by BrokenPipe
4481 days ago
Our FAQ: https://greenaddress.it/faq. We have a Chrome app, non-minified and open source, on GitHub.
That client is local and no JS can be injected, as it connects via ws. Furthermore, it verifies data against the Electrum network and provides nLocktime transactions unlocking your funds.

2) You control the distribution keys for the silently updating Chrome app, and your signing key, which means all you need is the end-user's signing key to empty people's wallets -- which you (or any adversary that compromises you!) can get by pushing a Chrome app update.
3) Unless you are actually pushing users to use externally downloaded, NON-AUTOUPDATING, code signed applications by default, you're making users insecure by default. An open source client on GitHub doesn't do anyone any good if your default is to strip away crypto-currency's security. This is no different than Microsoft's previous policy of shipping insecure services enabled by default.
Essentially, this boils down to "trust us" -- you control the infrastructure that protects one half of the signing keys, and you already have access to the other half.
It'd make a helluva lot more sense if a locally installed client was maintained by a trusted third-party, and it was the default user mode.
Cloud-focused web people are undermining the promise of bitcoin by simply not understanding why the cloud is so dangerous, whether we're talking about user data (creating a vast treasure trove for the government), or money.