OutCast3k / coinbin

Javascript Bitcoin Wallet. Supports Multisig, Stealth, HD, SegWit, Bech32, Time Locked Addresses, RBF and more!
https://coinb.in/
MIT License
909 stars 622 forks

Please disable any functionality that requires private-key handling from coinb.in and other versions of this app served online #199

Open fresheneesz opened 4 years ago

fresheneesz commented 4 years ago

It's great that you've created this and open sourced it. However, serving this online is very problematic:

To remedy this, please create instructions for how someone can download, verify, and use this application offline. Also, please disable any functionality that requires any kind of private key or seed handling from coinb.in, the tor service, and the github hosted page. And please add a note about why this has been done and why letting an online webpage handle your private keys is unsafe.

Honestly, no disrespect - this clearly took a lot of hard work and ingenuity to build - but it's irresponsible to serve this application as it is and let countless people compromise their security for the sake of convenience.

ruthtern commented 4 years ago

Fake concern Authoritarian demands

Go away

fresheneesz commented 4 years ago

@ruthtern Care to justify your opinion, like I did? In what world is what I said in any way "authoritarian" or "demands"? I'm asking nicely.

Update: I take it from your silent downvote that you have nothing of substance to say.

OutCast3k commented 4 years ago

Sorry, it's unlikely I'd remove this feature.

I understand your concerns, but it's not going to happen for now.

All the best.

ellttBen commented 4 years ago

Hello, I believe there is a way to satisfy everyone in this case. By running the website on ipfs, which is an absolute breeze in my opinion, you can get the assurance that the website you're loading is completely unaltered since an ipfs address (or CID which stands for content identifier) is tied to the cryptographic hash of the content itself. Anyone can add the website to ipfs and get the same CID independently to verify this. You can then offer from the website a link to the ipfs-hosted version of the website as an optional added safety measure, with some documentation about how to independently verify the CID (which I would be glad to write if there's any interest). If you want to go further down that route, there are actually ways to configure your DNS to serve directly from an ipfs gateway through Cloudflare or the local ipfs node if the browser supports it. There is also a way to use ipfs's distributed DNS (called IPNS) in order to serve new versions of the website, this time signed by your own public key. Switching over completely to ipfs would drastically reduce your hosting expenses as an added bonus. (You could theoretically host this on a Raspberry Pi and use IPFS as your own CDN...). Plus you'd be supporting the decentralized web :rocket: . Have a great day!
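The property the comment above relies on (an identifier derived from the content, which anyone can recompute independently) shown as an added sketch that is not part of the thread or of coinbin. It uses a plain SHA-256 manifest hash as a simplified stand-in for an IPFS CID, which is constructed differently, and the file names and contents are constructed samples.

```python
import hashlib
from pathlib import Path

def load_tree(root):
    """Read every file under root into {relative_posix_path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}

def file_digests(tree):
    """SHA-256 of each file, keyed by its path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def root_digest(tree):
    """Hash the sorted (path, file digest) manifest into one identifier.

    Simplified stand-in for a CID (assumption): real IPFS chunks files and
    hashes a UnixFS/dag-pb DAG, so this value is not an IPFS address.
    """
    h = hashlib.sha256()
    for path, digest in sorted(file_digests(tree).items()):
        name = path.encode("utf-8")
        # Length-prefix the path so two different trees cannot serialise alike.
        h.update(len(name).to_bytes(4, "big") + name + bytes.fromhex(digest))
    return h.hexdigest()

def changed_files(reference, candidate):
    """Paths that were added, removed or modified relative to the reference."""
    a, b = file_digests(reference), file_digests(candidate)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

# Constructed sample trees (hypothetical file names and contents).
PUBLISHED = {
    "index.html": b"<script src='js/wallet.js'></script>\n",
    "js/wallet.js": b"function sign(tx, key) { return tx; }\n",
}
MIRROR = dict(reversed(list(PUBLISHED.items())))   # same content, other order
SERVED = dict(PUBLISHED)
SERVED["js/wallet.js"] += b"// one line the publisher never wrote\n"

if __name__ == "__main__":
    pinned = root_digest(PUBLISHED)
    print("mirror matches pinned id:", root_digest(MIRROR) == pinned)
    print("served matches pinned id:", root_digest(SERVED) == pinned)
    print("files that differ:", changed_files(PUBLISHED, SERVED))
```

To check a real download, pass the unpacked directory to `load_tree` and compare `root_digest` with a value obtained through a separate channel.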

fresheneesz commented 4 years ago

@ellttBen That's a really interesting idea! Very cool!

@OutCast3k

> I'm not going to switch to malicious code.. I'm not completely anonymous.. It's unlikely I'd ever let the domain lapse .. always delivered my promises over the past 8-9 years

Thanks for the assurance, but A. How do we know that besides your word? B. How do we know your security is good enough that your web site serving will never be hacked? C. How do we know you'll keep this host name forever? The answer is, we don't and we can't. There's no way for us to verify any of those things. I'm sure you're a great guy doing great things for the bitcoin community, but teaching people to trust websites with their keys is demonstrably harmful.

For anyone who is savvy with security, they may take the time to verify your trustworthy record and up-to-date ownership over the domain. However, it's not the savvy users that are the problem here. It's the newbs who will just say "I always let coinb.in have my private key and it's been perfectly fine for me" and "I thought you had to give your private key to web services, I didn't know they could steal my coins with it!" Even if your service is perfectly reliable and trustworthy, it's teaching newbs that this is best practice and that they shouldn't worry about it on other shittier services that might be or become malicious at some point.

magickalJ commented 3 years ago

> @ellttBen That's a really interesting idea! Very cool!

I agree, I'll look into it myself as well, though not very code savvy in comparison to sysadmin stuff, as IPFS is on my agenda anyway.

@fresheneesz I also agree with you and your points are also some thoughts to be supported in general, I think. However, isn't it common in open source to not just suggest such huge (paradigm) shifts which require quite some work by the original developer but in contrast to just go ahead and start making those changes you suggest? I'll try my best to understand each line of code here, sure, but as I got limited time as well there is also at least some trade-off between trust and convenience happening; so while your arguments are valid, what's the issue about going ahead and do accordingly?

Please correct me if I'm doing you or someone else wrong and it already happened somewhere properly, I am not aware.

jordanius commented 3 years ago

Wait... there are "newbies" using... coinb.in? You seriously think this? This is an advanced tool for creating bitcoin transactions as pure text whose audience is limited pretty much to other programmers. You want the author to cut out the ability to use the application as a live website? And a possible "solution" to these imaginary concerns is to switch the whole thing over completely to IPFS? You guys are joking, right? Please tell me this whole thing is simply sarcasm. All of the "concerns" being raised just reek of someone who's been up coding for way too long and needs to take a break, go outside, talk to some people, etc.

I'll echo the first reply: go away. Oh, and then look up the word "pedantic". It's not just the name of a GCC flag...

fresheneesz commented 3 years ago

@jordanius I think people might take you more seriously if you were less of a dick (or maybe if you had more than 1 contribution on github). Just a thought : )