Update en.yml #382

Closed
wants to merge 2 commits into
from

Contributor

sunnankar commented Apr 17, 2014

Update to first paragraph to be more concise and additional focus on (1) explaining the importance of private keys and (2) securing the private keys. Fixed typo in #380 of <p> and </p>.

sunnankar added some commits Apr 17, 2014

Update en.yml
Update to first paragraph to be more concise and additional focus on (1) explaining the importance of private keys and (2) securing the private keys. Fixed typo in #380 of <p> and </p>.
Update en.yml
Fix two links to be consistent for translations.
Contributor

saivann commented Apr 17, 2014

@sunnankar I think I understand what you want to do here, but I'm not sure if the result is better than what we have now for a few reasons.

  • We currently link to the "You need to know" page in bold, and this page already better covers this question and all other information new users need to be aware of.
  • The suggested text is longer while it should ideally remain as short as possible, so people actually read it.
  • The consensus seems to be to speak about wallets and avoid speaking of private keys as much as possible, since private key is a more complicated and risky concept for non-technical users.

In general, there might be many different good ways to introduce wallets, but unless we agree the new version has some significant improvement in it, I think we should also keep in mind the cost of re-translating these strings in all languages.

@gwb3 Any opinion on this?

Contributor

sunnankar commented Apr 17, 2014

Understanding private keys is a prerequisite to understanding wallets. Private keys control bitcoins and wallets are an instrument to manage and secure private keys.

The 'choose your wallet' and 'you need to know' pages never mention private keys once. This is a gaping hole in presenting material information and potential risks to new users.

One problem with speaking about wallets in general and knowingly and willfully refusing to discuss private keys is that private keys can be held with the individuals and other times are held with third parties which presents tremendous differences in the risk profile based on who to trust. Unless, of course, one wants to hold the private keys of others (like mybitcoin.com, MtGox, etc.) so the nefarious actor can abscond with the funds in the future then that would be a great reason to keep new users in ignorance. Sure, the mouse over popups attempt to distinguish based on security but it appears inadequate.

It is vital for new users to be adequately apprised of this risk so they can conduct further research on such a vital topic. Given the large amount of funds people have lost and are losing in this industry I think it is important to do more education on this extremely important subject and that should start when individuals go to download their first wallet.

Contributor

saivann commented Apr 17, 2014

@sunnankar If you take a closer look, you'll notice that there's a lot of energy spent on educating the user about how to have full control over their own wallets (secure your wallet, wallets disclaimers, wallets categories description). This doesn't require the user to interact with technical concepts like private keys which leads to bad behavior, security risk and privacy leaks.

Contributor

wbnns commented Apr 17, 2014

@sunnankar Thanks again for contributing and sharing your perspective here. Again, I agree with @saivann - there is also a page dedicated to "Securing your wallet" (https://bitcoin.org/en/secure-your-wallet) on the "Some things you need to know" page.

I like how we are keeping things high-level here and allowing the visitor to click-through for more detailed info where they would like to read more. Also, I second the point about we should all agree as a team that there is a significant improvement or change in meaning of the text, when considering changing these types of things.

Contributor

sunnankar commented Apr 17, 2014

@saivann,

There is a big difference between keeping things at 'high-level' and intentionally omitting critical and material foundational knowledge for proper wallet security.

Here is an example of the problem from improper education:

The mouseover for BitGo:

"This wallet relies on a centralized service by default and requires a certain level of trust on a third party. This third party however does not control your wallet. Using backups and a strong password is always recommended when applicable."

This is a complete misstatement of fact that 'this third party does not control your wallet'.

For example, BitGo (which holds over $100m of bitcoins) holds their key and can touch the other two keys via the JavaScript they serve. Thus, the third party has control, or could possibly control, all necessary private keys to move bitcoins.

Attack vectors are possible such as:

  • their servers being hacked and compromising both keys
  • an inside job compromising both keys which could happen at generation
  • SSL MITM changing a receive address

The same analysis holds for Blockchain.info unless one is using the JavaScript browser extension.

With Coinbase the warning states: 'Web wallets host your bitcoins.'

A more accurate reading would be 'Coinbase solely holds the private keys that control the bitcoins.'

Contributor

saivann commented Apr 17, 2014

@sunnankar That could be a separate pull req, but I indeed also considered updating this to "This third party however have limited control over your wallet" so this disclaimer would be a little more accurate regarding possible attack scenarios. This said, we clearly say that it's the user's responsibility to secure their own wallet. You could use the same argument against any software wallet, as they could compromise users' keys when they update, which is pretty similar to BitGo.

Edit: Also not to mention that bitcoin-stealing malware is becoming more widespread and people often make dumb mistakes, so ultimately controlling your own keys isn't a security guarantee either.

saivann added a commit that referenced this pull request Apr 24, 2014

Contributor

saivann commented May 13, 2014

Closing this pull request since it didn't get to a consensus.

saivann closed this May 13, 2014
