Adding ArcBit wallet #1459

Merged
merged 4 commits into from Feb 16, 2017

Contributor

stequald commented Dec 25, 2016

Hi, I would like to add the bitcoin wallet ArcBit to Bitcoin.org.

@wbnns wbnns self-assigned this Dec 26, 2016

@crwatkins crwatkins added the Wallets label Dec 26, 2016

@crwatkins crwatkins self-assigned this Dec 26, 2016

Contributor

crwatkins commented Dec 27, 2016

Thanks for the PR @stequald! You may want to remove the entry for the web wallet since that's for website-only wallets and I believe that you have a Chrome extension.

You may have used GreenAddress as an example which links their Chrome app as their web link. I think that should link to https://greenaddress.it instead. I'll ping @greenaddress to fix that in the GreenAddress listing if appropriate.

Contributor

stequald commented Dec 28, 2016

@crwatkins Just updated PR with removal of web wallet.

Contributor

crwatkins commented Dec 28, 2016

Hey @stequald thanks for the quick update! You'll also want to remove web from

compat: "mobile desktop web android ios windows mac linux"

Contributor

stequald commented Dec 28, 2016

@crwatkins Oops, missed that. Just updated.

Contributor

crwatkins commented Dec 28, 2016

Thanks @stequald

@wbnns wbnns added the Under Review label Jan 31, 2017

Contributor

crwatkins commented Feb 8, 2017

Hi @stequald,

Under the android: and ios: sections, you have os listed as both android and ios (for both of them). I think you probably meant to list ios for ios and android for android.

Contributor

stequald commented Feb 8, 2017 edited

Hey @crwatkins I've just updated PR with the fix.

Contributor

crwatkins commented Feb 8, 2017

I have reviewed the ArcBit wallet based on the current wallet requirements criteria and my evaluation is below. The summary is that I can recommend this wallet for listing.

I concur with the current scoring in the pull request.

ArcBit

iOS Version 1.4.2

Chrome app version 1.1.7

Android version 1.0.5

Review Version 2017020801

The wallet list is based on the personal evaluation of the maintainer(s) and regular contributors of this site, according to the criteria detailed below.

These requirements are meant to be updated and strengthened over time. Innovative wallets are exciting and encouraged, so if your wallet has a good reason for not following some of the rules below, please submit it anyway and we'll consider updating the rules.

NOTE The "Brain Wallet" mode of the Chrome app was considered a set of accessory tools and not the default mode of the wallet. It was tested (and worked well), but it was not reviewed against the listing criteria.

Basic requirements:

  • Sufficient users and/or developers feedback can be found without concerning issues, or independent security audit(s) is available

PASS ArcBit for iOS has been available for 19 months and various conversations can be found on reddit.com and bitcointalk.org without concerning issues.

  • No indication that users have been harmed considerably by any issue in relation to the wallet

PASS No indication. Problems found have been resolved.

  • No indication that security issues have been concealed, ignored, or not addressed correctly in order to prevent new or similar issues from happening in the future

PASS No indication. Support has been very responsive.

  • No indication that the wallet uses unstable or unsecure libraries

PASS No indication found: Chrome app uses bitcoinjs and cryptojs; iOS app uses CoreBitcoin; Android app uses bitcoinj

  • No indication that changes to the code are not properly tested

PASS No indication

  • Wallet was publicly announced and released since at least 3 months

PASS Released 30 June 2015 - https://www.reddit.com/r/Bitcoin/comments/3bn3n7/announcement_launching_arcbit_first_bitcoin/

  • No concerning bug is found when testing the wallet

PASS No concerning bug was found. Minor issues reported were addressed quickly.

NOTE During a wallet restore, some UI elements may be slow at updating to the new wallet; this is being investigated.

