Remove Web/Cloud Wallets

[schildbach]

With web wallets being robbed each week (today: 40k coins stolen from "sheep market place"), I propose

• remove all web wallet / cloud wallet recommendations from bitcoin.org.
• replace the right "web wallets" column on the "choose your wallet" page by just a big warning, basically the same text as in the current red "be careful" warning.

I volunteer to provide a patch, if we have a rough concensus for this change.

[ghost1542]

I would certainly be interested to know what others think about that.

[gmaxwell]

I think my views were well known on this subject matter...

...but I also think that client quality is a more complex story than "web or not", none of the wallets are flawless today, all have limitations which could harm their users. Many of the web wallets have better privacy than e.g. wallets that force constant address reuse, arguably better then ones without a good backup story (e.g. Bitcoin-qt fails here), better ecosystem security impact than ones that refuse to send to people who use multisignature security, etc.

So while I opposed ever listing them, and still am not fond of them, I am— perhaps— a little less confident that we'll be doing people a service by delisting them when some of the alternatives we do list are inferior in ways beyond short term ease of use. Heck, we have an 'open source' wallet, that I don't believe anyone but it's author has successfully built in recent memory.

I'd like to see the community come up with a set of criteria that we'd like to see for wallets listed on Bitcoin.org, work towards achieving the requirements in all wallets, and then impose them on Bitcoin.org. Such a criteria would probably naturally exclude most (or all) web wallets, but then we could be more confident that in doing so we wouldn't be recommending something worse.

[luke-jr]

I agree with @gmaxwell for the most part. Ideally, we would have a certification process that includes independent binary verifications (eg, gitian; this eliminates everything but Bitcoin-Qt/bitcoind today) and not promoting any erroneous/confusion misunderstanding about Bitcoin (this eliminates at least all the Android wallets and Electrum today). But today, I think some compromise is necessary.

[ghost1542]

I agree with @gmaxwell on this too. I don't know when / how this should be discussed though.

Two recent comments on bitcointalk left me wondering if listing web wallets (even with the explicit warning) promotes them more than it educates visitors. So while I hoped that bitcoin.org could educate users and be used to incentivize these services to implement good practices, I am less convinced that this is the best approach today.

I am very interested by any useful guidance from developers regarding all wallets. For instance, I previously expressed concerns regarding auto-updating mechanisms of Android wallets and interesting solutions have been suggested (e.g. threshold signing).

[mikehearn]

This seems to mix up wallets like blockchain.info which don't hold users private keys with coinbase/exchanges, which does. Treating them the same way seems unfair - arguably b.i is no worse than any other system that can be auto updated, theft-wise.

So realistically the only one that would be considered removable due to hosted wallet thefts would be Coinbase, and frankly bitcoin.org should probably be promoting them at least for US visitors, given that it's currently the only easy/cheap way to buy Bitcoins inside America. It's promoted at the top of howtobuybitcoins.info for the US section anyway, so IMHO it makes little difference what is done on the choose your wallet page.

[mikehearn]

Let's revisit this. There have been three web wallets that exploded messily in recent days and now we're seeing press articles like this one:

http://www.theguardian.com/technology/2014/mar/04/bitcoin-bank-flexcoin-closes-after-hack-attack

I'm consistently amazed at the amount of money these services have on deposit. Clearly a lot of users aren't getting the message about not needing to trust third parties. Presumably, those who make their way to the bitcoin website already are ahead of the curve, but putting a strong warning there seems like a better and better idea.

[ghost1542]

@mikehearn Any idea of what improvements could be done? Flexcoin just shows that despite not being listed on bitcoin.org, online wallets will continue to harm users. Bitcoin.org actually already warns people against such services, so I don't know if there's any efficient thing left we can do with bitcoin.org.

I can however start a discussion on bitcointalk or anywhere else this could be more suited about wallets inclusion guidelines.

[mikehearn]

I'm wondering if we should put a warning box at the top of

https://bitcoin.org/en/getting-started

But you're right. The current "choose your wallet" page has pretty reasonable warnings on it. Perhaps there's nothing more we can do here.

[ghost1542]

@mikehearn Mmh, the "Secure your wallet" page is linked everywhere for this purpose. However, how about if I give extra importance to the "Be careful with online services" text (see screenshot below).

Changes include moving text to the top, adding a warning icon and updating the text to mention the bad history of security breaches in online wallets and further mention that people can use Bitcoin without using such services. Branch: https://github.com/bitcoin/bitcoin.org/commits/warning

[mikehearn]

Yeah that looks good!

