undefined | Better HN

0 pointsjerguismi11y ago0 comments

Which makes me wonder... The keys are generated in-browser. What if the users computer is compromised, and a malware succeeds in capturing the keys + bip38 passphrase? I don't know if this product will be pain in the ass for coinbase, if the user funds start disappearing from these multisig addresses.

All the best luck for this product, though.

0 comments

adrianmacneil11y ago

If the computer is infected, then yes it would be possible to steal both the private keys, and the passphrase. To avoid this attack scenario, we're investing pretty heavily in technologies such as CSP.

However, this can be mitigated with our group multisig vault, where separate users create their own keys. For malware to steal these, it would require infecting multiple computers.

icebraining11y ago

Seems like the next step would be to allow the users to store their copies on a smart card instead of a PC.

wcoenen11y ago

Like the Trezor[1] hardware wallet.

[1] http://www.bitcointrezor.com

1 more reply

wcummings11y ago

CSP?

floatrock11y ago

Content Security Policy -- http://en.wikipedia.org/wiki/Content_Security_Policy

basically headers that can tell the browser not to execute stuff that leads to injection like inline javascript or inline styling, allows for whitelists of domains (so the browser won't run script src="http://hackercdn.com/malicious.js"), etc.

j / k navigate · click thread line to collapse