Added Coin.Space wallet

[nikashitsa]

Coin.Space HD Wallet is a free online bitcoin wallet, which you can use to make worldwide payments for free. It makes paying with bitcoins easy and secure available anywhere on your phone or desktop.

Previous attempt #963.
Removed sending BIP39 phrases over SMS, added ios app. Tagged as v2.1.3.

[crwatkins]

I have reviewed Coin.Space from CoinSpace based on the current wallet requirements criteria and my evaluation is below. Last year this wallet was reviewed and I recommended another review after several bugs could be corrected and more usage could be identified. The summary is that the wallet passes on security and overall design. Coin.Space is heavily based on the popular Hive wallet which was listed until it was discontinued last year. During testing, numerous bugs, mostly in the area of UI and user interaction, were reported and fixed. While these bugs never resulted in loss of funds, they did present confusing balance and transaction information to users. For this reason I recommend more testing and QA in the future.

The wallet provides two optional convenience features for discovering addresses, OpenAlias and Mecto, which I strongly recommend against using. The OpenAlias implementation provides a static wallet address which is available to the public via a DNS lookup, encouraging address re-use and discouraging privacy. The Mecto feature allows searching for other Coin.Space users within a certain geographic range. When enabled it exposes the exact geolocation and Bitcoin address of a transaction recipient to unauthenticated attackers.

As an aside, while it has been discussed, we have have not kept wallet requirements up to date with changing fee requirements and thus we have no fee related requirements. It should be noted that Coin.Space offers no user control over the fee used when creating transactions. This should be addressed in the future.

I recommend Coin.Space for listing and I concur with the current scoring in the pull request.

Coin.Space

v2.1.3

Review Version 2016060501

The wallet list is based on the personal evaluation of the maintainer(s) and regular contributors of this site, according to the criteria detailed below.

These requirements are meant to be updated and strengthened over time. Innovative wallets are exciting and encouraged, so if your wallet has a good reason for not following some of the rules below, please submit it anyway and we'll consider updating the rules.

NOTE The Mecto feature (searching for other Coin.Space users based on geographic location) was exercised, and bugs were reported related to inconsistent search results

CONCERN The Mecto API allows unauthenticated attackers to determine the exact geolocation, Bitcoin address, and Coin.Space id of any Mecto enabled users in an attacker chosen ~1km radius.

NOTE The wallet user has no control over the transaction fee

NOTE The OpenAlias feature advertises static Bitcoin addresses via DNS leading to address reuse

Basic requirements:

• Sufficient users and/or developers feedback can be found without concerning issues, or independent security audit(s) is available

NOTE Coin.Space was released over a year ago

NOTE Coin.Space is based on the popular Hive Wallet which has since been discontinued

NOTE CoinSpace claims over 40,000 accounts created https://www.coin.space

NOTE Google Play 1000-5000 downloads

NOTE CoinSpace claims over 1000 iOS downloads/month

PASS Sufficient usage was found

• No indication that users have been harmed considerably by any issue in relation to the wallet

PASS No indication found using standard web searches using Google and Bing

• No indication that security issues have been concealed, ignored, or not addressed correctly in order to prevent new or similar issues from happening in the future

NOTE There was previously a bug bounty at https://hackerone.com/coinspace, but it is no longer active

PASS No indication found

• No indication that the wallet uses unstable or unsecure libraries

PASS Uses BitcoinJS, CryptoJS, and secure-random

• No indication that changes to the code are not properly tested

PASS No indication found

NOTE Because of the type of bugs that were found during review, more wallet testing and QA is recommended

• Wallet was publicly announced and released since at least 3 months

PASS Android 28-Mar-2015 https://www.coin.space/blog/android-client

PASS Windows Phone 22-Apr-2015 https://www.coin.space/blog/windows-phone-app

• No concerning bug is found when testing the wallet

PASS Previous concerning bugs have been corrected

• Website supports HTTPS and 301 redirects HTTP requests

PASS http://www.coin.space which links to downloads redirects correctly

PASS http://coin.space web wallet redirects correctly

• SSL certificate passes Qualys SSL Labs SSL test

PASS https://www.coin.space (links to downloads): A+ rating (with Cloudflare)

PASS https://coin.space (wallet): A+ rating (with Cloudflare)

• Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days

PASS https://www.coin.space 180 days

PASS https://coin.space 180 days

• The identity of CEOs and/or developers is public

PASS Link to Crunchbase on https://www.coin.space/features.html

• If private keys or encryption keys are stored online:

NOTE An encryption key is stored online that is used to decrypt local wallet storage.

• Refuses weak passwords (short passwords and/or common passwords) used to secure access to any funds, or provides an aggressive account lock-out feature in response to failed login attempts along with a strict account recovery process.

PASS Aggressive lockout: Account is deleted after five failed PINs.

NOTE No filter for common PINs.

NOTE Lost PIN recovery process is full restore from BIP39 phrase.

• If user has no access over its private keys:

N/A

• Provides 2FA authentication feature
• Reminds the user to enable 2FA by email or in the main UI of the wallet
• User session is not persistent, or requires authentication for spending
• Provides account recovery feature
• If user has exclusive access over its private keys:
  • Allows backup of the wallet

PASS Wallet backup is BIP39 phrase

• Restoring wallet from backup is working

PASS Wallet was restored from BIP39 phrase. Wallet was also restored to MultiBit HD using BIP39 phrase.

• Source code is public and kept up to date under version control system

PASS https://github.com/CoinSpace

• If user has no access to some of the private keys in a multi-signature wallet:

N/A

• Provides 2FA authentication feature
• Reminds the user to enable 2FA by email or in the main UI of the wallet
• User session is not persistent, or requires authentication for spending
• Gives control to the user over moving their funds out of the multi-signature wallet
  • For hardware wallets:

N/A

• Uses the push model (computer malware cannot sign a transaction without user input)
• Protects the seed against unsigned firmware upgrades
• Supports importing custom seeds
• Provides source code and/or detailed specification for blackbox testing if using a closed-source Secure Element

Optional criteria (some could become requirements):

• Received independent security audit(s)

NOTE No audit

• Avoid address reuse by using a new change address for each transaction

PASS Uses a new change address for each transaction

• Avoid address reuse by displaying a new receiving address for each transaction in the wallet UI

PASS Displays an unused address for each receive

NOTE A receive address may be re-displayed if it has not yet received a transaction

CONCERN When using OpenAlias, the same Bitcoin address is always used

• Does not show "received from" Bitcoin addresses in the UI

PASS Does not show received from addresses

• Uses deterministic ECDSA nonces (RFC 6979)

PASS A transaction created by the wallet was re-signed using custom code compatible with RFC 6979 and the signatures matched.

• Provides a bug reporting policy on the website

PASS A contact form is provided https://www.coin.space/contact.html

NOTE There is also a support request button on the settings frame in the wallet

• If user has no access over its private keys:

N/A

• Full reserve audit(s)
• Insurrance(s) against failures on their side
• Reminds the user to enable 2FA in the main UI of the wallet
• If user has exclusive access over its private keys:
  • Supports HD wallets (BIP32)

PASS Supports BIP32 using standard m/0'/c/i path

• Provides users with step to print or write their wallet seed on setup

PASS Provides BIP39 phrase on setup and encourages users to write it down

NOTE Wallet seed is never available to end users after setup

• Uses a strong KDF and key stretching for wallet storage and backups

PASS KDF is not used. The server returns a strong key when the correct PIN is supplied.

NOTE This requires the server to be available to access the wallet in any way

• On desktop platform:
  • Encrypt the wallet by default

PASS Local wallet storage is encrypted by default

• For hardware wallets:
  • Prevents downgrading the firmware

N/A

[jspeigner]

Thank you for the review, we look forward to providing another Bitcoin Wallet to the community.

[Cobra-Bitcoin]

Merged here 23d06b4. Great work on this wallet.