
Topic: thoughts on Bitgo - the most secure wallet 3-fa - page 2. (Read 9089 times)

hero member
Activity: 518
Merit: 500
People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know what they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.

Local clients are better for newbies, but let's be honest we need to teach newbies about all forms of security cause many sites use 2FA they should learn it now. What it is and how it helps from hackers but not backend hackers.

backend hackers or site owners that just run off with all the coins ......
legendary
Activity: 1498
Merit: 1000
People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know what they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.

Local clients are better for newbies, but let's be honest we need to teach newbies about all forms of security cause many sites use 2FA they should learn it now. What it is and how it helps from hackers but not backend hackers.
newbie
Activity: 9
Merit: 0
is that a new online bitcoin wallet?
legendary
Activity: 1134
Merit: 1008
CEO of IOHK
Quote
I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

Who did your full audit? I am looking for an auditor myself and it would be nice to grab someone who is now familiar with Bitcoin.
hero member
Activity: 518
Merit: 500
Same advice as always for me. Keep as little as possible online, and use 2fa. I don't care what security features are promoted with web wallets, most of your coins should be safely offline.
global moderator
Activity: 4018
Merit: 2728
People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.

I think blockchain.info will probably be safer for a newb who doesn't really know what they're doing, as long as they set up all the security features; 2 factor auth and a second password etc.
legendary
Activity: 1498
Merit: 1000
People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?

People still get hacked on blockchain, but they are a lot better than most web wallets, and if they add trezor support like they plan on, they will be the most secure web wallet.
legendary
Activity: 1498
Merit: 1000
I don't get it. Only 2 FA is needed for transactions. So if someone hacks in to an account he can withdraw the coins with just 2 passwords, right?

What about the people who run the service? This is where things like trezor will solve, and 2FA is just a false sense of security for that attack.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info. I see a couple problems with this one. How are they generating the 3 keys?

yep and there will always be people who do this. you could say it every day and still people would store them online.  Roll Eyes

i guess someday there will be an online wallet with high security AND insurance over the funds, maybe then you could store them online (but i wouldn't do that).
legendary
Activity: 3766
Merit: 1217
I don't get it. Only 2 FA is needed for transactions. So if someone hacks in to an account he can withdraw the coins with just 2 passwords, right?
hero member
Activity: 518
Merit: 500
People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info. I see a couple problems with this one. How are they generating the 3 keys? If it isn't client side, it isn't safe. If they are holding on to the 3 keys even indirectly they are not safe. It isn't open source, so there is no way to verify or run this service on my own. Also all web wallets will be considered not safe until they implement trezor support.

So again don't use web wallets none of them are safe unless you are using a trezor or hardware option to sign the transaction.

Yeah, not being open source is a big turn off.
global moderator
Activity: 4018
Merit: 2728
People are still using web wallets really? Did we not learn from blockchain.info.

What's wrong with blockchain.info?
legendary
Activity: 1498
Merit: 1000
People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info. I see a couple problems with this one. How are they generating the 3 keys? If it isn't client side, it isn't safe. If they are holding on to the 3 keys even indirectly they are not safe. It isn't open source, so there is no way to verify or run this service on my own. Also all web wallets will be considered not safe until they implement trezor support.

So again don't use web wallets none of them are safe unless you are using a trezor or hardware option to sign the transaction.
hero member
Activity: 518
Merit: 500
Get it independently audited by a security expert, and publish the report Smiley

I mean that in all seriousness. Everyone claims their wallet is super-secure, history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
[email protected]


That sounds excellent Mike, great response Smiley

My only other "advise" is that you should publish any company details about yourself. There are so many "one-man ops" in bitcoinland, some aren't even registered companies. The more you share about yourself, the more trust you engender.
newbie
Activity: 8
Merit: 0
Get it independently audited by a security expert, and publish the report Smiley

I mean that in all seriousness. Everyone claims their wallet is super-secure, history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
[email protected]


A 2 of 3 wallet is an excellent idea! Kudos Mike! I would suggest using crowd spring or some other design service to spruce up the design and stock images on BitGo. Other than that the theory looks quite sound.
legendary
Activity: 1232
Merit: 1195
This is an online wallet?
newbie
Activity: 36
Merit: 0
Get it independently audited by a security expert, and publish the report Smiley

I mean that in all seriousness. Everyone claims their wallet is super-secure, history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
[email protected]
hero member
Activity: 518
Merit: 500
Get it independently audited by a security expert, and publish the report Smiley

I mean that in all seriousness. Everyone claims their wallet is super-secure, history proves otherwise in many cases ...
sr. member
Activity: 433
Merit: 250
Basically it uses 3 private keys.
1 online say like codebase
Your password or on your computer
And a 3rd that you can print out or store offline

You only need 2 to make a transaction

But if coinbase gets hacked, the hacker would need your key so it makes it impossible

Even if they hacked your computer, then they'd need the offline key or codebase key

I suck at explaining it but just go here

https://www.bitgo.com/p2sh_safe_address
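
Added example (not part of the thread and not BitGo's code): a 2-of-3 multisig redeem script of the kind the post above describes, with a table of which stolen-key combinations reach the spending threshold. The holder names and the 33-byte keys are constructed placeholders, and the model assumes each key is generated and held by a separate party, which is the point other posters in the thread question.

```python
from itertools import combinations

OP_CHECKMULTISIG = 0xAE

def op_n(n):
    # Small-integer opcodes OP_1..OP_16 are encoded as 0x51..0x60.
    return 0x50 + n

def build_redeem_script(m, pubkeys):
    """m-of-n multisig redeem script: OP_m <pk>... OP_n OP_CHECKMULTISIG."""
    if not 1 <= m <= len(pubkeys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    out = bytearray([op_n(m)])
    for pk in pubkeys:
        if len(pk) != 33:
            raise ValueError("expected 33-byte compressed public key")
        out += bytes([len(pk)]) + pk  # direct push: length byte, then data
    out += bytes([op_n(len(pubkeys)), OP_CHECKMULTISIG])
    return bytes(out)

def parse_threshold(script):
    """Return (m, n) from a script built above, rejecting any other shape."""
    m, n, end = script[0] - 0x50, script[-2] - 0x50, script[-1]
    if end != OP_CHECKMULTISIG or len(script) != 3 + 34 * n or not 1 <= m <= n:
        raise ValueError("not a standard multisig redeem script")
    return m, n

def can_spend(held, m):
    # Spending needs signatures from at least m distinct keys.
    return len(set(held)) >= m

# Constructed placeholder keys (not real public keys), one per holder in the post.
HOLDERS = ("service", "user", "offline_backup")
KEYS = {h: bytes([0x02]) + bytes([i + 1]) * 32 for i, h in enumerate(HOLDERS)}
SCRIPT = build_redeem_script(2, [KEYS[h] for h in HOLDERS])

def compromise_table():
    """Map each set of stolen keys to whether the thief can spend."""
    m, _ = parse_threshold(SCRIPT)
    return {combo: can_spend(combo, m)
            for r in range(1, len(HOLDERS) + 1)
            for combo in combinations(HOLDERS, r)}

def user_recovers_without_service():
    """If the service disappears, user key + offline backup still meet m."""
    m, _ = parse_threshold(SCRIPT)
    return can_spend(("user", "offline_backup"), m)

if __name__ == "__main__":
    for combo, ok in compromise_table().items():
        print(f"{'+'.join(combo):32} spend={ok}")
    print("recover without service:", user_recovers_without_service())
```

Any single stolen key is below the threshold, while any pair spends, so the scheme only helps if no one party ever holds two of the three keys.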