strength of their password. i.e. It gives an estimate of how long their particular password would take to brute force.

I'm not sure how 2 factor authentication would help except perhaps for logging into the system itself. But let me have a think about it.
member
Activity: 105
Merit: 10
Great ideas here.  The Kindle angle is fantastic.

The fact that the private keys are encrypted before sending to the server is of little value if a weak password is used.  You or anyone in possession of the encrypted data could brute force the password, it would only be a matter of time.

Could you make your Javascript work with something like the yubikey for the purpose of generating a strong password?
sr. member
Activity: 262
Merit: 250
    I'd like to introduce StrongCoin. http://strongcoin.com/

    Sign up and click on New Account to see the address generator in action.

    ** Warning This is A Technical Preview, Don't send Bitcoins to the addresses you create **
    StrongCoin is now up and running.

    StrongCoin is yet another wallet service (YAWS) with a difference. I'm not storing private addresses on the server except in AES encrypted form.

    When you go to create an address in StrongCoin you currently have 2 options.

    1. Use the javascript account creator, this takes a password from you and AES encrypts the private key before sending it to the server.

    2. You can create a public and private key offline, encrypt the private key and submit to StrongCoin. I'm working with the developer of VanityGen to try and make this as simple as possible.


    The StrongCoin server has no way of knowing the password you used for your private key and can't decrypt your key. Also anyone that attacks our servers will not be able to access your private key as long as you've chosen a strong password.

    Coming Soon.


    1. Payments, I'm looking to create a javascript popup that will take your password, decrypt your private key and sign a payment all in the browser. Only the signed payment gets sent to the server.

    2. Offline payments, I'll be offering the ability to pass through payments created offline.

    3. Address book, for storing beneficiaries and their addresses.

    4. Email backup. I want to send an email after each account is created (or after a group of accounts) this will have your public key and encrypted private key. Therefore if anything happens to our service you will still have access to your funds.

    5. Payment and Address creation page signing. I'm looking for a way to show the user that no malicious code has been injected into the system.

    6. A popup keyboard, this will hopefully circumvent key loggers by allowing the user to click to enter a password. see http://www.greywyvern.com/code/javascript/keyboard

    7. Coming Soon - Address generation via a sentence. see https://bitcointalksearch.org/topic/mental-bitcoin-wallet-i-have-real-bitcoins-stored-in-my-head-35082


    Feedback


    I'd like to gather feedback if I may.

    How can I make this service better ? How can I address all the risks ?

    p.s. And yes it works on the Kindle browser, which is surely one of the safest environments to generate keys :)