Pedro Worcel [ARCHIVE] on Nostr: 📅 Original date posted:2015-02-02 📝 Original message:Where would you verify ...
📅 Original date posted:2015-02-02
📝 Original message:Where would you verify that?
On 2/3/2015 10:03 AM, Brian Erdelyi wrote:
> Joel,
>
> The mobile device should show you the details of the transaction (i.e.
> amount and bitcoin address). Once you verify this is the intended
> recipient and amount you approve it on the mobile device. If the
> address was replaced, you should see this on the mobile device as it
> won’t match where you were intending to send it. You can then not
> provide the second signature.
>
> Brian Erdelyi
>
>> On Feb 2, 2015, at 4:57 PM, Joel Joonatan Kaartinen
>> <joel.kaartinen at gmail.com <mailto:joel.kaartinen at gmail.com>> wrote:
>>
>> If the attacker has your desktop computer but not the mobile that's
>> acting as an independent second factor, how are you then supposed to
>> be able to tell you're not signing the correct transaction on the
>> mobile? If the address was replaced with the attacker's address,
>> it'll look like everything is ok.
>>
>> - Joel
>>
>> On Mon, Feb 2, 2015 at 9:58 PM, Brian Erdelyi
>> <brian.erdelyi at gmail.com <mailto:brian.erdelyi at gmail.com>> wrote:
>>
>>
>> > Confusing or not, the reliance on multiple signatures as
>> offering greater security than single relies on the independence
>> of multiple secrets. If the secrets cannot be shown to retain
>> independence in the envisioned threat scenario (e.g. a user's
>> compromised operating system) then the benefit reduces to making
>> the exploit more difficult to write, which, once written, reduces
>> to no benefit. Yet the user still suffers the reduced utility
>> arising from greater complexity, while being led to believe in a
>> false promise.
>>
>> Just trying to make sure I understand what you’re saying. Are
>> you eluding to that if two of the three private keys get
>> compromised there is no gain in security? Although the
>> likelihood of this occurring is lower, it is possible.
>>
>> As more malware targets bitcoins I think the utility is evident.
>> Given how final Bitcoin transactions are, I think it’s worth
>> trying to find methods to help verify those transactions (if a
>> user deems it to be high-risk enough) before the transaction is
>> completed. The balance is trying to devise something that users
>> do not find too burdensome.
>>
>> Brian Erdelyi
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot
>> Media, is your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and
>> more. Take a
>> look and join the conversation now.
>> http://goparallel.sourceforge.net/
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development at lists.sourceforge.net
>> <mailto:Bitcoin-development at lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150203/3878832d/attachment.html>
📝 Original message:Where would you verify that?
On 2/3/2015 10:03 AM, Brian Erdelyi wrote:
> Joel,
>
> The mobile device should show you the details of the transaction (i.e.
> amount and bitcoin address). Once you verify this is the intended
> recipient and amount you approve it on the mobile device. If the
> address was replaced, you should see this on the mobile device as it
> won’t match where you were intending to send it. You can then not
> provide the second signature.
>
> Brian Erdelyi
>
>> On Feb 2, 2015, at 4:57 PM, Joel Joonatan Kaartinen
>> <joel.kaartinen at gmail.com <mailto:joel.kaartinen at gmail.com>> wrote:
>>
>> If the attacker has your desktop computer but not the mobile that's
>> acting as an independent second factor, how are you then supposed to
>> be able to tell you're not signing the correct transaction on the
>> mobile? If the address was replaced with the attacker's address,
>> it'll look like everything is ok.
>>
>> - Joel
>>
>> On Mon, Feb 2, 2015 at 9:58 PM, Brian Erdelyi
>> <brian.erdelyi at gmail.com <mailto:brian.erdelyi at gmail.com>> wrote:
>>
>>
>> > Confusing or not, the reliance on multiple signatures as
>> offering greater security than single relies on the independence
>> of multiple secrets. If the secrets cannot be shown to retain
>> independence in the envisioned threat scenario (e.g. a user's
>> compromised operating system) then the benefit reduces to making
>> the exploit more difficult to write, which, once written, reduces
>> to no benefit. Yet the user still suffers the reduced utility
>> arising from greater complexity, while being led to believe in a
>> false promise.
>>
>> Just trying to make sure I understand what you’re saying. Are
>> you eluding to that if two of the three private keys get
>> compromised there is no gain in security? Although the
>> likelihood of this occurring is lower, it is possible.
>>
>> As more malware targets bitcoins I think the utility is evident.
>> Given how final Bitcoin transactions are, I think it’s worth
>> trying to find methods to help verify those transactions (if a
>> user deems it to be high-risk enough) before the transaction is
>> completed. The balance is trying to devise something that users
>> do not find too burdensome.
>>
>> Brian Erdelyi
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot
>> Media, is your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and
>> more. Take a
>> look and join the conversation now.
>> http://goparallel.sourceforge.net/
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development at lists.sourceforge.net
>> <mailto:Bitcoin-development at lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150203/3878832d/attachment.html>