What kind of security concern would there be with using JS to implement your wallet? Or building the wallet yourself as opposed to a solution with updates and whatnot?
This introduction appears to be geared toward experimentation rather than production use. However, using JS server-side with node would be solely dependent on the implementation (the same as using any other language). Client-side (in-browser) adds all the usual client-side JavaScript crypto caveats¹.
Looking at the two popular web wallets as an example. Blockchain.info and Coinbase. Blockchain.info is a client-side wallet implemented in JS Keys are encrypted client-side and encrypted keys stored in the server. There are good good benefits there because if blockchain.info is hacked, your keys are still with you and not compromised (Different story if the server starts serving malicious JS though)
The server-side wallet approach means that if their hot wallets gets hacked, all the funds will be gone.
Initially did not see anything thanks to Ghostery + RequestPolicy. Since all the JavaScript disablers tend to trigger the haterade dispensers, I also checked to see whether or not they had anything in place for the search bots:
Building static pages using a javscript framework seems to be the new thing. Doesn't really make sense to me - this page is hardly dynamic (as opposed to a single page app).
I assume your point is to justify the fact that this page does not load if JavaScript is disabled, because the domain has a web app on it at a separate URL? It is possible to have both static document pages, viewable without JavaScript, and a web application that requires JavaScript to function.
I thought several times about building a bitcoin wallet but I'm just too worried that I'll get something wrong and either lose a key or accidentally make a transaction that loses coins so decided not to risk it even for my own use. I'd frankly be terrified to let anyone else risk their own money on something like that without extreme levels of code review etc.
These kind of handson tutorials are awesome. You can just copy/paste and run the code inside the browser console and see your transaction propagate to the network. I wish more tutorials were as easily 'runnable'.
This is fine for learning about Bitcoin, but don't use this is in production. No matter how secure you think you are, someone can likely get into your server and serve their own JavaScript (making your clients send all their money and/or keys). Also, this tutorial uses a Bitcoin centralized service to communicate with the network, and you have to trust that they won't feed you false information/withhold transactions/perform malleability attacks.
16 comments
[ 3.4 ms ] story [ 50.7 ms ] thread¹ http://www.matasano.com/articles/javascript-cryptography/
The server-side wallet approach means that if their hot wallets gets hacked, all the funds will be gone.
https://www.google.com/#q=site:helloblock.io+how+to+build+a+...
Too bad, as 'building a bitcoin wallet' is certainly worth ranking for (and the content is certainly high quality)!Well if that happens you're in deep shit in any case whether you use this service or not...