BitGo Multisig: A Stranger, His Friend, and You

Bitcoin is rife with idealism; wild, frivolous idealism that can be wholly energizing, intoxicating, and invigorating, but as is far too often the case, taken advantage of. Intentionally. A frequent point of idealism, despite chants of “DECENTRALIZE DA WURLD” and the clear opportunities for butthurt, is in bitcoin wallets.

Perhaps because of their delusions of digital security, Bitcoiners still aren’t making high-entropy paper wallets. It’s a lot of work, granted, but tripping over each other to host your coins on some unproveni crowd/VC-funded start-up is about as decentralized as the Board of Governors of the Federal Reserve. And I couldn’t sworn that we were trying to avoid that kind of thing.

Which brings us to the latest Wired pump piece on idealist-chomping multisig fucktards BitGo:

When you sign up for a BitGo wallet, the company creates three keys: one that’s stored by the company’s servers, one that’s encrypted and stored on its servers, and a third that you print out and put somewhere safe.

So this company, founded by the two not-particularly-trustworthy-looking doods (seen below), is holding 2-of-3 keys. Sorry, they’re holding one and “their friend” is holding another, which is totally kosher because they only need 2-of-3 to spend your coins. Oh wait, no… that means you’re cut out… that doesn’t work at all.

And are they seriously storing one key unencrypted and one key encrypted?

If you forget your password or somehow lose access to one of the other two keys, the third can still keep your bitcoins secure.

That doesn’t keep your coins secure at all. How do you lose access to one of the other two keys when they are in effect holding 2-of-3? You only have one to lose!

To spend your bitcoins, you need access to two of these three keys.

Wrong again. To spend your bitcoins, they need access to 2-of-3 keys, which is exactly what you’re handing them on a silver platter.

Anyone can use the BitGo wallet, but the company sees a real opportunity in building bank-like services that let companies put corporate controls over their bitcoins. On Tuesday, BitGo introduced a suite of wallet services that let businesses limit how many bitcoins a user can spend without corporate approval, and control digital currency spending in other ways.

Awesome! Spending restrictions! Also known as capital controls! I’m sure there will be a market for this with the Argentinian government at the very least. Also, super uncool.

Typically, you would spend bitcoins by logging into your BitGo account and then using your phone to get access to a second key.

Ah, the impenetrable fortress that is your phone. Except for the giant holes in phone security that punks like Nic Cary from Blockchain.info walk through when they give your 2FA code away, or when your phone gets baseband hacked. Y’know, but other than that it’s totally safe. Like, bank safe.

The icing on the cake, from BitGo’s own website, is a slight re-phrasing of Wired’s coverage. The truth between who holds the third key, BitGo or “BitGo’s friend,” is probably intentionally obtuse:

We hold one key, you control a second key, and a third key is held as a backup with a trusted party. If a single key is compromised, your Bitcoin can’t be stolen. This makes our wallet virtually hack proof.

So to recap: trusting a stranger and “their friend” is “virtually hack proof.” Even if we grant them this tall tale, we’re left with a wallet implementation that’s far from theft/scam proof. The opportunity for collusion is open, disgusting, and creates clear incentives for abuse. If BitGo gets off the ground, it can only end in flames.

And yes, CTO Belshe is a former Googler who diddled about with Chrome. Who knows, maybe he even had something to do with the Easywallet.org search hack?

Will O'Brien, Mike Belshe, BitGo

___ ___ ___

  1. “Unproven” may also be “new and exciting,” but that doesn’t mean it’s earned your trust. It means the opposite. Some former Googler saying “we’re more secure than traditional banking” is always and everywhere a wallet inspector’s promise. So for the love of God, stay the fuck away from these guys. []

9 thoughts on “BitGo Multisig: A Stranger, His Friend, and You

  1. Will O'Brien says:

    Hi Peter Dushenski-

    This is Will O’Brien, CEO of BitGo. I don’t believe we have met at any of the industry conferences, such as CoinSummit or Inside Bitcoins, so I’m assuming any information you have regarding BitGo did not come from us directly. Your recent post referring to BitGo is factually inaccurate and I wanted to correct the facts with you directly.

    BitGo only ever sees 1 of the 3 keys in a multi-sig wallet. That key is generated on our servers and stored securely.

    The user key and backup key, and the passcode, are never seen by BitGo. The user key is generated in the user’s browser and encrypted with a passcode. We recommend users create their own backup key as a “cold key” that is not seen in the user’s browser or on our servers.

