NEW YORK (InsideBitcoins) — Many in the bitcoin community have been pointing out various security and technical issues with the Blockchain.info wallet for quite some time, and it appears that these problems are finally catching up with the online bitcoin wallet provider. Amid reports of hacked accounts, a questionable mixing service, and a variety of other security-related issues, the team behind bitcoin.org has decided to remove Blockchain.info from the recommended wallets section of the website.
So what has gone wrong with one of the most widely-used bitcoin wallets on the market?
Malicious Tor exit nodes
A problem involving malicious Tor exit nodes could be viewed as the most serious issue with the Blockchain.info wallet. An exit node sits between the Tor network and the destination site and handles the traffic in the clear unless the site's TLS is verified correctly, so for a period any exit node operator could attempt a man-in-the-middle attack against a user who reached the blockchain.info website through Tor. To Blockchain's credit, this issue has already been dealt with through the creation of a Tor hidden service for their bitcoin wallet; a hidden service is reached entirely inside the Tor network, so no exit node ever carries the traffic. Before they launched the hidden service, Blockchain.info blocked all Tor traffic as a short-term measure.
Delays on source code updates
Another complaint about the Blockchain.info wallet has been the team's failure to update their public code repositories in a timely manner. In many instances it would have been inaccurate to call the Blockchain wallet open source in any meaningful sense, because the code actually served to users did not match what was available in the public GitHub repository, so nobody could audit the code they were really running. While nobody has suggested malicious intent behind this discrepancy, the delays in updating those public repositories were still unnerving for a chunk of the bitcoin community.
Blockchain now has a separate website where users can confirm that the code running on the blockchain.info website is the same code that is hosted in their public repository.
Falling behind on best practices
Blockchain.info has also fallen behind when it comes to security features for their users. For example, users of the Blockchain wallet cannot take advantage of multisig addresses, where spending requires signatures from m of n separate keys, so the compromise of a single key or device is not enough to steal the funds. While Coinbase, Coinkite, GreenAddress, and other bitcoin wallet providers have been trumpeting the benefits of multisig for their users, Blockchain.info has still not added the ability to require multiple keys for a single address.
Many in the bitcoin community are also waiting for Blockchain.info to implement BIP 32, which defines hierarchical deterministic (HD) wallets. These wallets derive an unlimited number of private keys and addresses from a single seed, so a wallet needs to be backed up only once, and it can be moved to other wallet software with nothing more than the seed, typically written down as a twelve-word mnemonic phrase as specified in BIP 39. The flip side is that anyone who obtains the seed obtains every key derived from it. Ethereum creator Vitalik Buterin has a summary of the advantages and possible issues with deterministic wallets over at Bitcoin Magazine. In a response to some criticisms on the Bitcoin.org GitHub repository, Blockchain CTO Ben Reeves mentioned that BIP32 support should be coming in early 2015.
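To make the HD wallet idea concrete, here is an added example, written for this article and not Blockchain.info's code, of the BIP32 derivation itself: one seed yields a master key, hardened children that need the private key, and non-hardened children that a watch-only server can derive from public data alone. The seed is the one from BIP32 test vector 1 so the output can be compared with the published vectors; the secp256k1 arithmetic is plain Python, not constant time, and is for illustration only.

```python
"""Minimal BIP32 derivation, illustrative only: plain-Python secp256k1 that is
not constant time and not audited. Never use it with real funds."""
import hashlib
import hmac

# secp256k1 domain parameters (Bitcoin's curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None                       # p == -q
    if p == q:                            # doubling
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, point=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def ser_p(point):
    """33-byte compressed public key encoding used throughout BIP32."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def master_from_seed(seed):
    """Master key = HMAC-SHA512(key=b"Bitcoin seed", data=seed) -> (k, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= N:
        raise ValueError("seed yields an invalid master key; pick another seed")
    return k, digest[32:]

def ckd_priv(k_par, c_par, i):
    """CKDpriv. Hardened children (i >= 2^31) mix in the parent private key,
    so they can never be derived from the parent public key."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(ec_mul(k_par)) + i.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k_i = (il + k_par) % N
    if il >= N or k_i == 0:
        raise ValueError("invalid child at index %d; skip to the next index" % i)
    return k_i, digest[32:]

def ckd_pub(K_par, c_par, i):
    """CKDpub: what a watch-only server holding only an xpub can compute."""
    if i >= HARDENED:
        raise ValueError("hardened children need the parent private key")
    data = ser_p(K_par) + i.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    K_i = ec_add(ec_mul(il), K_par)
    if il >= N or K_i is None:
        raise ValueError("invalid child at index %d; skip to the next index" % i)
    return K_i, digest[32:]

def derive_path(seed, path):
    """Walk a path such as m/0'/1 from the seed; ' or h marks a hardened index."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    k, c = master_from_seed(seed)
    for part in parts[1:]:
        index = int(part.rstrip("'hH")) + (HARDENED if part[-1] in "'hH" else 0)
        k, c = ckd_priv(k, c, index)
    return k, c

def receive_pubkeys_from_xpub(K, c, count):
    """`count` compressed receive keys derived from public data only."""
    return [ser_p(ckd_pub(K, c, i)[0]).hex() for i in range(count)]

def receive_pubkeys_from_xprv(k, c, count):
    """The same keys from the private side; must agree with the xpub list."""
    return [ser_p(ec_mul(ckd_priv(k, c, i)[0])).hex() for i in range(count)]

if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # BIP32 test vector 1 seed
    k, c = derive_path(seed, "m/0'")       # hardened account-level key
    print(receive_pubkeys_from_xprv(k, c, 3))
    print(receive_pubkeys_from_xpub(ec_mul(k), c, 3))
```

The two printed lists are identical, which is the property that lets a web service hand out fresh receiving addresses from an xpub without ever holding the private keys; the hardened step at the account level is what stops a leaked child private key plus the account chain code from exposing the parent.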
Blockchain.info has also been criticized for not forcing two-factor authentication on new accounts, but there are instances where someone who only has access to one device may want to create a Blockchain wallet. As a compromise, Blockchain has decided to force two-factor authentication via email for all accounts that tie their email address to their Blockchain wallet account.
A new security disclosure
To top it all off, Blockchain recently disclosed that an update of their wallet software weakened the way new private keys were generated for users of the web wallet. Users of the Android, iOS, and Chrome apps were not affected, and the issue was quickly resolved in a follow-up update. This latest issue has led some bitcoin developers and researchers to question the depth of Blockchain's code review process.
— Peter Todd (@peterktodd) December 8, 2014
Switching wallets may not be the right solution
One thing to keep in mind before you decide to jump ship is that Blockchain.info is still the longest-standing wallet provider in the bitcoin industry. Although its reputation has taken a few hits recently, it still has a proven track record when it comes to online bitcoin wallets. The team behind the Blockchain wallet has largely set the standard for everyone else to follow.
It’s important to remember that many other wallet providers are still young and untested. If anything, this situation may have shown the bitcoin community that we are not quite ready for the mainstream adoption that so many of us desire.
As always, it should be mentioned that it's best to keep large bitcoin holdings in some form of cold storage, with the private keys generated and kept on a device that never touches the internet.
Editor’s note: We asked Blockchain.info’s CEO Nicolas Cary for his comments and he told Inside Bitcoins:
“There is always a tradeoff between convenience and security. We try to keep the barriers to wallet creation as low as possible so anyone in the world can create a Bitcoin wallet for free. We provide software that lets users manage and spend their own Bitcoins, without tracking, interference or permission. This also means that to a certain extent, our role is limited to educating users about best practices and innovating security features. To this end, we are developing tools that will help users learn about security and audit their own security.”
You can follow @kyletorpey on Twitter.
Walk/Don’t Walk photo credit: nickjeffery