How trustworthy are the authors of Electrum and MultiBit ? Why are their signing keys not verified?
Hello, I was a bit alarmed by these two posts some weeks ago:

http://www.reddit.com/Bitcoin/comments/210fgj/there_is_an_pgp_imposter_of_bitcoin_dev_gavin/
http://www.reddit.com/Bitcoin/comments/1tin7f/warning_a_fake_electrum_website_with_malware_is/

In the first case, basically somebody registered a PGP key which at first glance looked like the signing key from Gavin Andresen. Such a key could be used to sign malware which appears as the true bitcoin client. This would only be detected if people check carefully. If people do NOT check it - maybe rushing in a situation where the network needs a quick fix - the consequences could be truly disastrous.

In the second case, the Electrum website was actually faked to distribute malware which was camouflaged as the Electrum client. If people install such a client, it could send their bitcoins anywhere - this kind of attack can really cause a lot of grief, too. Note that in some simple setups, it might be possible to recognize the faked web site by its address, but in other cases, this will not be possible - think of insidious attacks on home routers or exploits of the recent Apple "goto" bug, which essentially disables SSL protection.

In these cases, and whenever you install bitcoin software, it is always important to check for digital signatures of the maintainers, which can warrant the authenticity of the code. And doing this properly includes verification of their keys.

To make it short, I was newly installing Electrum and I decided to do it right and to look at the digital signatures and whether the signatures were properly certified in a web of trust. Now, trust paths can be looked up in databases like this one: http://pgp.cs.uu.nl/ It works so that in the "from" field, you enter YOUR key ID (which needs to be connected to the web of trust graph). In the "to" field, you enter the key ID of the signing key for the software. Now, you should be able to find at least one trust path from you to the signing key for the software.

For example, if Mark Shuttleworth wants to verify the key of Gavin Andresen, he enters his key ID, D54F0847, into the "from" field, and Gavin's key, 1FC730C1, into the "to" field. This will look as here: http://pgp.cs.uu.nl/mk_path.cgi?FROM=D54F0847&TO=1FC730C1&PATHS=trust+paths

The trouble is, if Mark looks up the key for ThomasV, it looks like this: http://pgp.cs.uu.nl/mk_path.cgi?FROM=D54F0847&TO=7F9470E6&PATHS=trust+paths That is, currently no trust paths to ThomasV's key are found. The same is true for Jim Burton, maintainer of Multibit. In other words, ThomasV's key cannot be verified if somebody does not have other means. Well, somebody could look into the bitcoin forum - but first, the forum can be and has been hacked. And second, a forum identity does not mean much. Pirateat40 had an account, too, as well as the owner of bitcoinica. I do not suspect the developers of working in an evil plot, but honestly, I'd really like to know a bit more. Now, I have a few questions:
1. Who knows ThomasV? Can a few prominent GPG users from the Bitcoin community who know him kindly sign his key and connect him to the larger web of trust? Otherwise, it would be much more difficult to thwart attacks like the one against Gavin.
2. What do we know about Electrum's (and MultiBit's) developers? What is actually their expertise? Doing crypto well is damn hard. Why should we assume that they have the technical astuteness to move many, many coins around safely?
3. Bitcoin-qt has been audited many, many times by knowledgeable people. Has the Electrum source code been audited as well? To which degree? Has it been audited at all?
Thanks!

Edit: A few developers have posted here... can other people confirm what they say? Can it be proven? Was anyone at that conference?

Edit: As an important clarification: the fact that a key can be found on a keyserver, is signed by some entity, or is contained in the "strong set" of the PGP web of trust or in any web of trust does not necessarily imply that the key is linked to an authentic identity, and even less that the owner is a good guy. It only provides a means to check this identity and to support the assumption that the identity is correct, independent of hacking attempts. And as a reply to some badly downvoted comment: yes, knowing or probably knowing the identity of the author of some code is by no means a substitute for skilled people carefully checking the code and any change in it.
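What the "from"/"to" lookup above actually computes is a path search over the signature graph: each certification is a directed edge from the signer's key to the signed key, and a trust path is a chain of such edges from your key to the software signing key. The following is an added example, not the poster's text and not the code behind pgp.cs.uu.nl. The three key IDs are the ones quoted in the post; the intermediate keys KEY-A to KEY-D and every edge in the graph are hypothetical and constructed only so that the two lookups the post describes (a path to Gavin's key, none to ThomasV's) can be reproduced offline.

```python
"""Shortest trust-path search over a PGP signature graph.

Added example for this thread, not the pgp.cs.uu.nl implementation.
The key IDs come from the post; the graph edges and the KEY-* nodes are
hypothetical (constructed for the demo).
"""
from collections import deque

MARK = "D54F0847"     # Mark Shuttleworth's key ID, as quoted in the post
GAVIN = "1FC730C1"    # Gavin Andresen's code-signing key ID, as quoted in the post
THOMASV = "7F9470E6"  # ThomasV's key ID, as quoted in the post

# signer -> keys that signer has certified. All edges are hypothetical;
# nobody in this graph has certified ThomasV's key, which is the
# "no trust paths found" situation from the post.
SIGNATURES = {
    MARK: {"KEY-A", "KEY-B"},
    "KEY-A": {"KEY-C"},
    "KEY-B": {"KEY-C", GAVIN},
    "KEY-C": {GAVIN},
    GAVIN: {"KEY-A"},
    THOMASV: {"KEY-D"},
    "KEY-D": set(),
}


def shortest_trust_paths(graph, src, dst, max_hops=6):
    """Return every shortest signature chain src -> ... -> dst.

    Returns [] when dst is unreachable within max_hops. BFS records, for
    each key, its distance from src and all predecessors on a shortest
    path; those are then unwound into explicit paths, because each hop is
    a certification the user must decide whether to trust.
    """
    if src == dst:
        return [[src]]
    dist = {src: 0}
    preds = {src: []}
    queue = deque([src])
    while queue:
        key = queue.popleft()
        if dist[key] >= max_hops:
            continue  # bound the search like the web tool's hop limit
        for signed in sorted(graph.get(key, ())):
            if signed not in dist:
                dist[signed] = dist[key] + 1
                preds[signed] = [key]
                queue.append(signed)
            elif dist[signed] == dist[key] + 1:
                preds[signed].append(key)  # another equally short route
    if dst not in dist:
        return []

    def unwind(key):
        if key == src:
            return [[src]]
        return [p + [key] for pred in preds[key] for p in unwind(pred)]

    return unwind(dst)


if __name__ == "__main__":
    for target in (GAVIN, THOMASV):
        paths = shortest_trust_paths(SIGNATURES, MARK, target)
        print(target, "->", " | ".join(" > ".join(p) for p in paths) or "no trust paths found")
```

A path found this way is only as good as its weakest certification: the user still has to decide whether to trust each signer along the chain, which is why the post's clarification that membership in the strong set proves nothing by itself still applies.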
Are we overlooking pgp verification of wallet installation files?
I am curious how many people use pgp to verify the new version of their favorite wallet software every time a new version comes out? To me it seems like pgp verification isn't taken very seriously. Most, but not all, vendors will put out new pgp signature files with each new release; however, if you are relatively unaware of security this could mean you are unknowingly missing a very important step. Importing the author's pgp key, downloading the associated signature file and then verifying the executable isn't very obvious to those who aren't security savvy. However, it is an obvious security hole and a potential honeypot for anyone looking for some easy coin.

One thing I find disturbing is how few of the major wallet developers put any significant effort into educating their users on the first step of securing their hot wallet. Multibit and Armory are the only two clients I know of that give any information on pgp verification, but even Multibit misses this important step on their "How to install" page. Electrum doesn't even provide a signature file for their Linux version, instead providing a hyperlink with an md5 hash appended to it. Bitcoin-qt, from what I can tell, only provides sha256 hashes of their files with zero instruction on how to use them.

To me it seems like the pgp step of securing a wallet is looked at as the boring minor tidbit that you have to have that nobody really wants to put time into, resulting in most vendors throwing up some hashes/signatures with little to no information on how to use them. I think that all vendors should have a section with instructions on how to verify their software, put this as the second step in getting started with their software right after the download step, and make sure to provide pgp signatures for each installer package and not just hashes. For me, not being a security expert, I feel much safer verifying a pgp signature vs checking that a hash matches.

With bitcoins being targeted on a daily basis through incredibly creative means, this seems to me like a giant gaping hole that could be fought with a very small amount of education. Just a thought.

Edit: because I suck at grammar.

Edit: after digging around I found the Electrum signature files for Linux. There is no direct link to the page from their website but they can be found here: http://download.electrum.org/
GPG instructions and public key list for verifying Bitcoin clients.
I have noticed there is a growing problem of fake bitcoin clients, and I expect the frequency and elaborateness of these fake clients to increase. Verifying the signatures for these clients will detect if you are receiving anything other than what the signer of the software signed. The exception to this is if the attacker acquires the signer's private key, which should be a lot more difficult than tricking users to visit the wrong site or hacking servers. This can also be addressed by using multiple signatures per client.

An important part of this process is acquiring the public keys for the software signers in a secure manner. To help with this I have included a signed list of fingerprints and where to acquire the public keys to act as another source to verify the keys used to sign bitcoin clients. I have also included instructions for verifying the fingerprint list and bitcoin clients. To deal with the issue that posts and comments on Reddit can be easily modified, I suggest other users (especially well known ones) post a signature of the fingerprint list in a comment in this thread, or at least a hash of the fingerprint list (not as secure but still better than nothing).

List of Fingerprints:
+++
Bitcoin-Qt:
Signer: Gavin Andresen (CODE SIGNING KEY) [email protected]
Fingerprint: 2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1
Key ID: 1FC730C1
Key Link: bitcoin.org/gavinandresen.asc

Electrum:
Signer: ThomasV [email protected]
Fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Key ID: 7F9470E6
Keyserver: pool.sks-keyservers.net

Signer: Animazing [email protected]
Fingerprint: 9914 864D FC33 499C 6CA2 BEEA 2245 3004 6955 06FD
Key ID: 695506FD
Keyserver: pool.sks-keyservers.net

Multibit:
Signer: Jim Burton (multibit.org developer) [email protected]
Fingerprint: 299C 423C 672F 47F4 756A 6BA4 C197 2AED 79F7 C572
Key ID: 79F7C572
Keyserver: pgp.mit.edu

Armory:
Signer: Alan C. Reiner (Offline Signing Key) [email protected]
Fingerprint: 821F 1229 36BD D565 366A C36A 4AB1 6AEA 9883 2223
Key ID: 98832223
Keyserver: pgp.mit.edu
+++

My Key:

Hashes for fingerprint list:
SHA-256: 7A6B9841 355B1127 E5639A9D 7040D81C F395D382 884376C2 31829C63 6FCF1B80
SHA-512: 04A49A60 A1645479 ED0B3CE9 AE32E156 E9768CC2 0D4EF393 814162BE BFA6FAF5 6C520769 C654467F 6B61EBD4 4A5A5C93 9DF81B7D AA468A50 2DD7FFF3 F637A49C

Verifying the fingerprint list:
Save the fingerprint list, from the first plus to the last plus, to a text file called fingerprints.txt. Next save my key to a file called dcc4e.asc and my signature to a file called fingerprints.txt.asc. In terminal or command line run:
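Two checks sit behind the procedure above and behind the "PGP imposter of Gavin" warning in the first thread: the key you import must match the published fingerprint in full, not merely in its 8-hex "Key ID" (the low 32 bits of the fingerprint, which an impostor key can be made to share), and the fingerprint list you saved must hash to the value published out of band. The following is an added example, not code from any of the posts or from the wallet projects. The fingerprint list is a two-entry subset of the one posted above; the `gpg --with-colons --fingerprint` listing is constructed by hand, and the second key in it is a synthetic impostor (not a real key) whose short key ID collides with the genuine one. The published SHA-256 is not reproducible here because the exact bytes of the original fingerprints.txt are unknown, so the hash check is shown against a locally computed value.

```python
"""Check imported PGP keys against a trusted fingerprint list.

Added example for this thread; not code from the posts or the wallet
projects. FINGERPRINT_LIST is a subset of the posted list. GPG_COLONS is
a constructed `gpg --with-colons --fingerprint` listing whose second key
is a synthetic impostor (fabricated fingerprint, not a real key) sharing
the genuine key's 32-bit short ID.
"""
import hashlib
import re

FINGERPRINT_LIST = """\
Bitcoin-Qt:
Signer: Gavin Andresen (CODE SIGNING KEY)
Fingerprint: 2664 6D99 CBAE C9B8 1982 EF60 29D9 EE6B 1FC7 30C1
Key ID: 1FC730C1
Electrum:
Signer: ThomasV
Fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
Key ID: 7F9470E6
"""

# Constructed colon-format listing. In a `pub` record field 5 is the
# 64-bit key ID, in an `fpr` record field 10 is the full fingerprint, and
# in a `uid` record field 10 is the user ID.
GPG_COLONS = """\
pub:u:2048:1:29D9EE6B1FC730C1:1337000000:::u:::scESC::::::23::0:
fpr:::::::::26646D99CBAEC9B81982EF6029D9EE6B1FC730C1:
uid:u::::1337000000::0123456789ABCDEF0123456789ABCDEF01234567::Gavin Andresen (CODE SIGNING KEY):::::::::0:
pub:-:2048:1:0C0D0E0F1FC730C1:1338000000:::-:::scESC::::::23::0:
fpr:::::::::000102030405060708090A0B0C0D0E0F1FC730C1:
uid:-::::1338000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Gavin Andresen (CODE SIGNING KEY):::::::::0:
"""

FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text):
    """Drop the 4-hex grouping and case; accept only a full v4 fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not FPR_RE.match(fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % text)
    return fpr


def short_key_id(fpr):
    """The 8-hex 'Key ID' keyservers display: the low 32 bits, cheap to collide."""
    return fpr[-8:]


def parse_fingerprint_list(text):
    """Map each 'Signer:' line to the normalized 'Fingerprint:' that follows it."""
    trusted, signer = {}, None
    for line in text.splitlines():
        if line.startswith("Signer:"):
            signer = line.split(":", 1)[1].strip()
        elif line.startswith("Fingerprint:") and signer:
            trusted[signer] = normalize_fingerprint(line.split(":", 1)[1])
    return trusted


def parse_gpg_colons(output):
    """Return [(long_key_id, fingerprint, uid), ...] from --with-colons output."""
    keys = []
    for line in output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "fpr": None, "uid": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]
    return [(k["keyid"], k["fpr"], k["uid"]) for k in keys]


def classify_keys(trusted, keyring):
    """'trusted' only on a full-fingerprint match; a short-ID-only match is a 'lookalike'."""
    by_fpr = {fpr: signer for signer, fpr in trusted.items()}
    by_short = {short_key_id(fpr): signer for signer, fpr in trusted.items()}
    verdicts = []
    for _keyid, fpr, uid in keyring:
        if fpr in by_fpr:
            verdicts.append((fpr, "trusted", by_fpr[fpr]))
        elif short_key_id(fpr) in by_short:
            verdicts.append((fpr, "lookalike", by_short[short_key_id(fpr)]))
        else:
            verdicts.append((fpr, "unknown", uid))
    return verdicts


def list_digest(text):
    """SHA-256 of the list exactly as saved, as lowercase hex."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_list_hash(text, published_hex):
    """True when the saved list hashes to the published value, ignoring grouping and case."""
    return list_digest(text) == re.sub(r"\s+", "", published_hex).lower()


if __name__ == "__main__":
    trusted = parse_fingerprint_list(FINGERPRINT_LIST)
    for fpr, verdict, who in classify_keys(trusted, parse_gpg_colons(GPG_COLONS)):
        print("%s %-9s %s" % (fpr, verdict, who))
```

Only a "trusted" verdict means the imported key is the one the list vouches for; a "lookalike" is exactly the impostor case, a key whose user ID and short ID both look right. Whether the list itself can be trusted is a separate question, answered by the poster's signature on it and by the hashes and signatures other users post in the thread.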
I'm trying to download Multibit from https://multibit.org/community.html, the Win 64 version. It consistently gives a 'The signature of multibit-0.5.18-windows ...

MultiBit is the bitcoin wallet for your desktop. It currently works with Windows, OSX, and Linux. MultiBit is designed to connect directly to the Bitcoin peer-to-peer network.

The MultiBit product would benefit greatly from releasing an on-the-go mobile solution for day-to-day bitcoin requirements, as its lack of cold storage or multiple-signature functionality means users might look elsewhere to store bitcoin savings. However, its user interface, which is among the best in the industry, combined with its compatibility with hardware cold storage solutions like ...

Other advantages that MultiBit has over the native bitcoin client are the ability to open multiple wallets simultaneously (HD support). Plus, MultiBit offers official support for 40+ languages – something we don't see with other wallets. Two of the drawbacks of MultiBit are its lack of two-factor authentication support and its lack of multi-signature support. However, the wallet remains ...

MultiBit is a simple Bitcoin wallet for Windows, MacOS and Linux based on BitcoinJ. Its main advantages over the original Bitcoin client are the option of using multiple wallets at once and the lack of need to download the several-gigabyte blockchain (16.5 GB as of April 2014). The project was founded by English developer Jim Burton.