<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Where would you verify that?<br>
<br>
<div class="moz-cite-prefix">On 2/3/2015 10:03 AM, Brian Erdelyi
wrote:<br>
</div>
<blockquote
cite="mid:CB45FC36-3B3E-486D-95FE-596D7380C3D2@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
Joel,
<div class=""><br class="">
</div>
<div class="">The mobile device should show you the details of the
transaction (i.e. amount and bitcoin address). Once you verify
this is the intended recipient and amount you approve it on the
mobile device. If the address was replaced, you should see this
on the mobile device as it won’t match where you were intending
to send it. You can then not provide the second signature.</div>
<div class=""><br class="">
</div>
<div class="">Brian Erdelyi</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Feb 2, 2015, at 4:57 PM, Joel Joonatan
Kaartinen &lt;<a moz-do-not-send="true"
href="mailto:joel.kaartinen@gmail.com" class="">joel.kaartinen@gmail.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">If the attacker has your desktop
computer but not the mobile that's acting as an
independent second factor, how are you then supposed to
be able to tell you're not signing the correct
transaction on the mobile? If the address was replaced
with the attacker's address, it'll look like everything
is ok.
<div class=""><br class="">
</div>
<div class="">- Joel<br class="">
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Mon, Feb 2, 2015 at 9:58
PM, Brian Erdelyi <span dir="ltr" class="">&lt;<a
moz-do-not-send="true"
href="mailto:brian.erdelyi@gmail.com"
target="_blank" class="">brian.erdelyi@gmail.com</a>&gt;</span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span class=""><br
class="">
&gt; Confusing or not, the reliance on
multiple signatures as offering greater
security than single relies on the
independence of multiple secrets. If the
secrets cannot be shown to retain independence
in the envisioned threat scenario (e.g. a
user's compromised operating system) then the
benefit reduces to making the exploit more
difficult to write, which, once written,
reduces to no benefit. Yet the user still
suffers the reduced utility arising from
greater complexity, while being led to believe
in a false promise.<br class="">
<br class="">
</span>Just trying to make sure I understand
what you’re saying. Are you alluding to that if
two of the three private keys get compromised
there is no gain in security? Although the
likelihood of this occurring is lower, it is
possible.<br class="">
<br class="">
As more malware targets bitcoins I think the
utility is evident. Given how final Bitcoin
transactions are, I think it’s worth trying to
find methods to help verify those transactions
(if a user deems it to be high-risk enough)
before the transaction is completed. The
balance is trying to devise something that users
do not find too burdensome.<br class="">
<div class="HOEnZb">
<div class="h5"><br class="">
Brian Erdelyi<br class="">
------------------------------------------------------------------------------<br
class="">
Dive into the World of Parallel Programming.
The Go Parallel Website,<br class="">
sponsored by Intel and developed in
partnership with Slashdot Media, is your<br
class="">
hub for all things parallel software
development, from weekly thought<br class="">
leadership blogs to news, videos, case
studies, tutorials and more. Take a<br
class="">
look and join the conversation now. <a
moz-do-not-send="true"
href="http://goparallel.sourceforge.net/"
target="_blank" class="">http://goparallel.sourceforge.net/</a><br
class="">
_______________________________________________<br class="">
Bitcoin-development mailing list<br class="">
<a moz-do-not-send="true"
href="mailto:Bitcoin-development@lists.sourceforge.net"
class="">Bitcoin-development@lists.sourceforge.net</a><br
class="">
<a moz-do-not-send="true"
href="https://lists.sourceforge.net/lists/listinfo/bitcoin-development"
target="_blank" class="">https://lists.sourceforge.net/lists/listinfo/bitcoin-development</a><br
class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
</body>
</html>