Where would you verify that?
On 2/3/2015 10:03 AM, Brian Erdelyi wrote:
Joel,
The mobile device should show you the details of the transaction (i.e.
amount and bitcoin address). Once you verify this is the intended
recipient and amount you approve it on the mobile device. If the
address was replaced, you should see this on the mobile device as it
won’t match where you were intending to send it. You can then not
provide the second signature.
Brian Erdelyi
On Feb 2, 2015, at 4:57 PM, Joel Joonatan Kaartinen
<joel.kaarti...@gmail.com> wrote:
If the attacker has your desktop computer but not the mobile that's
acting as an independent second factor, how are you then supposed to
be able to tell you're not signing the correct transaction on the
mobile? If the address was replaced with the attacker's address,
it'll look like everything is ok.
- Joel
On Mon, Feb 2, 2015 at 9:58 PM, Brian Erdelyi
<brian.erde...@gmail.com> wrote:
> Confusing or not, the reliance on multiple signatures as
> offering greater security than single relies on the independence
> of multiple secrets. If the secrets cannot be shown to retain
> independence in the envisioned threat scenario (e.g. a user's
> compromised operating system) then the benefit reduces to making
> the exploit more difficult to write, which, once written, reduces
> to no benefit. Yet the user still suffers the reduced utility
> arising from greater complexity, while being led to believe in a
> false promise.
Just trying to make sure I understand what you’re saying. Are
you alluding to that if two of the three private keys get
compromised there is no gain in security? Although the
likelihood of this occurring is lower, it is possible.
As more malware targets bitcoins I think the utility is evident.
Given how final Bitcoin transactions are, I think it’s worth
trying to find methods to help verify those transactions (if a
user deems it to be high-risk enough) before the transaction is
completed. The balance is trying to devise something that users
do not find too burdensome.
Brian Erdelyi
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot
Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and
more. Take a
look and join the conversation now.
http://goparallel.sourceforge.net/
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
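
An added example, not part of the thread or of any wallet's code: a sketch of the check a second device could run before providing its signature, as described in the first quoted message. It assumes a legacy-format raw transaction and that the intended payee script and amount reach the device independently of the desktop (the point questioned in the thread); `parse_outputs`, `should_cosign` and the sample data are hypothetical names and constructed values.

```python
import struct

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw):
    """Return [(satoshis, scriptPubKey)] from a legacy-format raw transaction."""
    pos = 4                                   # skip 4-byte version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # previous txid (32) + output index (4)
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                       # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        outputs.append((value, raw[pos:pos + slen]))
        pos += slen
    if pos + 4 != len(raw):                   # only the 4-byte locktime may remain
        raise ValueError("malformed transaction")
    return outputs

def should_cosign(raw, intended_script, intended_sats, change_scripts=frozenset()):
    """Approve only if the sole non-change output is exactly what the user intended."""
    try:
        outputs = parse_outputs(raw)
    except (ValueError, IndexError):
        return False                          # unparseable: withhold the second signature
    payments = [(v, s) for v, s in outputs if s not in change_scripts]
    return payments == [(intended_sats, intended_script)]

# --- constructed sample data (not real addresses or transactions) ---
def p2pkh(hash160):
    return b"\x76\xa9\x14" + hash160 + b"\x88\xac"

def build_tx(outputs):
    tx = struct.pack("<I", 1) + b"\x01" + bytes(36) + b"\x00" + struct.pack("<I", 0xffffffff)
    tx += bytes([len(outputs)])
    for value, script in outputs:
        tx += struct.pack("<Q", value) + bytes([len(script)]) + script
    return tx + struct.pack("<I", 0)

PAYEE, CHANGE, ATTACKER = p2pkh(b"\x11" * 20), p2pkh(b"\x33" * 20), p2pkh(b"\x22" * 20)
```

The check is only as strong as the independence of `intended_script`: if the device learns the payee from the same compromised desktop that built the transaction, a replaced address passes.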