[gmaxwell]

I'd drop out the two-factor comment. Actual implementations so far are largely snake-oil: They don't protect against theft by the service operator (e.g. how two factor using a trezor as a multisigner would), they don't protect against compromise of the service, they don't really protect against compromise of the users system (because there is existing malware that just diverts the session once you auth).

Not to say that they aren't good to have and shouldn't be used, but they don't make a material enough improvement— as they are being done today— to wave away any of the prior concerns, and I think the current construction there might be read as suggesting they do.

[mikehearn]

I think the comment is fine. It's just saying, don't do this but if you insist at least do that.

As a veteran of Google's wars against phishers and hijackers I've seen how effective 2FA can be. Sure it doesn't stop against hacked or malicious service providers but it's very effective at blocking many common attacks on individual account holders.

[gmaxwell]

@mikehearn I'm confused as to what relationship that has at all with that text. The text is about hacked and/or malicious service providers.

[mikehearn]

The text is giving advice for people who choose to disregard the warning and use such services anyway. It's good advice. So what's the problem? It's like saying don't play with venomous snakes, but if you do at least have a doctor nearby to help you.

[ghost1542]

I had a similar opinion on the currently published text, but mentionning two-factor auth seemed important regardless. How about we just split the sentence like this:

Accordingly, you might want to use other types of Bitcoin wallets. Otherwise, you should choose such services very carefully. Additionally, using two-factor authentication is recommended.

[ghost1542]

Closing this issue as it has been addressed differently by the new page layout.

[barmstrong]

Further complicating this issue is that sites like Coinbase actually do offer options to control your own keys now: http://www.reddit.com/r/Bitcoin/comments/2woas8/psa_you_can_store_your_own_private_keys_on/

Most on this thread are well of this, but just to make it clear, there are a variety of ways to lose coins in addition to a hosted service being hacked.

• on hosted sites that only store encrypted keys, you can still get phished
• people can forget passwords
• people can lose backups, or lose devices themselves

I've never seen any hard data on how often coins are lost due to the above vs a hosted website getting hacked. One thing is for sure, when a hosted site gets hacked it is usually a large amount all at once, whereas the other methods mentioned above happen in small amounts on a more regular basis, and the fault is usually blamed on the user instead of a company.

Anyway - security is a complex topic. I agree it is not as simple as saying hosted services = unsafe.

[ghost1542]

Concerning the above, some food for thoughts in case someone wants to work on these ideas on separate pull request / issues:

Optional multisig: I previously thought we could apply a neutral (grey) score explaining to the user that they have both choices for Coinbase and Coinkite. I however didn't have enough time to completely test both services and see if I could I could recover access to the funds offline without the other party's permission. Additionally, the score text is pretty hard to write in a simple and understandable way.

User mistake: At least when it comes to lost wallets and passwords, web wallets sometime offer account recovery options that can get around this issue and HD wallets now often have clear, simple and semi-mandatory backup steps on setup (e.g. many force the user to write the mnemonic seeds on paper and later ask them to provide certain words to make sure they didn't dismiss the step). I think this is something that would be meaningful as a future requirement, perhaps once Bitcoin Core also becomes a HD wallet.

Anyway - security is a complex topic. I agree it is not as simple as saying hosted services = unsafe. ...I've never seen any hard data on how often coins are lost due to...

At the very least, this survey is quite revealing. Although it doesn't cover a very important aspect (how much coins people have lost), it clearly shows that both user mistakes and third party risks are common. So it's indeed not all black or white.

Web wallets are probably often disadvantaged because they are more opaque by design. Some like Circle and Coinbase probably meet very demanding audits and security requirements behind the scene, yet it is hard for bitcoin.org contributors to verify such claims and avoid bad mistakes. Like suggested on #746, I think having more insight into the security of web wallets could be useful to update requirements, scores and listing order, if someone had time to spend time on this.

To quote gmaxwell:

we should probably require the service have some statement on how it would hacking, insider theft, etc. E.g. Does it have insurance which covers users assets? To what degree? Is it self insured? Does the insurance actually protect the users? Can it prove that it actually has the users funds and isn't secretly fractional reserve?

[harding]

I don't like discussion on closed issues---it makes it hard to keep track of unresolved concerns---so I'm going to reopen this issue. If the discussion falters without any new conclusions, I'll re-close it in about a week.

[harding]

Here are the wallets currently listed in the Web section:

I believe almost all of them have a mobile app, a browser plugin, or both. I haven't given this any real thought, but maybe it's time to fold those apps/plugins into the mobile/desktop sections and then remove the web wallet section.

Treating everything as an app would make it easier for us to emphasize to users the security and privacy (and other) differences between wallets.

