The website presents to the user a page that asks for their identifier or username, if they can provide either of those, the server returns an AES encrypted file containing all of the private keys for the bitcoin wallet. Using JavaScript, these are decrypted with the users password when and if they can supply it. At face value, this means that the server will never be able to see the wallet, or spend from it. There's quite a few very nasty attack vectors against this service though.
• Any browser plugins have full access to everything in the wallet, at any time. Most people run AdBlock, or Ghostery, or SSL Everywhere, a compromise of any plugin (or a malicious author) can steal coins at their will.
• The server can modify the client code at any time, which means that it could be changed to send back the private keys once they have been decrypted, or to simply send back the password when entered.
• The website offers a "verifier plugin" for their users to use, which supposedly verifies the contents of blockchain.info for malicious activity. If you look at the source of the plugin on github, it pretty much prevents XSS and nothing else. There's absolutely nothing stopping somebody at blockchain.info from modifying the code.
• Any person in the world can download the encrypted wallet, and preform an offline attack on it in their own time. Due to the way wallets are stored the public key is exposed, meaning a malicious entity can check the balance of the wallet before launching the full power of their GPUs against it. This particular attack was noted by the community, and blockchain.info started sending email notifications out to their users; many users noticed quickly how many people were downloading wallets to attack. It's not like the bitcoin community suffer a deficit of graphics cards.
• The encryption of the wallet files is hilarious; AES and 20 rounds of PBKDF2. I doubt that there's any off-the-shelf implementations that can handle it, but I wager oclHashCat could probably be easily modified to attack them. If it can manage 3 million attempts against 1Password keychains, it would be magnitudes faster against this.
The author is well aware of all of this, and still keeps the misleading statements about the security of the service on the introduction page.
Thank you for posting this. I think this highlights really well how complicated Bitcoin security issues are.
I will come right out and admit that there is an intrinsic risk to leaving your Bitcoin wallet on a 24/7 server that an attacker can potentially break into. I think that running your own (vs a centralized hosted wallet service) potentially mitigates some of this risk, but of course, if there was a security issue with Coinpunk, an attacker could theoretically write a script to spider for servers. I do believe that it does help to reduce the "single point of failure" problem though.
I do think that the added convenience of 24/7 bitcoin transactions is worth the risk. I think that there is a threshold of acceptable risk that people will take for convenience. After all, even if you're running Bitcoin-qt on a desktop, what's to stop a trojan horse from infecting that machine and stealing its wallet file?
There are a few things I want to implement eventually to improve the security of Coinpunk. One thing I want to do is allow accounts to remove and backup their private address keys. This would in effect turn the account into a "savings account" that is locked from changes. You could move a large portion of your funds to that account, and then keep the rest available for quick transactions.
Another thing I want to do is enable the wallet encryption feature. It's not a huge security gain because the attacker probably has access to that password, but I don't think it hurts. This could perhaps be combined with a chroot jail that doesn't have access to the config file after loading, requiring the user to figure out how to pry the password out of memory on a running program (which isn't impossible, but it's definitely more work).
I wanted to get the basic system running, and then explore these security improvements in a systematic way with help from the community. So these features will eventually go in, I just want to go slow and make sure we get things right.
Please keep in mind that I have nothing against developing Bitcoin services, and absolutely nothing against your project.
My main gripe is with services like Blockchain.info and Strongcoin.com who make claims that are provably false. Both have large banners on their main pages claiming that their services are the safest most secure store for currency. We—both they and I—know it to be a lie.
Yeah I didn't take any offense to your comments, I found them to be very reasonable and I think it's important that we have an honest discussion about these issues. :-)
Would security be significantly improved (or at least only really require trust of blockchain.info) if a username/password pair was also required to even get the encrypted private key?
Maybe, but that only takes out one of five attacks. The remote server still has access to all your private data, your backups are still weak, and plugins can still access everything.
Blockchain.info is also behind CloudFlare, so you have to trust them too.
The website presents to the user a page that asks for their identifier or username, if they can provide either of those, the server returns an AES encrypted file containing all of the private keys for the bitcoin wallet. Using JavaScript, these are decrypted with the users password when and if they can supply it. At face value, this means that the server will never be able to see the wallet, or spend from it. There's quite a few very nasty attack vectors against this service though.
• Any browser plugins have full access to everything in the wallet, at any time. Most people run AdBlock, or Ghostery, or SSL Everywhere, a compromise of any plugin (or a malicious author) can steal coins at their will.
• The server can modify the client code at any time, which means that it could be changed to send back the private keys once they have been decrypted, or to simply send back the password when entered.
• The website offers a "verifier plugin" for their users to use, which supposedly verifies the contents of blockchain.info for malicious activity. If you look at the source of the plugin on github, it pretty much prevents XSS and nothing else. There's absolutely nothing stopping somebody at blockchain.info from modifying the code.
• Any person in the world can download the encrypted wallet, and preform an offline attack on it in their own time. Due to the way wallets are stored the public key is exposed, meaning a malicious entity can check the balance of the wallet before launching the full power of their GPUs against it. This particular attack was noted by the community, and blockchain.info started sending email notifications out to their users; many users noticed quickly how many people were downloading wallets to attack. It's not like the bitcoin community suffer a deficit of graphics cards.
• The encryption of the wallet files is hilarious; AES and 20 rounds of PBKDF2. I doubt that there's any off-the-shelf implementations that can handle it, but I wager oclHashCat could probably be easily modified to attack them. If it can manage 3 million attempts against 1Password keychains, it would be magnitudes faster against this.
The author is well aware of all of this, and still keeps the misleading statements about the security of the service on the introduction page.