'Re: [ZS] Bitcoin, Empire of void*'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       cypherpunks
Subject:    Re: [ZS] Bitcoin, Empire of void*
From:       Eugen Leitl <eugen () leitl ! org>
Date:       2012-06-30 19:29:21
Message-ID: 20120630192921.GE12615 () leitl ! org
[Download RAW message or body]

----- Forwarded message from R|diger Koch <rudiger.koch@gmail.com> -----

From: R|diger Koch <rudiger.koch@gmail.com>
Date: Sat, 30 Jun 2012 10:44:27 +0200
To: doctrinezero@googlegroups.com
Subject: Re: [ZS] Bitcoin, Empire of void*
Reply-To: doctrinezero@googlegroups.com

2012/6/30 Lodewijk andri de la porte <l@odewijk.nl>

> I can't help but plug my e-wallet, bitvau.lt.


And about time! Don't keep us oblivious about your progress.


> It's going to get a lot more work the next half year but it does what the
> reference wallet does already (balance/history/transact/addressmange).
>
> I intent to offer much more usability oriented services. I don't really
> see the value of an online but javascript and encrypted wallet, why not use
> a deterministic wallet and seed it with full name, place and date of birth,
> etc. and a normal password? You'd get much more security, which is what you
> wanted right?
>

I agree - I actually tried to convince Thomas (author of Electrum) to do it
that way. Name, birthplace.... is not really a password, but it's a salt
that chages the situation of an attacker. Instead of trying out a
passphrase and checking if *any* address matches, he needs to target
specifically you. But Thomas doesn't see the difference. Prefixing a good
password with an unknown, but guessable salt "R|diger Koch - Anu -
Haidelberga - 19121965" is making life of an attacker really miserable -
particularly if you add deliberate spelling errors in.

The beauty of JS from your POV is that you can shift the responsibility
100% to the user. And there is no point to hack your server, because you
hold no user data on your server if the wallet is re-created from the
passphrase every time the user "logs in". So you don't need to back-up
anything and you can't be taken legally responsible for data loss.

-Anu

-- 
Zero State mailing list:
http://groups.google.com/group/DoctrineZero

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic