default to mobile on choose-your-wallet #644

Closed
wants to merge 1 commit into
from

6 participants
Contributor

voisine commented Nov 13, 2014

I'm biased, but I propose that the choose-your-wallet page should default to mobile wallets even if the user views the page from a desktop system. Most new users learning about bitcoin for the first time are going to have very little computer security knowledge, and the prevalence of bitcoin stealing malware is growing at an alarming rate. http://www.coindesk.com/report-bitcoin-targeted-22-financial-malware-attacks/

We should encourage new users to use mobile platforms that use app sandboxing and other methods of hardening against malware. The problem of bitcoin stealing malware is only going to get worse. I'd like to hear feedback from others.

default to mobile on choose-your-wallet
I'm biased, but I propose that the choose-your-wallet page should default to mobile wallets even if the user views the page from a desktop system. Most new users learning about bitcoin for the first time are going to have very little computer security knowledge, and the prevalence of bitcoin stealing malware is growing at an alarming rate. http://www.coindesk.com/report-bitcoin-targeted-22-financial-malware-attacks/

We should encourage new users to use mobile platforms that use app sandboxing and other methods of hardening against malware. I'd like to hear feedback from others.
Contributor

gmaxwell commented Nov 13, 2014

The mobile world is also a security mess but the vectors are different. Devices are easily lost or stolen, and there are often (literally) hundreds of people at the {carrier, OS provider, software developer} with the technical ability to unilaterally push replacement software onto client devices (and who may be coerced to do so).

I don't think this is a silver bullet.

Contributor

luke-jr commented Nov 13, 2014

Indeed, I would consider it foolish to store one's bitcoins on a mobile device. That's like carrying around your life savings in your physical wallet.

Contributor

saivann commented Nov 13, 2014

There is also the option of not selecting any category by default, as suggested by @theymos previously:
http://www.reddit.com/r/Bitcoin/comments/2ax6xi/new_choose_your_wallet_page_on_bitcoinorg/cizrg3j

Contributor

schildbach commented Nov 13, 2014

@saivann Which would bring us back to the "overwhelming choice" problem, right?

Contributor

luke-jr commented Nov 13, 2014

If "overwhelming choice" is a problem, we could start hiding broken wallet software (eg, those reusing addresses or promoting myths like "from address" and "address balance") by default...

Contributor

saivann commented Nov 13, 2014

@schildbach I don't know if mixing all wallets this way really makes sense in general, but only the first 12 wallets would be displayed (Bitcoin Core would remain in the first position), and the user could see more wallets by exploring the categories.

Contributor

voisine commented Nov 13, 2014

@gmaxwell I agree it's no silver bullet, but I am convinced that the popular mobile platforms are a significant improvement over the common desktop environments when it comes to malware. Most of the mobile wallets listed also offer easy off-device backup of the HD seed, and mobile platforms are moving toward pin codes/biometrics and filesystem encryption to help protect your data if your phone is stolen. It's not perfect by any means, but the improved security of mobile platforms and their ability to help reduce incidence of bitcoin theft was a primary motivating factor for my own work.

Contributor

schildbach commented Nov 13, 2014

@luke-jr @saivann Good points.

@gmaxwell @voisine People can always decide to use a mobile device non-mobile. I assume most tablets are used that way. Or the other way round: notebooks get stolen as well. Sometimes I think it's an advantage I have my mobile phone on my body when I'm away from home. My notebook stays at home and could get compromised by the BND (German equivalent of the NSA).

Contributor

saivann commented Nov 13, 2014

Although I also have the (perhaps wrong) impression that mobiles are less likely to cause security issues, if we put that argument aside and consider both platforms equal in terms of security, I think that mobiles are more appropriate for most users from a usability perspective. What bothers me with this idea is the decreased visibility for Bitcoin Core and full nodes in general.

Contributor

gmaxwell commented Nov 13, 2014

My comments were not limited to mobile use, FWIW. Informally, my experience suggests large amounts of losses still happen on mobile, as it exists today... and we're left with more blockchain.info-like systemic risk vectors on these platforms.

Multisignature security and dedicated signer hardware are the kinds of meaningful security improvements that I think people are really looking for with this kind of proposal, and I think would make more sense than just 'mobile'.

Contributor

voisine commented Nov 13, 2014

@saivann I also like the idea of not selecting any category by default. I think more people will end up choosing mobile in that case just for the convenience factor.

Contributor

harding commented Nov 14, 2014

If we believe something is more secure, I think we should tell that to users. We shouldn't count on a weak default (or no default) to lead them to the desired choice.

Based on the comments above, I think it would be reasonable to default to no category and no wallets displayed. Then, when the user chooses a category but before any wallets are displayed, we display a warning specific to wallets in that category. For example:

  • Warning: desktop and laptop operating systems are especially vulnerable to bitcoin-stealing malware. Consider choosing a multisig wallet with remote two-factor authentication or which operates in conjunction with a hardware wallet.
  • Warning: mobile devices are easily lost along with the bitcoins sent to them. Be sure to set up your wallet backup system before receiving any bitcoins on your mobile wallet. In addition, devices which automatically update their software can be changed to steal your bitcoins. Consider choosing a multisig wallet with remote two-factor authentication or which operates in conjunction with a hardware wallet.
  • Warning: hardware devices are easily lost along with the bitcoins sent to them. Be sure to set up your wallet backup system before receiving any bitcoins on your hardware wallet.
  • Warning: most web wallets offer less privacy and security than the other wallets listed on this page. Consider using a desktop or mobile wallet whenever possible.
Contributor

saivann commented Nov 14, 2014

@harding I think I may have a preference for updating / downgrading the "Environment" score for mobile wallets instead of duplicating the scores as an extra disclaimer.

I feel like other information in the scores is as important as the Environment score. And although wallets are grouped by platform today, maybe the page could support more advanced filtering in the future (e.g. filter wallets that support feature x, that protect privacy, are deterministic, etc).

I also fear there are liabilities that come with recommending a particular setup. In general I wished we could provide transparency and information and help the user avoid risks and issues, but not take any responsibility for the users' choices.

Contributor

saivann commented Nov 14, 2014

(Although I am perhaps paranoid here with the suggested solution - hardware wallet w. multisig & 2FA - more comments are welcome)

Contributor

harding commented Nov 14, 2014

@saivann indeed, adding details to the score field seems like a good idea and there's certainly no harm in doing it.

Contributor

saivann commented Nov 14, 2014

Here's an attempt to squeeze all this information from @gmaxwell & @harding (and a mention about unpatched Androids out there) in the small bubble and use a consistent language with the Desktop score.

Fragile environment

This wallet is loaded on mobiles which are easily lost or stolen. Although mobiles use
app isolation against malware, many devices do not receive security updates or are
vulnerable to malicious automatic updates. Backing up your wallet, using a strong
passphrase, moving most of your funds to cold storage or enabling two-factor
authentication can make it harder to steal on your bitcoins.
Contributor

harding commented Nov 14, 2014

Near the end: s/steal on your/steal your/

Otherwise, sounds good to me.

Contributor

saivann commented Nov 14, 2014

Note: this proposal indirectly will redirect people to multisig and hardware wallets, by giving them a better score, but not necessarily lead people to using them together as suggested by @harding. This might possibly be achieved later as a mention in the "Transparency" score of hardware wallets.

A rough example:

Hardware wallets cannot be reliably audited (secure RNG, using the right source code...)
generating your own seed or using a multi-signature wallet can make it harder
to steal your bitcoins.
Contributor

schildbach commented Nov 14, 2014

The "update can steal your Bitcoins" argument can be applied to any platform. And at the same time it's a non-threat (if the update is validated correctly), because you're trusting an entity already and it could steal your coins already before the update. Mobile platforms that have the update mechanism built into their system are at an advantage here, as opposed to e.g. Windows where each app does its own, sometimes unsecure, thing.

Contributor

schildbach commented Nov 14, 2014

An alternative to multisig and hardware wallets is simply to not keep too many coins on your mobile device. That's a security model most people know from their leather wallet and in general it works pretty well.

Contributor

saivann commented Nov 14, 2014

I agree that OS updates are a double-edged sword, and probably not the same systemic risk as web wallets, as one would need to compromise both signing keys and the update servers. If "mobiles which are easily lost or stolen" is the only point we really agree on, perhaps we can just opt for the following?

  • Plan on dropping wallets that do not provide a backup step when creating a wallet (related to #541).
  • Include the same security suggestions in the desktop and mobile score (see below).
  • Keep warning people about their responsibility of securing / backing up their wallet with the warning disclaimer already on the page.

Secure environment

This wallet is loaded on mobiles where apps are usually isolated
against malware. However, mobiles are usually easier to steal or lose.
Backing up your wallet, using a strong passphrase, moving most of
your funds to cold storage or enabling two-factor authentication can make
it harder to steal your bitcoins.
Contributor

saivann commented Dec 10, 2014

Back to the initial topic of this pull request, I have just submitted the "no category by default" idea, see #677.

Contributor

saivann commented Dec 15, 2014

Closing this pull request as the page now shows no category by default.

@saivann saivann closed this Dec 15, 2014
