Author: Brian Erdelyi 2015-02-02 21:03:42
Published on: 2015-02-02T21:03:42+00:00
In an email exchange between Joel Joonatan Kaartinen and Brian Erdelyi, Joel asked how a user can verify that they are signing the correct transaction on their mobile device when the attacker has access to their desktop computer but not the mobile device. Brian responded that treating multiple signatures as more secure than a single signature relies on the independence of the multiple secrets. He added that if the secrets cannot be shown to retain independence in the envisioned threat scenario, then the benefit reduces to making the exploit more difficult to write, and once the exploit is written, the benefit reduces to nothing. Brian explained that although it is less likely that two of the three private keys will be compromised, it is still possible. As more malware targets bitcoins, he believes that finding methods to help verify those transactions before completion is worth trying. However, he stated that the balance lies in devising something that users do not find too burdensome.

To address Joel's concern, Brian stated that the mobile device should show the details of the transaction, such as the amount and bitcoin address. Once the user has verified these details, they can approve the transaction on the mobile device. If the address was replaced, the user would see this on the mobile device, because it would not match where they intended to send the funds, and they can choose not to provide the second signature.
Updated on: 2023-06-09T16:12:35.946061+00:00