Couple things about multisigs:
1.) They're not as secure as they've been paraded out to be. The one problem they do help address quite nicely is they make bitcoin more trustless, and *help* ensure the site owner can't steal user funds. Please note though, it's only a few lines of Javascript that have to be added by either the site owner or a hacker, and they will have full access to the funds of all new users. There have already been some reports of injection attacks, and I'm sure there will be more to come.
Y U always do this? Small technical issues like this are always identified and squashed in short order when it comes to bitcoin. One person is going to get injected and stolen from, a raging post will go up on reddit, and the following day some coder will have solved the problem... That's just business as usual in bitcoinland.
And most of these wallet services seem to use a 12-word mnemonic password, which means about an 8-14 character password, which in my mind isn't overly secure. To get to a user's funds you need a) the company password / seed, which will be sitting in their database somewhere, and b) that 8-14 character user password, which is usually sitting in their browser. If a hacker gets those two things, a customer's funds are gone.
Good seedmaking practices is surely something people are going to be teaching very soon.
I was looking through Bitcore from Bitpay yesterday and realized how easy it's going to be for hackers to do batch/bulk inspecting of the contents of wallets in seed-generated wallets. Rest assured anyone with an easy 12-word mnemonic password is going to have their funds stolen. These services still using that archaic system will either upgrade or teach how to make them far safer than an 8-14 character password is.
And to top it off, it's very reliant on the client side, and most people who know what they're talking about will tell you that's a really bad idea. These multisig wallets are coming out because people are sick and tired of a site owner running off with a user's funds, and this helps ensure that can't happen. Don't confuse that with actual security though.
Again, issues that tech improvements will eradicate. I've heard Andreas talk on how to fix this very issue, so you can be sure there's already 100 different coding projects started up with different approaches on eradicating it asap.
2.) Adoption is unfortunately slower than many people would like to see. For the past while I've been stuck watching the transactions and blocks flow through the network, and you don't see many multisigs. You do see them, but they're few and far between. And a multisig and standard transaction have a couple key differences, so it's easy to point them out as they flow through the blockchain.
This is going to be a perfect example of Hemingway's famous quote:
"It will happen gradually, then suddenly."
The ability to truly use multisigs has only been around since the latest bitcoin core update, I believe 4 months ago. Since then shittons of different companies have said that they're going to offer a multisig solution, and BitGo seems to be the first to do it well. Meanwhile, BitPay says they'll offer theirs soon, and blockchain is working on theirs as well.
With those kinds of guns working on multisig all at once, I have no doubt whatsoever that they'll iron out every last bug from multisig within a few months, and bitcoin wallets will no longer be something that hackers find easy pickings. It'll become big-resource business again, like bulk credit card DB hacks are (but far less frequent), because they'll need to hack in and steal both the customer's privkey and the provider's privkey AND match them together to see a payday. That isn't going to be as easy as CC DB breaches are today at all.
---------------------------------------------------
I do agree with you now that bitcoin will always be #1 for various reasons:
1.) So far, all the altcoins are just cheap knockoffs of bitcoin. They take bitcoind, change a few configuration parameters, slap a new logo on it, maybe add a new PoW concept, and call it a new coin. They're generally just shitty knockoffs of bitcoin.
2.) Bitcoin has all the talent. The core devs are really intelligent guys who know their stuff, and there's zero chance of them leaving bitcoin. Guys like dogecoin don't have developers of that caliber, and never will.
3.) Well, bitcoin has all the investor and VC interest, merchant adoption, etc. A new coin trying to compete with that is in for quite the uphill battle. It's like a new search engine trying to knock out Google.
Yes! You're starting to come around... Remember though: there is a robust incentive structure between merchant adoption, consumer adoption, and miners.
- More merchants accepting bitcoin makes bitcoin more attractive to more consumers. ->
- The more consumers that buy bitcoin raises the price of a bitcoin which is attractive to miners. ->
- The more hashing power that miners add to bitcoin makes it more secure for merchants to want to adopt it. ->
- Goto 10
It's a self-enforcing, positive feedback loop that simply will not stop growing until bitcoin is accepted by all merchants on the planet. This was Satoshi's plan from the beginning. That bitcoin from LiamLennon above is an extremely safe bet.
US Marshals are auctioning off the SR1 coins on the 27th
USMS Asset Forfeiture Sale
Excellent. I'm thrilled for the fedcoats to no longer own those coins. Here's hoping that most of them are sold to believers and not quick-flippers.
Luke, what do you think of ghash.io getting 51% of the hash rate? This could end badly, eh? So far they haven't done anything nefarious, although I have seen some reports of double spends. That, and they managed to get a 0 transaction block confirmed a few days back, hence got 25 BTC free.
It's an interesting situation, best summed up by this reddit image:
And all these people forget totally what Andreas said here:
Andreas Antonopoulos Says States Can't Stop Bitcoin - YouTube: http://www.youtube.com/watch?v=yWTQgmCuiCw
Nevertheless, they make threads like these, offering 25 Bitcoin bounties to solve the problem:
This is RIDICULOUS. Andreas Antonopoulos, I will personally pay you 25BTC if start the conversation on Eliminating Pools & Solo Miners w/ frequent payouts... : Bitcoin
Ugh, it's a clusterfuck, but it's more a problem with reality not keeping up with our idealism than it is one of actual security.
I guess in a couple more cycles Cex.io will have some competition and we can put this one to rest. I'm not worried at all though; Cex.io has far more to lose than gain by counterfeiting a single transaction, even if they could get away with it.
Oh, and confirmed with one of the core bitcoind devs -- this whole multisig thing you're excited about is bullshit. I was wracking my brain with it, but just didn't see it, so questioned it. Sure enough, it's bullshit, and more or less just a marketing gimmick.
I get MY info from the bitcoin devs, so I'd really like to see your source on this. Both Gavin & Andreas still seem gung-ho on multisig, as far as I can see. Wladimir van der Laan, the new core dev, doesn't seem to have said anything lately about it.
This whole push of "we don't see your password, because it's encrypted in your browser" doesn't improve security at all. If anything, I would argue that it weakens it because a) it adds more points of attack, b) it passes responsibility for network security onto the user, c) it doesn't stop a nefarious site owner from stealing funds, and d) it doesn't change the fact that if the server is compromised, so are all user funds.
Again, details that will be solved as soon as they need to be. Does the encryption need to happen at any level other than simply sending the co-signer service their privkey? Certainly that is doable... Just have a local app generate the 3 signatures, print the storage signature immediately without showing it on the screen, and wrap one in GPG and send it manually to the approved address for that co-signer service, deleting all trace of it from your computer immediately afterwards.
You wouldn't ever need the 3rd key back; once the co-signer has it, that wallet exists between your computer and theirs and it should never be modified/moved in any way. Luckily, even multisig addresses are disposable so this is a good thing, as Satoshi had wanted.