Showing 20 of 35 results by mbelshe
Post
Topic
Board Web Wallets
Re: BitGo.com - full control over your Bitcoin?
by
mbelshe
on 19/02/2017, 16:40:29 UTC
Essentially, the online wallet service holds the private keys for you and performs the transaction for you. You only put trust in them and they actually hold the bitcoin for you. In case the service goes down, you lose all your bitcoin with it.

This is not true.  If BitGo goes down you still have all your bitcoin due to the 2-of-3 system.  BitGo is non-custodial.

Mike
Post
Topic
Board Web Wallets
Re: BitGo.com - full control over your Bitcoin?
by
mbelshe
on 19/02/2017, 16:38:51 UTC
I just set up a wallet on bitgo.com

The main reason is the instant transaction with their partners kraken, bitstamp and so on.

Just realized that they charge a 0.1 % fee for every transaction, even for ordinary transaction without the instant feature.
Doesn't sound much at first. But quite a high fee when transmitting 10 BTC.

Did I get it right that with the pdf you download while creating the wallet, you get one of the 3 secret keys and one encrypted public key to get a second private key stored at keytern.al?
I would feel safer to have the second private key under my control...

When you create the wallet, you have the option of where to store the second key.
* If you choose keytern.al to store your second key, you can get BitGo Instant capabilities.
* If you store the key yourself, then BitGo Instant wouldn't work because you could double spend yourself.

The trust point you have here is that keyternal and bitgo are not working against you or related.  We aren't.  Two separate companies.


So in case bitgo.com is down or disappears for any reason you'd be able to move all your BTC to another wallet address?

But how is that possible if bitgo.com creates a new wallet address every time you receive BTC?

We have open source utilities to do this (see the github repo for BitGo and test it out yourself!).  The different addresses are created using key derivation; key derivation is a cryptographic method where you can generate a new public key for another key with only the public portion.

In other words:
   f(k1) = k2    (doing this operation on the public key yields a new public key)
   f(K1) = K2   (doing this operation on the private key yields a new private key, corresponding to the same, new public key, k2)


Wouldn't you need all those private keys of those addresses?


Nope!
Please enlighten me!

PS: think about bitcoin going to the moon and having 1,000,000 Dollars on BitGo. Wouldn't it be cool to pay 1,000 Dollars for moving them? Isn't it just possible to use the private keys to do that and avoid the fee?


Yes it is.  With BitGo, we never hold your keys; if you want out, you can go back to the chain and do it yourself at any time; including to just avoid fees, if that is what you want to do.

Hope this helps!

Mike

Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 14/10/2014, 00:12:54 UTC
Anyone know why the BitGo site is empty?  Just the title page works for me, no content.

It definitely should not be the case!  Feel free to send me or support@bitgo.com email and we'll get this sorted out.

Thanks
Mike
Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 14/10/2014, 00:10:56 UTC
BitGo is a great proof of concept. I'm almost certain that multisig wallets like this are how the majority of people will use bitcoin for day to day transactions in the future (the only alternative to multisig+3rd party being multisig+hardware wallet)

Though I second ADgordo that it badly needs to support deterministic wallets. Full on HD wallet support (BIP32) would be awesome. Having single-address wallets in 2014 is a big turn off.

BitGo has been full HD for at least 6 months :-)

Mike
Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 14/10/2014, 00:02:45 UTC
People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info? I see a couple of problems with this one. How are they generating the 3 keys? If it isn't client side, it isn't safe. If they are holding on to the 3 keys even indirectly they are not safe. It isn't open source, so there is no way to verify or run this service on my own. Also all web wallets will be considered not safe until they implement trezor support.

So again, don't use web wallets; none of them are safe unless you are using a trezor or hardware option to sign the transaction.

What surprises me is that you think your desktop wallet is safer.  It's absolutely not.  Did we not learn anything from the growth of malware over the past 10 years?  30% of home computers are running malware already, and the numbers are growing, not shrinking.  Every desktop wallet, from Armory to Bitcoin-QT, etc, is vulnerable to these attacks while BitGo is not.  Any single-signature wallet is even more vulnerable.

So perhaps all of us should stop thinking of wallets as either "desktop" or "web".  BitGo is both.  BitGo is a desktop wallet (use the chrome app) with a web service component (the BitGo service).  The two together are called a "multi-signature wallet", and as we all know, this has been declared the "year of multi-sig" for a reason:  because it is safer than desktop or web wallets.

But to answer your questions:  the keys are provisioned on machines other than the service with the user's full control, and are never known to the service.  Hardware signing is coming too.

Mike
Post
Topic
Board Service Discussion
Re: BitGo.com: Really more secure than cold storage?
by
mbelshe
on 11/10/2014, 16:08:46 UTC
Hi, most of the problems in the past about stolen money was caused by some leak in the online servers.

What guarantees do you put in to avoid being hacked?
If an attacker hacks your server, they can do whatever they want; especially, they could wait for some big accounts to log in, send fake JS to the client, send a hacked updated version of the app to chrome, etc.
I only see that it is probably harder to hack than blockchain.info, but still you are somewhat vulnerable.

I'm not saying they would be able to sustain that problem for a long time, but one day or even some hours doing so could be catastrophic for all users using the service at those hours.

Am I wrong?

No, you're not wrong, but "security" has so many facets, that you can't simplify the problem to just a couple of sentences either :-)

A couple of points:

a) You can't guarantee against being hacked.  Security is not a feature you finish - it's something you work on forever.  But what you can do is to build a system where the damage of an attack is minimal.  Since BitGo doesn't have two keys, the attacker wouldn't get anything immediately by breaking in.  As you point out, he could "lie in wait".  Keeping the bitcoins safe is much easier in this situation, because it is now a matter of quickly detecting the intrusion rather than having to protect data.  Unlike coinbase, or other traditional online services, we don't have large pools of bitcoin waiting to be tapped.  Every user has their own keys, so each user is individually partitioned.  This makes it much less attractive to the intruder to attack.

b) You correctly point out that to date, press-worthy attacks have been primarily against online services.  This is true.  But it's about to change.  The reason the attacks have been against online services is because we've been naive and secured large pools of bitcoin behind a single signature!  The attacker breaks in, and instantly has access to all customers' funds that use that service.  Both blockchain.info and bitgo avoid this problem by having each customer retain his/her own keys.  Using multi-signature on top of that protects from malware as well.

c) There are many people that think their desktops are safer for their wallets.  They aren't.  They're only safer than online wallets that use single-signature tech.  Hackers have already started to retool their malware (and about 30% of all home computers are breached already).  Those tools will be in every desktop wallet and simply take the unencrypted keys.  You need to use multi-signature for sure, and to make it easy, you're probably going to want to use a service for that second signature.  The service can implement dynamic, real-time updates to its fraud checks in ways that your desktop wallet never can.  I have a lot of paranoia about desktop software.

Mike
Post
Topic
Board Service Discussion
Re: BitGo.com: Really more secure than cold storage?
by
mbelshe
on 11/10/2014, 15:50:40 UTC
Hi Mike,

thanks for taking the time to answer my questions. In general I have to admit I never came across such a well designed and security-confident bitcoin site at all. I am positively surprised and already piped a couple of hundred bitcoin through your service (just bought a car). The best thing is the simplicity of the service. It's secure (yet to be proved) and easy and I can even spend my coins when I'm not at home.

But still, I can't go to bed knowing there might be something I have missed or not under control while having all my funds on BitGo.com.

Why are so many features only for enterprise users and where can I find the pricing? Isn't it wrong to lock out key security features from normal users and still tell them this is more secure than everything else?

Cheers
--vertoe

PS: A few more notes/questions:
- The default setting of the currency (I'm preferring Euro) is not saved in the dashboard after logout.
- Where does BitGo get the current prices from?
- https://bitgo.com/faq/gifts does not work, is it not existing anymore?

Thanks for the kind words.

I understand your nervousness, you should have that with bitcoin.  If it makes you feel better, we hire external security auditors regularly to go over our service and software.

The reason you can't access all of the features is because we aren't really a consumer site; we've been focusing on larger, institutional holders of bitcoin.  I wish it were free for everyone, but it costs us a lot of money to do this, and it just hasn't been our focus.  I hope others will use the bitgo platform & APIs to build consumer based products.  If you are interested, we can get you set up for $19.99/mo with a basic account.  I know it's not free.

To answer your other questions:
* The currency should stick; we'll take a look at that.  (let me know which browser you're in and if you're in private browsing modes)
* Our prices are from bitcoinaverage.com
* The FAQ you stumbled across has some legacy references.  I'll strip those out.

Again, sorry that we don't have everything a consumer or individual would want right now.  I think we're one of the few (only?) bitcoin businesses focused on business needs.

mike
Post
Topic
Board Service Discussion
Re: BitGo.com: Really more secure than cold storage?
by
mbelshe
on 11/10/2014, 05:29:18 UTC
There's also no reason you need a service to do this. All this can be done, for free, securely, using the bitcoind's multi-sig feature.

I'm not trying to promote bitgo, but the idea that you can do multi-signature properly with bitcoind alone is completely untrue.  You at least need some additional software for routing partially signed transactions to appropriate stakeholders, and better yet you need a service that applies fraud detection rules similar to those used at visa, mastercard, paypal, etc.

Things you can't do with bitcoind alone:
a) Basic fraud checks (based on geography, user patterns, etc)
b) Spending limits and velocity limits. 
c) Verify that funds are not being sent to known scam addresses (someday these lists will be as large as email anti-spam blacklists)
d) Enforce specific whitelisted addresses to send to
e) Lockdown transactions to be only originated from certain IP addresses or machines

The list goes on and on.  Granted, if you've only got a couple of bitcoin, you don't need all of these protections.  But, if you've got serious holdings, you absolutely do.  Blanket statements that bitcoind's multi-sig is good enough for all levels seem pretty false to me.

Mike
Post
Topic
Board Service Discussion
Re: BitGo.com: Really more secure than cold storage?
by
mbelshe
on 11/10/2014, 05:15:45 UTC
Hey Vertoe-

Mike from BitGo here with a few thoughts.  We're working hard to up the ante on security, so we really value your skepticism.

You asked a number of questions, so let me try to address them individually.

Issue #1: What if an attacker compromises bitgo.com and changes the JS code to broadcast my keys somewhere?
The core issue here is browser-based javascript.  It's very hard (impossible!) to completely secure.  You've probably read the Matasano analysis on browser-based JS code.  http://matasano.com/articles/javascript-cryptography/  There are many attacks that could lead you to getting bad JS code for your wallet, but I don't think attackers would try to attack BitGo's servers, as that is harder.  The easiest approach is to get a chrome extension to modify the code in the browser.

But the simple answer is to simply not use browser based JS - instead use the Chrome App of BitGo.  You can download it here, and it is not vulnerable to this attack.   https://chrome.google.com/webstore/detail/bitgo/jlgeogaipkoajobchncghcojanffjfhl

But let's suppose you were using the browser version of BitGo and the servers were compromised to serve up bad javascript.  The malicious code would still not be able to access your keys unless it could trick you into initiating a transaction.  Of course, it could lie in wait until you did do a transaction, but until you initiate the transaction and provide your per-wallet passcode, the malicious code would have nothing.

But let's suppose eventually you did type in your passcode and the malicious code got that.  Now the malicious code knows your username, password, your wallet passcode, and your private key.  Even with all this information, the attacker still can't coin arbitrary transactions (see my next note, below).  The problem is that he needs to convince BitGo to sign your transaction as well, and that requires logging into your account, which the attacker can't do thanks to 2-factor authentication, which is required on all accounts.

What the attacker could do, however, would be to wait for you to make a transaction, and then modify the transaction to send to his own address instead of your intended address.  For basic wallets, this would be an effective attack, and as I mentioned before, the protection for this is to use the Chrome App version of Bitgo.  However, for our enterprise-class wallets, this still would not be enough to compromise the account - thanks to BitGo's use of server side spending limits, address whitelisting, and multi-user approval requirements.  The attacker might be able to get the transaction submitted, but a properly configured wallet would not allow BitGo to sign this transaction.  If it did go through, it would be akin to stealing $300 from your ATM for an account that held millions.

Issue #2: I don't believe this is better than cold storage!
Single-signature wallets, even in cold storage, are inherently less secure than any multi-signature, cold storage solution.  If you don't want hot-keys (maybe you don't want to transact on the wallet), simply create your multi-signature wallet with 2 keys that are offline entirely.  In this case, you can't use the BitGo website to transact, of course, but that's what you wanted - cold storage.

The reason this is better than single signature systems is because single-sig systems ultimately put all the key material onto a single machine to sign.  And when you do that, if the machine has malware, your funds can be taken before you press send.  With multi-sig, the two signatures are each applied on separate machines, making it very difficult for an attacker to steal.  Combined with spending limits, this approach can still be used such that if someone does manage to bring one of the offline keys online, they'll still have to get through the other spending rules before an automated signature can be applied.

It is fair to point out that BitGo doesn't have a web-based wizard for provisioning this type of cold, multi-sig wallet.  We'll be improving that soon, but the API does exist, and many customers have used it.


Let me know your thoughts.
Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 05/01/2014, 19:41:59 UTC
Quote
I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

Who did your full audit? I am looking for an auditor myself and it would be nice to grab someone who is now familiar with Bitcoin.

When you start looking around for security auditors, you'll find they make you sign agreements that you can't disclose their name.  This is because if you are ever hacked, they don't want to tarnish their own brand.  Ironic, right?  But I assure you, this is industry standard for these types of things.

But if you are looking for a known and trusted auditor, starting with Matasano (http://www.matasano.com/) is a good start.  It is not cheap.

Mike
Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 05/01/2014, 19:38:24 UTC
I don't get it. Only 2 FA is needed for transactions. So if someone hacks in to an account he can withdraw the coins with just 2 passwords, right?

Incorrect.  2FA is required both for login and transactions.

Mike
Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 05/01/2014, 19:37:03 UTC
People are still using web wallets really? Did we not learn from instawallet, inputs.io, and blockchain.info? I see a couple of problems with this one. How are they generating the 3 keys? If it isn't client side, it isn't safe. If they are holding on to the 3 keys even indirectly they are not safe. It isn't open source, so there is no way to verify or run this service on my own. Also all web wallets will be considered not safe until they implement trezor support.

So again, don't use web wallets; none of them are safe unless you are using a trezor or hardware option to sign the transaction.

The blanket answer of "all web wallets are unsafe" is too black-and-white.  And it's just not true that the only safe way to secure bitcoin is with a Trezor.  (I love the Trezor, by the way, and look forward to getting mine).

But BitGo isn't really a web wallet anyway.  Sure you access it from the web, but it requires 3 independent devices to transact.  So unlike a client-side wallet, where compromising a single machine will steal your bitcoin, BitGo requires 3 machines get hacked before your funds can be taken.  If you consider that 30% of home computers are infected already (source: http://www.infoworld.com/t/cyber-crime/malware-infects-30-percent-of-computers-in-us-199598), this is a pretty important point.  As bitcoin grows, the incentive to steal bitcoin keys grows.  Anyone relying on a single system to host the keys to their bitcoin will be vulnerable, and common users aren't security experts enough to keep away the malware.

So to answer your questions, BitGo strongly believes we should never hold the keys to your account.  We're a backup, and a cosigner, but we never see enough keys to transact.  BitGo today allows you to create one in your browser, import one (public key only) from a 3rd source of your choosing (offline, your existing wallet, etc), and one is created on the BitGo service.  If you use this option, you've used 3 independent sources for key generation which means that your wallet starts out in great shape.  To transact on it with BitGo, you'll need to provide one key, and BitGo provides the second key.  On top of that we use 2FA to your phone to protect against any keylogger type attacks.  This bitcoin address creation process is hard to do - it's a lot of work, and we're still working on making it simpler - but we will stick to our security principles that we should never hold your keys. So there are options for small bitcoin accounts to create two keys in your browser and send one to paper backup.  This is a tradeoff the user can make.

There is another great advantage to the 2-of-3 system which a single key system can't do.  The server can audit who is requesting a transaction by looking at IP addresses, access patterns, enforcing velocity limits, notifying stakeholders of the pending transaction, etc.   All of these features are made possible by being a "web wallet" with a server assisting.   Single key systems simply can't do this.

Regarding open source - you can find some of our source code out here:  https://github.com/BitGo.  The client software is already open source by its very nature - it runs 100% in your browser.

Anyway, I am not stating that BitGo is perfect by any means, so I hope it doesn't sound that way.  With security, you just constantly need to 'raise the bar', and I hope that this solution materially raises it.

If you do see any specific flaws or want to audit our code, I welcome that very much!

Best,
Mike
Post
Topic
Board Bitcoin Discussion
Re: thoughts on Bitgo - the most secure wallet 3-fa
by
mbelshe
on 03/01/2014, 16:47:12 UTC
Get it independently audited by a security expert, and publish the report.

I mean that in all seriousness. Everyone claims their wallet is super-secure; history proves otherwise in many cases ...

This is excellent advice :-)

I'm the creator of BitGo, so I know I am biased.  For what it is worth, we've already done a full external security audit (expensive!) of the software both client and server side.  The operational engineering that has gone into BitGo is also atypical and has been designed from the ground up for bitcoin security.  We'll be doing another audit in the not-too-distant future.  Peer reviews and security reviews are absolutely essential.

I would never be so foolish as to claim that anything is impervious.  But the concepts that we've pioneered in the BitGo architecture have held up to scrutiny so far.  Hopefully these concepts are just a better starting point for anyone building a new wallet going forward.

We love feedback, we know we're not perfect, and we will take seriously any potential exploits or vulnerabilities.  Don't hesitate to reach out to me personally if you have any issues.

Mike Belshe
---
CTO & CoFounder, BitGo, Inc
mike@belshe.com
mike@bitgo.com
Post
Topic
Board Development & Technical Discussion
Re: Feedback on P2SH web wallets
by
mbelshe
on 08/11/2013, 15:32:50 UTC
Fair points.  Note that all wallets have this exact problem too :-)

Which is another way to say that p2sh web wallets have the same problem as anything else (barring offline ones).

Wait - that is definitely not true. :-)

Granted, you did identify that for one type of attack, P2SH doesn't fully protect you.   But you're leaving off the far more common cases where P2SH doesn't have the same problems as standard addresses:

For active attacks, like you described, you're right, P2SH has the same vulnerability as standard addresses.  But as I mentioned, the second machine in the 2-signature process can audit, enforce spending limits, introduce delays, do additional confirmations, etc.  Although this is not a panacea, it's something you can't do with standard addresses.

For idle attacks, which is what we mostly read about these days, P2SH is much stronger than standard addresses.  With standard addresses, hacking a single key system and stealing a single key gives you full access to the entire address, and you can steal the money at any time.  With a multi-signature address, you get nothing from doing this.

Mike
Post
Topic
Board Development & Technical Discussion
Re: Feedback on P2SH web wallets
by
mbelshe
on 08/11/2013, 06:20:01 UTC
Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

I'm totally with you on multisig for wallet security.  That said, I'm unconvinced these privacy measures are worth the inconvenience they incur vs the benefits of having a stable address.  It will be painfully obvious which TX output is change because it's overwhelmingly likely to be the only P2SH output ... there are other signals one could incorporate as well but this one alone would likely be sufficient 99% of the time.

Cool.  Good to know.  You're right that for now the P2SH keys kinda stand out :-)

Right now I'm working on a scheme which uses deterministic wallets to auto-rotate your address in a way that you never have to worry about.  A 2-of-3 P2SH address is simply a set of 3 keys; we can independently rotate them on the client & server predictably such that your addresses change with every transaction in an uncorrelated way without revealing the private keys to the other machine.  It turns out that I need this more for maintaining sane key management than for privacy.  Users do need multiple addresses - and if you've got 2 keys to manage for each address, it's just too much work.

Hopefully P2SH will not be so standout 6 months from now!

If you want to try it out, this is live on bitgo.com now and has been in use for some time.  Send me (or tiffney if you prefer!) an email for an invite.  mike@bitgo.com.

mike
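The key derivation mbelshe sketches in the 2017 BitGo post (applying f to a public key and f to the matching private key yields a new matching pair) and the independent per-key rotation of a 2-of-3 P2SH address described in this post, worked through in Python as an added example; this is not BitGo's code. It uses the BIP32 non-hardened child-key rule on a small pure-Python secp256k1; the three key names and their chain codes are constructed for the example.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def compress(point):
    """33-byte compressed SEC encoding: 0x02/0x03 prefix by y parity, then x."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def child_tweak(parent_pub, chain_code, index):
    """BIP32 non-hardened tweak: left 32 bytes of HMAC-SHA512(chain, serP(K) || i)."""
    data = compress(parent_pub) + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big") % N


def derive_private(parent_priv, chain_code, index):
    """f(K1) = K2: the key holder adds the tweak to its private scalar (mod n)."""
    parent_pub = ec_mul(parent_priv, G)
    return (parent_priv + child_tweak(parent_pub, chain_code, index)) % N


def derive_public(parent_pub, chain_code, index):
    """f(k1) = k2: anyone holding only the public key adds tweak*G to the point."""
    tweak = child_tweak(parent_pub, chain_code, index)
    return ec_add(parent_pub, ec_mul(tweak, G))


def redeem_script_2of3(pubkeys):
    """OP_2 <pk1> <pk2> <pk3> OP_3 OP_CHECKMULTISIG: the script a P2SH address commits to."""
    pushes = b"".join(b"\x21" + compress(pk) for pk in pubkeys)
    return b"\x52" + pushes + b"\x53\xae"


def rotate_wallet(index):
    """Address #index of a constructed 2-of-3 wallet (user, backup and service keys).

    The wallet issues the address from public data alone; each key holder can
    later re-derive its own private child without ever seeing the other two keys.
    """
    names = (b"user-key", b"backup-key", b"service-key")      # constructed for the example
    privs = [int.from_bytes(hashlib.sha256(n).digest(), "big") % N for n in names]
    chains = [hashlib.sha256(b"chain-" + n).digest() for n in names]
    pubs = [ec_mul(k, G) for k in privs]
    child_pubs = [derive_public(pk, c, index) for pk, c in zip(pubs, chains)]
    child_privs = [derive_private(k, c, index) for k, c in zip(privs, chains)]
    return child_pubs, child_privs, redeem_script_2of3(child_pubs)
```

Each index yields a different redeem script, so the P2SH address changes per transaction while the public-only and private derivations stay in agreement.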
Post
Topic
Board Development & Technical Discussion
Re: Feedback on P2SH web wallets
by
mbelshe
on 08/11/2013, 06:09:10 UTC
Phinneas -

That's Tiffney, and she works with me at bitgo!  I'll have to talk with her about your request.

Bitgo.com is the one true BitGo, I think.  But it does appear to be a popular name, with similar sounding names popping up in canada and israel that are unrelated.
Post
Topic
Board Project Development
Re: [PROPOSAL] A possible improvement to the security of brain wallets?
by
mbelshe
on 07/11/2013, 23:07:59 UTC
Hey Sarchar -

I think you and I have been thinking the same thing :-)

I have an online version of this implemented at bitgo.  https://bitgo.com.  It probably doesn't offer all the combinations of key creation that you're looking for yet, but send me an email (mike@bitgo.com) and I'll send you an invite.  Would love to get more feedback.

mike

Post
Topic
Board Development & Technical Discussion
Re: Feedback on P2SH web wallets
by
mbelshe
on 07/11/2013, 20:30:59 UTC
The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?
It's a hard problem because even experts can't guarantee security, and as their services become more popular the incentives for thieves to spend a lot of resources breaking their systems only increases.

I agree with you on that!!!

In this system, even if the server is hacked, the attacker can't get your coins.  The server only has one key, but you need two to access the funds.  So although you lost one key, you've still got the same level of protection as you would have had with a client-side single key address.

Mike
Post
Topic
Board Development & Technical Discussion
Re: Feedback on P2SH web wallets
by
mbelshe
on 07/11/2013, 20:26:41 UTC
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) with one that sends all funds to the attacker. The user doesn't know this; she enters 2FA and encryption key believing everything's ok.

—Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only in the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

dserrano is right - there are some types of attacks you can't catch.  He suggests a real-time attack, where you wait for the user to transact, and then change the contents of the transaction (depending on the API this could be a client-side or server-side attack).  For example, you may be able to change the destination address without the user noticing.  Of course, all wallets, even local ones, are susceptible to this attack today.  But with the client/server hybrid, the server can act as your co-signer and make sure it at least fits the right parameters.  In the future, I believe you could use this same mechanism to send to a human co-signer (like a business partner) for a human verification.

But, I think the P2SH address, used either web-based or locally is fundamentally stronger than a single-key address.

Mike
Post
Topic
Board Development & Technical Discussion
Re: Feedback on P2SH web wallets
by
mbelshe
on 07/11/2013, 20:18:26 UTC
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) with one that sends all funds to the attacker. The user doesn't know this; she enters 2FA and encryption key believing everything's ok.

—Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Fair points.  Note that all wallets have this exact problem too :-)

But the p2sh wallet offers some real hope.  The user can specify on the server spending limits or authorized accounts that he/she is willing to transact to.  After the client coins the transaction, the server can validate that everything looks okay, before applying its signature.

Nothing is perfect, but you can't do this at all with a standard bitcoin address.

The payment protocol (with authenticated recipients) would help with users not noticing that funds are being siphoned to an attacker's address.

Mike
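The server-side checks mbelshe describes in this post and in the "Really more secure than cold storage?" replies (spending limits, velocity limits, address whitelists, known-scam lists, origin-IP restrictions and a second human approval) as a co-signer policy evaluator in Python, added here as an example and not BitGo's code. Addresses, IPs, amounts and the spend history are constructed placeholders, and the "approve" outcome (hold for a second approver) is this example's own convention.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SAT = 100_000_000  # satoshis in one bitcoin


@dataclass
class Policy:
    """Rules the co-signing server enforces before adding its signature."""
    per_tx_limit: int                                 # satoshis; above this a second approver is needed
    daily_limit: int                                  # satoshis over a rolling 24 h window (velocity)
    own_addresses: set = field(default_factory=set)   # the wallet's own change addresses
    whitelist: set = field(default_factory=set)       # empty means any destination is allowed
    blocklist: set = field(default_factory=set)       # known scam addresses
    allowed_ips: set = field(default_factory=set)     # empty means any origin IP is allowed


@dataclass
class Proposal:
    """The exact transaction the client built and half-signed; the server signs this or nothing."""
    outputs: list               # [(address, satoshis), ...]
    source_ip: str
    submitted_at: datetime


def evaluate(policy, proposal, history):
    """Decide whether the server applies its signature to the proposal as submitted.

    history: [(datetime, satoshis), ...] of spends the server already co-signed.
    Returns (decision, reason); decision is "sign", "approve" (hold for a second
    human approver) or "reject".
    """
    if policy.allowed_ips and proposal.source_ip not in policy.allowed_ips:
        return "reject", f"origin {proposal.source_ip} is not an allowed IP"
    external = [(a, v) for a, v in proposal.outputs if a not in policy.own_addresses]
    for addr, _ in external:
        if addr in policy.blocklist:
            return "reject", f"destination {addr} is on the scam list"
        if policy.whitelist and addr not in policy.whitelist:
            return "reject", f"destination {addr} is not whitelisted"
    amount = sum(v for _, v in external)
    since = proposal.submitted_at - timedelta(hours=24)
    recent = sum(v for ts, v in history if ts > since)
    if recent + amount > policy.daily_limit:
        return "reject", "24 h velocity limit exceeded"
    if amount > policy.per_tx_limit:
        return "approve", "above per-transaction limit; second approver required"
    return "sign", "within policy"


def run_sample():
    """Constructed wallet policy, spend history and proposals; returns the decision per case."""
    policy = Policy(per_tx_limit=1 * SAT, daily_limit=3 * SAT,
                    own_addresses={"change-1"},
                    whitelist={"merchant-1", "exchange-1"},
                    blocklist={"scam-1"},
                    allowed_ips={"203.0.113.7"})
    now = datetime(2014, 10, 11, 16, 0)
    history = [(now - timedelta(hours=2), 15 * SAT // 10),   # 1.5 BTC two hours ago
               (now - timedelta(days=2), 5 * SAT)]           # outside the 24 h window
    ip = "203.0.113.7"
    cases = {
        "normal": Proposal([("merchant-1", SAT // 2), ("change-1", 2 * SAT)], ip, now),
        "swapped": Proposal([("attacker-1", SAT // 2)], ip, now),  # malware replaced the destination
        "scam": Proposal([("scam-1", SAT // 2)], ip, now),
        "velocity": Proposal([("exchange-1", 2 * SAT)], ip, now),
        "large": Proposal([("exchange-1", 12 * SAT // 10)], ip, now),
        "foreign-ip": Proposal([("merchant-1", 1000)], "198.51.100.9", now),
    }
    return {name: evaluate(policy, p, history)[0] for name, p in cases.items()}
```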