    Because of this design, BitGo can never access the bitcoins of its customers. BitGo is a security service and co-signer only.

    We have been live since August 2013 and are one of the most experienced and respected teams in the industry. We have performed extensive independent security audits as well.

    To learn more, I wanted to encourage you to read the following resources:
    1- Our whitepaper about multi-sig P2SH addresses at https://www.bitgo.com/p2sh_safe_address.
    2- You may examine our client-side code at https://github.com/bitgo.
    3- An endorsement by BitPay on their blog http://blog.bitpay.com/2014/04/07/bitcoin-wallets-and-decentralization.html.

    Feel free to send any other questions you have about our security policies to security@bitgo.com

    • Bitcoin Pete says:

      Hi Will,

      Thank you for the factual corrections. However, you’re still holding one of the customer’s keys, which creates additional vulnerability compared to even a desktop application and a USB key, much less high-entropy cold storage. Also, using browser-side key generation is fine for computer class but falls woefully short for anything securing real wealth.

      These criticism can be directed at bc.info just as well BitGo, and I appreciate that you’re decentralizing the webwallet space, I just see webwallets in general as antithetical to Bitcoin as they create perverse incentives for “hacks.” BitGo is also too new and too narrowly used to demonstrate that it’s appreciably more secure than its competitors. I’ll be watching your progress over the next few years. Best of luck!

  2. kanzure says:

    I signed up for an account on BitGo (using a throwaway email address), and they emailed me 2 private keys. That means they had those 2 in their possession. Case closed.

    • Will O'Brien says:

      Hi kanzure-

      Sorry, but this is categorically wrong.

      The keys you were emailed were encrypted with your passcode in the browser before the email was generated. BitGo never saw the unencrypted keys nor your passcode. So we absolutely do not have the keys.

      You can read our FAQ for details or read this walkthrough guide.

      Here are some snippets:

      Why do I need to save my private keys?

      In order to ensure the highest protection of your Bitcoin holdings, 2 of your 3 keys are created in your browser and BitGo never sees them. BitGo only offers you your private keys once, when these keys are created. Therefore, you will only have one chance to save or print these keys. If you did not print or save the keys in any form, there is nothing BitGo can do to distribute your keys back to you at a later time.

      You need to save your keys in case you ever need to access your Bitcoin without using BitGo. This protects against the unlikely scenario that BitGo is not available, or in the event you forget your passcode.

      and

      What is the safest way to store my Private Keys?

      It is very important that you save your private keys in the most secure way possible. The most secure method is to print out the keys right away and place the printout in a secure place.

      Alternatively, you can email yourself a PDF of the keys that is encrypted with your passcode. We recommend you print out that PDF and write your passcode on the physical paper.

      Lastly, there is an advanced option in the wallet creation to provide your own Backup Key by entering the public key of a Bitcoin address you control.

      We also let you bring your own backup key, a “cold key” to the wallet instead of generating it in the browser. Our enterprise customers use this practice.

      Hope this clears up the confusion. You can email us at security@bitgo.com if you have more questions.

      Thanks.

    • kanzure says:

      “Alternatively, you can email yourself a PDF of the keys that is encrypted with your passcode” where the pdf’s passcode has the same one as the in-browser passcode? So are you generating the password-protected pdf on the server-side or the client-side?

    • Will O'Brien says:

      From my earlier response: “The keys you were emailed were encrypted with your passcode in the browser before the email was generated. BitGo never saw the unencrypted keys nor your passcode. We absolutely do not have the keys.”

      The PDF itself is not password-protected, the keys are encrypted with a strong passcode client-side. The PDF is useless to anyone without your passcode.

      As a reminder, you do not need to email this encrypted PDF. It is an option, not required in the flow.

  3. […] if you’re as dumb as TwoBitIdiot and are using Coinbase, Circle, or BitGo to store most of your coins, you deserve to lose them. […]

  4. […] I certainly appreciate that my calling out Gavincoin’s, Lanier’s, O’Brien’s, Terpin’s, and Bortzmeyer’s malicious idiocy is, in effect, calling those fiat emperors […]

  5. […] is, alas, not even a new or original scam in the Bitcoin space. Surely you’ll recall BitGo and their various “accidents.” Cancoin is exactly no different, but realising this, has […]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>