[ghost1542]

@harding ...So basically all web wallets would be added to the Desktop section and those with a mobile app would be added to the Mobile section as well? Maybe this would make sense at this point.

For the record, Bitgo, Coinapult and Coinkite have no desktop or mobile apps (AFAIK).

[harding]

@saivann I was thinking:

• Wallets with a mobile app would be placed in the appropriate categories (android, ios, blackberry)
• Wallets with a browser plugin would be placed in all three desktop categories (win, osx, linux)
• Wallets with neither an app nor a plugin would be delisted.

I haven't verified this is really them, but BitGo seems to have a Chrome app: https://chrome.google.com/webstore/detail/bitgo/jlgeogaipkoajobchncghcojanffjfhl

That leaves just Coinapult and Coinkite without apps. Also pending wallet requests Celery (pull #730) and QuickWallet (pull #550) don't have apps that come up in the first page of search results---all the rest seem to have apps. Relative to the total number of wallets currently listed (14) and that want to be listed (10), losing 4 seems like a low number.

[ghost1542]

@harding Considering that 1) An app does not add this much security for custodial wallets, 2) Delisting wallets always generate significantly negative noise and 3) There is a score dedicated to remote apps, I feel like this could be avoided.

[harding]

@saivann what amount making it a forward requirement, so that Coinapult and Coinkite get "grandfathered in" to the desktop section, but we don't add any new wallets to that section unless they have an app?

[ghost1542]

@harding I think if such a requirement is applied, it should be applied to all wallets, and ideally wallet developers should be made aware of it and possibly given reasonable time to implement the changes.

But I think my main question is: Does it make sense to make this requirement a priority when considering the security improvements versus the effort required to provide an app, and the drawbacks (diminished compatibility and more complexity on desktop).

It's also worth to note that there is few difference between "remote app" and "auto-updating app", except when updates need to be signed. Maybe this should be the real focus. I still don't know if Chrome apps are signed or not...

To my understanding, for there is any security improvement with providing an app, one must be sure that the app indeed provides the whole frontend locally. I haven't checked if this is the case for BitGo, Circle, Coinbase, Xapo. Any app could otherwise easily just load most of the website remotely.

It's also worth to note that wallets will all continue to work without an app, and receive significant users this way. So it is hard to assess if requiring an app will make any strong difference on desktop.

[FrancisPouliot]

As far as I'm concerned I would not remove the web-wallet section. A compromise might be to have a "web-only" wallet section for the likes of Coinkite and Coinapult? In the "mobile" section we could add a mention for apps what also have a website equivalent

[ghost1542]

@FrancisPouliot Not a bad idea, although one advantage with the current layout is that wallets which are providing apps get increased exposure by being listed twice, so this provides an incentive. I feel like this could be applied to custodial wallets like Coinbase and Circle as well if we had more insight into their background security, audits and insurances.

[harding]

@saivann

But I think my main question is: Does it make sense to make this requirement a priority when considering the security improvements versus the effort required to provide an app, and the drawbacks (diminished compatibility and more complexity on desktop).

I don't think I said that only accepting apps would provide more security, but rather that it would make it easier for us to emphasize the security differences. For example, BW4A's page says:

Coinbase's web wallet says:

It's my understanding that you re-designed the wallet page and previously closed this specific issue because you thought users could make better informed choices with the new wallet scores. So let's use them! Let users decide based on the information we give them whether they want to use a native P2P SPV client with support for hardware wallets or an app that just makes some API calls to a remote site that does all the real work.

As for the "drawbacks", how much of an issue are they really? (@FrancisPouliot, your insight from working with Bitcoin novices would be especially insightful here.) It seems to me that all of wallets we list that I've tried are really easy to install and use---even Bitcoin Core if you don't mind waiting overnight for the sync.

[ghost1542]

@harding Sure. In case this wasn't obvious, delisting wallets because they don't provide an app is what I feel uncomfortable with. Listing them alongside other wallets with the appropriate score (if we give a good score for Chrome plugins to protect the incentive), on the other hands, is something I think could probably make sense.

Although of course please feel free to disagree :) I have commented a lot at this point and don't want to be orienting the discussion without doing the work. I only hope my comments are useful.

[harding]

@saivann oh, you were right to feel uncomfortable---I do think we should delist[1] wallets that don't provide an app. However, I have no desire to push that through against your advice.

I have commented a lot at this point and don't want to be orienting the discussion without doing the work.

I feel the same way about my comments. I've been wracking my brain out for a week now trying to think of some way to make the Choose Your Wallet page require less time to maintain without compromising the quality of the listings.