  • Website supports HTTPS and 301 redirects HTTP requests

PASS http://arcbit.io redirects to https://arcbit.io

PASS https://arcbit.io has rating A+

  • Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days

PASS max-age is 2 years with preload

  • The identity of CEOs and/or developers is public

PASS https://arcbit.io

  • Avoid address reuse by displaying a new receiving address for each transaction in the wallet UI

PASS A list of new receive addresses is displayed

  • Avoid address reuse by using a new change address for each transaction

PASS A new change address is used in each transaction

  • If private keys or encryption keys are stored online:

N/A

    • Refuses weak passwords (short passwords and/or common passwords) used to secure access to any funds, or provides an aggressive account lock-out feature in response to failed login attempts along with a strict account recovery process.

  • If user has no access over its private keys:

N/A

    • Provides 2FA authentication feature

    • Reminds the user to enable 2FA by email or in the main UI of the wallet

    • User session is not persistent, or requires authentication for spending

    • Provides account recovery feature

  • If user has exclusive access over its private keys:

    • Allows backup of the wallet

PASS Backup of BIP39 phrase is in settings. Wallet reminds users to back up the phrase.

NOTE Full wallet metadata can be backed up to local disk from the Chrome browser, or to iCloud from iOS.

    • Restoring wallet from backup is working

PASS Wallets were restored from just the BIP39 phrase as well as with full metadata from the saved backup

NOTE Funds were restored to wallets from other developers, such as Multibit HD, using the BIP39 phrase

    • Source code is public and kept up to date under version control system

PASS https://github.com/arcbit

  • If user has no access to some of the private keys in a multi-signature wallet:

N/A

    • Provides 2FA authentication feature

    • Reminds the user to enable 2FA by email or in the main UI of the wallet

    • User session is not persistent, or requires authentication for spending

    • Gives control to the user over moving their funds out of the multi-signature wallet

  • For hardware wallets:

N/A

    • Uses the push model (computer malware cannot sign a transaction without user input)

    • Protects the seed against unsigned firmware upgrades

    • Supports importing custom seeds

    • Provides source code and/or detailed specification for blackbox testing if using a closed-source Secure Element

Optional criteria (some could become requirements):

  • Received independent security audit(s)

NOTE No known security audits

  • Does not show "received from" Bitcoin addresses in the UI

PASS iOS app and Android app do not display "received from" addresses

FAIL Chrome app displays "received from" address; ArcBit has plans to address this

  • Uses deterministic ECDSA nonces (RFC 6979)

PASS A transaction signed by the Android ArcBit wallet was duplicated and signed with custom code using pybitcointools which is RFC 6979 based. The signatures match. The other ArcBit wallets also use libraries which produce deterministic signatures.

  • Provides a bug reporting policy on the website

PASS Provides a support email address on https://arcbit.io

  • Website serving executable code or requiring authentication is included in the HSTS preload list

PASS https://arcbit.io has preload headers enabled and is pending submission

  • If user has no access over its private keys:

N/A

    • Full reserve audit(s)

    • Insurance(s) against failures on their side

    • Reminds the user to enable 2FA in the main UI of the wallet

  • If user has exclusive access over its private keys:

    • Supports HD wallets (BIP32)

PASS Supports standard BIP44 with multiple accounts

    • Provides users with step to print or write their wallet seed on setup

PASS New wallets pop up a pointer to wallet backup in Settings

    • Uses a strong KDF and key stretching for wallet storage and backups

PASS Uses 10k rounds of PBKDF2

    • On desktop platform:

      • Encrypt the wallet by default

FAIL Does not encrypt (Chrome browser local storage) by default

NOTE There is an option to encrypt in Settings

  • For hardware wallets:

N/A

    • Prevents downgrading the firmware
Contributor

wbnns commented Feb 9, 2017 edited

@stequald @crwatkins Thank you both very much for the work on this.

Unless others object, this will be merged on Wednesday, February 15th.

@wbnns wbnns added Merge Scheduled and removed Under Review labels Feb 9, 2017

@wbnns wbnns merged commit d010027 into bitcoin-dot-org:master Feb 16, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed