16 comments

[ 3.4 ms ] story [ 50.7 ms ] thread
What kind of security concern would there be with using JS to implement your wallet? Or building the wallet yourself as opposed to a solution with updates and whatnot?
This introduction appears to be geared toward experimentation rather than production use. However, using JS server-side with node would be solely dependent on the implementation (the same as using any other language). Client-side (in-browser) adds all the usual client-side JavaScript crypto caveats¹.

¹ http://www.matasano.com/articles/javascript-cryptography/

Looking at the two popular web wallets as an example. Blockchain.info and Coinbase. Blockchain.info is a client-side wallet implemented in JS Keys are encrypted client-side and encrypted keys stored in the server. There are good good benefits there because if blockchain.info is hacked, your keys are still with you and not compromised (Different story if the server starts serving malicious JS though)

The server-side wallet approach means that if their hot wallets gets hacked, all the funds will be gone.

A lot of casinos and exchanges are using blockchain.info as a hot wallet instead of rolling their own multi sig hot wallet. Crazy risk
Generally server-side wallets don't keep all user funds online. Most are stored offline in cold storage, which requires multiple signatures to access.
They still have to keep at least the amount the richest user owns online in case that user decides to withdraw all their coins.
Initially did not see anything thanks to Ghostery + RequestPolicy. Since all the JavaScript disablers tend to trigger the haterade dispensers, I also checked to see whether or not they had anything in place for the search bots:

https://www.google.com/#q=site:helloblock.io+how+to+build+a+...

  > Your search - site:helloblock.io how to build a bitcoin wallet - 
  > did not match any documents. 
Too bad, as 'building a bitcoin wallet' is certainly worth ranking for (and the content is certainly high quality)!
Building static pages using a javscript framework seems to be the new thing. Doesn't really make sense to me - this page is hardly dynamic (as opposed to a single page app).
There's also a block explorer - https://helloblock.io/latest
I assume your point is to justify the fact that this page does not load if JavaScript is disabled, because the domain has a web app on it at a separate URL? It is possible to have both static document pages, viewable without JavaScript, and a web application that requires JavaScript to function.
I thought several times about building a bitcoin wallet but I'm just too worried that I'll get something wrong and either lose a key or accidentally make a transaction that loses coins so decided not to risk it even for my own use. I'd frankly be terrified to let anyone else risk their own money on something like that without extreme levels of code review etc.
(comment deleted)
These kind of handson tutorials are awesome. You can just copy/paste and run the code inside the browser console and see your transaction propagate to the network. I wish more tutorials were as easily 'runnable'.
This is fine for learning about Bitcoin, but don't use this is in production. No matter how secure you think you are, someone can likely get into your server and serve their own JavaScript (making your clients send all their money and/or keys). Also, this tutorial uses a Bitcoin centralized service to communicate with the network, and you have to trust that they won't feed you false information/withhold transactions/perform malleability attacks.
> No matter how secure you think you are, someone can likely get into your server

Well if that happens you're in deep shit in any case whether you use this service or not...

Good tutorial and good service. Interested in seeing Part 2: Manage Addresses/Keys