please be careful with CoinPrism


Alex Mizrahi

May 16, 2014, 8:43:02 AM
to bitc...@googlegroups.com
CoinPrism is a web wallet. This means that the one who controls the server controls everything.
Say, he can send customized JS code which will steal users' private keys.
If I understand correctly, issuance is done through the web wallet as well, so a malicious party who controls the server can also steal the issuer's keys and issue coins himself.

Thus it is possible that somebody will hijack the server, obtain the keys of an issuer who creates "gold coins", issue a lot of these gold coins and start selling them.
Then the real issuer will either have to honor the contract and buy back these counterfeit "gold coins" for the price of gold, or default. Because the so-called "Open Assets" protocol doesn't differentiate between newer and older assets, it's not possible to differentiate counterfeit "gold coins" from real ones.

Well, anyway, do I need to explain why centralized solutions are bad to bitcoiners?

I apologize that I failed to release ChromaWallet on time as I promised. The main problem is the lack of manpower. Progress is slow, but it exists (see here: https://github.com/bitcoinx/ngcccbase/commits/master).
We're about to release a version with SPV.

Taariq Lewis

May 16, 2014, 10:48:11 AM
to bitc...@googlegroups.com, bitc...@googlegroups.com
Thanks Alex,

I'm confused.  Do you mean browser-based wallet or hosted-web wallet? I'm assuming the latter so wanted to confirm.

Also, if you'd like some help with Chromawallet, will you please send me a note? I think I've been trying to reach you to talk about this issue, but I've not heard any word.

Cheers!
Taariq

Alex Mizrahi

May 16, 2014, 12:33:47 PM
to bitc...@googlegroups.com
 
> I'm confused. Do you mean browser-based wallet or hosted-web wallet? I'm assuming the latter so wanted to confirm.

As far as I can tell, it is only available on their site: https://www.coinprism.com/
Similar to blockchain.info, but there is no browser extension option.
Also, source code is not available.

I've looked through JS code some time ago, and it looks like almost everything is done on the server side, client only signs transactions. If that's the case, it won't be secure even in browser extension form.

Flavien

May 16, 2014, 6:16:22 PM
to bitc...@googlegroups.com
Not sure what the concern is here? Yes, there is always a risk when you use a third party, but this is hardly something new. 1.8 million wallets on blockchain.info tend to disagree that people are paranoid enough to care that much. Our goal is to bring colored coins to the masses, and in 2014, this is done through a web application.

Coinprism does all the encryption on the client side, and the goal of this method - also used by Blockchain.info - is to remove risk if the database is compromised. Of course no system is 100% secure, and we are not pretending we are, if you have found a vulnerability, feel free to report it to us and we will give you a bounty.

And regarding address-issued vs transaction-issued, I believe we have already discussed that to death, and we agreed to disagree. I believe being able to reissue a coin is a must-have feature as it makes it pretty much useless otherwise. The price to pay is that you have to be careful with your private keys, but isn't that why it's called a private key in the first place?
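
As an added illustration of the address-issued versus transaction-issued trade-off argued in this thread (the counterfeit "gold coin" scenario in the opening post and the reissuance point in this reply), the script below is example code written for this page; it is not Coinprism's or ChromaWallet's code. It derives an Open Assets asset ID the way the Open Assets specification defines it (Base58Check with version byte 23 over hash160 of the output script spent by the issuing transaction's first input) and, for contrast, a hypothetical outpoint-bound ID that is not part of any real protocol. The issuer key hash and transaction IDs are constructed for the demonstration.

```python
import hashlib
import struct

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
OPEN_ASSETS_VERSION = 23  # Open Assets asset IDs use Base58Check version 23, which yields a leading "A"


def hash160(data: bytes) -> bytes:
    """RIPEMD-160(SHA-256(data)), the Bitcoin 'hash160' that Open Assets applies to the issuing script."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        # Some OpenSSL 3 builds ship without RIPEMD-160. This fallback keeps the demo running;
        # the resulting IDs are then NOT real Open Assets IDs, but the property shown below
        # (same issuing script -> same ID) does not depend on which hash is used.
        return hashlib.sha256(sha).digest()[:20]


def base58check(version: int, payload: bytes) -> str:
    """Base58Check encoding as used for Bitcoin addresses and Open Assets asset IDs."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]  # 4-byte double-SHA256 checksum
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 byte becomes a "1"
    return (b"1" * leading_zeros + bytes(reversed(digits))).decode()


def p2pkh_script(pubkey_hash: bytes) -> bytes:
    """Standard pay-to-pubkey-hash output script: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG."""
    if len(pubkey_hash) != 20:
        raise ValueError("pubkey hash must be 20 bytes")
    return b"\x76\xa9\x14" + pubkey_hash + b"\x88\xac"


def open_assets_asset_id(issuing_output_script: bytes) -> str:
    """Open Assets (address-based issuance): the asset ID is bound to the script of the output spent
    by the issuing transaction's first input, i.e. to the issuer's key, not to any one transaction."""
    return base58check(OPEN_ASSETS_VERSION, hash160(issuing_output_script))


def outpoint_bound_asset_id(txid: bytes, vout: int) -> str:
    """Hypothetical transaction-based scheme (assumption for this example, not Open Assets): the ID is
    bound to the issuing outpoint, so every issuance, genuine or not, creates a distinct asset."""
    return base58check(OPEN_ASSETS_VERSION, hash160(txid + struct.pack("<I", vout)))


def counterfeit_scenario() -> dict:
    """Genuine issuer and a key thief both issue 'gold coins' with the same key (constructed data)."""
    issuer_pubkey_hash = hashlib.sha256(b"issuer key (constructed)").digest()[:20]
    issuing_script = p2pkh_script(issuer_pubkey_hash)
    genuine_txid = hashlib.sha256(b"genuine issuance tx (constructed)").digest()
    counterfeit_txid = hashlib.sha256(b"counterfeit issuance tx (constructed)").digest()
    return {
        # both issuances spend an output paying to the same key, so Open Assets gives them one ID
        "address_based": (open_assets_asset_id(issuing_script), open_assets_asset_id(issuing_script)),
        # the outpoint-bound scheme tells them apart, but would also split a legitimate reissuance
        "tx_based": (outpoint_bound_asset_id(genuine_txid, 0), outpoint_bound_asset_id(counterfeit_txid, 0)),
    }


if __name__ == "__main__":
    for scheme, (genuine, counterfeit) in counterfeit_scenario().items():
        verdict = "indistinguishable" if genuine == counterfeit else "distinguishable"
        print(f"{scheme:13s} genuine={genuine} counterfeit={counterfeit} -> {verdict}")
```

Running it shows both sides of the argument: under address-based issuance the thief's coins carry exactly the same asset ID as the genuine ones, so holders have no on-chain way to tell them apart; under an outpoint-bound scheme the two differ, but a legitimate top-up issuance by the real issuer would also get a new ID, which is the reissuance cost described above.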

Alex Mizrahi

May 17, 2014, 2:48:52 AM
to bitc...@googlegroups.com

> Not sure what the concern is here? Yes, there is always a risk when you use a third party, but this is hardly something new.

Well, it isn't recommended to use blockchain.info for large amounts of money, like keeping your life savings in it. But with OpenAssets, it's the only option for now, right?

I think people should be aware of this.

Also it's worth noting that blockchain.info earned its reputation over years; a new site which uses the same approach isn't automatically as secure. Blockchain.info's wallet is open source:
There is a way to check that it serves the same JS files.
And there is a browser extension option.
 
> 1.8 million wallets on blockchain.info tend to disagree that people are paranoid enough to care that much.

How many people have lost their money in inputs.io? How many believed that keeping bitcoins in mtgox account is safer than storing them locally?

Ordinary users don't know a shit about security.

Oren Gampel

May 17, 2014, 7:29:42 AM
to bitc...@googlegroups.com
I agree that a general warning is warranted:

Coinprism is indeed a few days old site, and web wallets indeed have third party risk exposure.

However:

If someone puts his life's savings on a site that he just arrived at, then any warning is moot. I'm sure that as time passes Coinprism will mature and more and more people will be able to use it safely. The risk is not only from a malicious owner, which I personally don't believe is the case with Flavien, but also from early-stage bugs etc., which always take time to pan out, especially in crypto-heavy code.

Regarding the exposure to a third party: it can sometimes be worth it, considering the fact that managing your keys is still somewhat complex for a simple user. A reliable website can be a better and even safer solution than storing your keys yourself. Again, depending on the geekness level of the end user. I would even argue that the "Ordinary users don't know a shit about security" crowd are exactly those who will reach better security with a reliable and trusted website (if they can find it) than with their keys stored on their mobile or home desktop...


Our space will grow from different approaches that will offer the most options to end users.


Oren
m: +972-544-999-006




stan.st...@hubculture.com

May 17, 2014, 7:35:05 AM
to bitc...@googlegroups.com
Well put.


It's time for a new kind of money: Ven.VC
From: Oren Gampel
Sent: Saturday, 17 May 2014 12:29
Subject: Re: please be careful with CoinPrism

Alex Mizrahi

May 17, 2014, 7:47:46 AM
to bitc...@googlegroups.com
 
> Regarding the exposure to a third party: it can sometimes be worth it, considering the fact that managing your keys is still somewhat complex for a simple user. A reliable website can be a better and even safer solution than storing your keys yourself. Again, depending on the geekness level of the end user. I would even argue that the "Ordinary users don't know a shit about security" crowd are exactly those who will reach better security with a reliable and trusted website (if they can find it) than with their keys stored on their mobile or home desktop...

There is also an option to use multi-factor authentication via multi-sig scripts, e.g.:


Yoni Johnathan Assia

May 17, 2014, 7:50:30 AM
to bitc...@googlegroups.com

The launch of coinprism is a major milestone for the coloredcoins community.

In any bitcoin, and bitcoin 2.0 projects, risk disclaimers are generally a good thing - people should always understand the risks.

The CC should support both txn- and address-based issuance; each has its pros and cons, security vs simplicity.

stuartc...@gmail.com

May 26, 2014, 10:04:43 AM
to bitc...@googlegroups.com
The launch of Coinprism is a great step forward in the community. I tend to agree that while everyone should know the risk potential, it is important to know your central server party and whether you should trust them. Would you trust Mastercoin? Do you trust Coinbase or Blockchain? This solution is a good compromise for the community. No point in throwing rocks at Coinprism unless there is a better alternative or you have found vulnerabilities.

"Trust is a great force multiplier." - Tom Ridge