All the ways I've thought of require higher standards so fewer wallets qualify, which means we'd need to delist wallets. I've said before that I think this is the direction we need to go, and that it "will probably lead to uncomfortable conversations." I guess this is one of them. :-(

[1] It's not really delisting. It's just removing the category they're currently listed in. D'ya think that would convince the critics on Reddit? :-)

[barmstrong]

Qualifying apps is a hard problem. There are generally a few approaches I can think of:

1. Consumer Reports - they've dedicated themselves to doing rigorous testing of products to score them, and their score carries a great deal of weight since people can see how much they invest in it, there is a business model to fund this level of testing
2. Google Play Store - they let the wisdom of the crowds determine the winners over time, by rating, number of installs, user flags and don't offer any opinion themselves except to remove clearly malicious apps
3. Wikipedia - list everything that is noteworthy (the only threshold is whether enough people will know of it or care) and try to leave out any judgment of the items. In other words, eliminate bias, and try to only provide facts.

My feeling on this situation is that we are currently trying to be consumer reports but don't have enough resources to do it effectively, and there is a great deal of conflict (bias?) about what the standards should be to judge good vs bad. People have different preferences for what is a good or bad wallet. We could try the Google Play version - but we might not have real time access to all the data to appropriately rank them. This leaves the Wikipedia style in mind as the right option. Go for completeness, list facts, eliminate value judgement on it. This would end up with a table of results, something like this page on Wikipedia http://en.wikipedia.org/wiki/List_of_countries_by_English-speaking_population

If people want a ranked list, they will probably type "bitcoin wallet" into Google and start to click through those results.

(one other option would be paid listings where you bid for the top spot, but that probably isn't right for a .org site)

[harding]

@barmstrong thank you for your insightful comment.

The Wikipedia style would certainly be the easiest option to maintain, but how are users supposed to reasonably evaluate two dozen different wallets if we experts can't even manage to evaluate all those wallets ourselves?

I fear such a list would simply result in users choosing wallets based on things they understood, such as popularity or date of most recent release, rather than important (but technical) security and privacy terms that mean nothing to them.

Filtering recommendations by popularity is something I've been thinking about, but popularity seems to be better correlated with marketing budget than technical quality, and I'd really like to ensure we list apps that tackle the hard problems in decentralization and privacy. (Is this a bias of mine? I suppose it is, but I'm comfortable with it.)

The Consumer Reports model is, as you say, pretty much what we do now. However, I think people miss the fact that CR typically only evaluates a small subset of the available options. That is, their refridgerator buying guide only compares a dozen different models---but there's many more than that sitting in your local applicance store.

Our current wallet review system works the other way around---wallets choose us instead of us choosing them. And because of the meritorious principles that run through open source communities like ours, we can't refuse to consider anyone without a really good reason.

I think it's possible the CR model could work for us if every six months a group of us chose in secret which n wallets we would review and then confined our efforts to just those wallets. This would not be very open source, but it would be maintainable with a roughly fixed amount of effort no matter how many new wallets get released every year.

[barmstrong]

The trouble is that the bitcoin.org site is trying to express opinion right now on what is safe and what is not, but this opinion is being designed by committee. You're always going to struggle with that because people have different opinions on that, there isn't a clear definition of "secure" in bitcoin.

There either needs to be one person who has the final say on that page (if it's you I'm fine with that) and disclose that it is an opinion curated by one person (although to me this seems out of place on a site like bitcoin.org). Or give up stating opinions and value judgements and go for facts instead (wikipedia model) which are harder to dispute.

I don't envy your position. It sounds like you'll have to make a decision to move things forward, and I can tell you've been working hard on it so thank you for doing that.

Selfishly my only concern here is that the second most popular wallet on Android (as chosen by users) is not currently listed as an option on bitcoin.org. That doesn't seem correct to me, so I'd like to fix it. But I can tell from this thread there are lots of issues going on.

If you make a decision for a direction to go on the page and would like some resources to create it Coinbase is happy to chip in with a PR and/or design love.

[luke-jr]

I don't think the GooglePlay/Wikipedia options are practical, given the nature of bitcoin wallets (as you say, users can't reasonably evaluate these). But at the same time, I don't think it's ConsumerReports-quality-or-nothing - striving to present the best recommendations possible, without being too biased or having a dedicated team working on it, seems perfectly reasonable here.

I don't think the problem with this approach is the existence of opinions nearly as much as it is the lack of quality of the existing wallet software - because of the latter, we're forced to choose between not showing anything vs showing software that does not meet a reasonable minimum standard of quality (Bitcoin Core is close, but still falls short as a wallet). It makes sense to raise the bar on what is required for recommendation as existing wallet software is improved.

[ghost1542]

The trouble is that the bitcoin.org site is trying to express opinion right now on what is safe and what is not

I must say I am confused by this statement. Bitcoin.org only sticks to verifying and reporting a few basic facts about wallets, most of them being about letting the user know when/if the wallet requires trust. A wallet that requires more trust isn't systematically insecure and the scores have all been written accordingly. Popularity is not a measure of quality (Mt Gox, inputs.io), however many other points are good clues, such as public track record, insurances, audits. This is why I encourage Coinbase to provide more transparency on the later.

[harding]

@saivann we express lots of opinions:

• Green color for things we think are good; yellow for things we think are less good
• Sorting wallets by their levels of decentralized trust
• Saying some things, such as a lack of HSTS, are not allowed
• Etc...

I think we're all agreed that expressing these opinions makes the page more useful for non-experts, but that researching these things and then trying to form consensus about their relative importance comes at a cost.

(I'm currently thinking about @barmstrong's and @luke-jr's most recent responses and hope to add my own well-considered comment to the conversation later today.)

[ghost1542]

@harding I think the ordering and listing bias is a conservative move we've had to adopt to protect bitcoin.org contributors and visitors in the absence of reasonable insight, rather than a true opinion. If it is a fact that users are completely at the mercy of certain services, it doesn't mean that these services will abuse this trust, it only means the risk is greater. If the opposite can be demonstrated, for example with audits, regulations, insurances, or anything else, I think this bias could deserve to be revisited.

[FrancisPouliot]

@barmstrong for security it would be ideal, in my opinion, to use the Crypto Consortium Security Standards as a template (or the in its current form). see: http://cryptoconsortium.github.io/CCSS/

Another useful framework was developped by a friend of mine (shayan) and Jeremy Clarck which is also a useful resource for assessing wallet security: "A First Look at the Usability of Bitcoin Key Management "http://www.internetsociety.org/sites/default/files/05_3_3.pdf

@barmstrong although I think there are undeniable "objetive" characteristics (mostly security related) users value certain features more than others. Usability and the ability to easily make back-up are important but both are subjective.

If we had the money we could use focus groups / polling to determine the usability and how easy users can secure their keys / make back-ups and then have some form of data. The idea is to have input not only from people interested in giving input (which will probably be biased in the expertise level of using Bitcoin).

Food for thought - I realize such research is a lot of work / is costly.

[luke-jr]

CCSS's recommendations, although a bit convoluted at present, seem like a decent starting point for webwallet provider security standards.

[FrancisPouliot]

@luke-jr wallets need to be audited against the standards. perhaps we can convince auditors (like Michael Perklin) or other infosec people to do this voluntarily

[luke-jr]

@FrancisPouliot You mean non-web wallet software? Those standards don't make sense for that..

[FrancisPouliot]

I'm not an info-sec expert myself, I should make clear. After reading the standards I though that some of the features might apply to non-web wallet software such as Key Storage, Key Generatio, Key Usage, Security Audits. There are some aspects that clearly don't apply to non-web wallets such as proof of reserves.

An easy fix would be to put "n/a" in the appropriate category if it does not apply http://i.imgur.com/VCVp8AT.png

Alternatively, the standards could only be used to web-wallets, although it was my impression that the standards could be used for some mobile apps too

[harding]

My experience reviewing wallets for the site is not as extensive as @saivann's, but I strongly feel that the most difficult part---and perhaps most important part---isn't the technical review. That's pretty easy actually. What sucks time and mental energy are the non-technical parts where we try to guess whether the team behind the wallet can be trusted and whether users of the wallet are at increased risk of losing their bitcoins.

I think explicitly expressing our opinions could both simplify reviews and better help users. Reviews could be simpler because we could directly state our doubts rather than, as I have done, researching them excessively in order to find a smoking gun that would allow us to disqualify that wallet. An overtly opinionated review could also better help users by allowing us to more easily express wallet benefits and drawbacks that don't fit within our current scoring system.

There either needs to be one person who has the final say on that page [...] and disclose that it is an opinion curated by one person (although to me this seems out of place on a site like bitcoin.org).

I think it's possible to make it more granular than that. The site stakeholders could choose several people we trust to make reviews and then each wallet author could choose a specific reviewer from that list and agree to accept their judgment. After, say, six months, the wallet author could ask for a new review from a different reviewer. The review would be credited to the specific reviewer, removing the need to have one person who has final say on the page.

Below is a quick 5-minute mock-up of what it could look like, along with some additional features to address other concerns in this thread (like how we currently judge wallets purely by their default features rather than what it's possible to enable) plus the ability to filter wallets by arbitrary criteria so users can just keep playing with the toggles until they find a wallet they like: