Added Coin.Space wallet

[nikashitsa]

Coin.Space HD Wallet is a free online bitcoin wallet, which you can use to make worldwide payments for free. It makes paying with bitcoins easy and secure available anywhere on your phone or desktop.

[crwatkins]

I have reviewed Coin.Space based on the current wallet requirements criteria and my evaluation is below. The summary is that I found nothing wrong with the overall architecture. However, because of the insufficient usage based feedback and the bugs that I noted in the review (one of which being quite serious), I cannot at this time recommend it for listing as it may be too immature for general use. I would be happy to re-review Coin.Space after the issues have been addressed and sufficient usage has been identified. The requirements also provide for an independent audit as an alternative to usage feedback which Coin Space was happy to look into.

Coin.Space

v0.1.5

Review Version 2015072401

The wallet list is based on the personal evaluation of the maintainer(s) and regular contributors of this site, according to the criterias detailed below.

These requirements are meant to be updated and strengthened over time. Innovative wallets are exciting and encouraged, so if your wallet has a good reason for not following some of the rules below, please submit it anyway and we'll consider updating the rules.

NOTE OpenAlias support was demonstrated, but security considerations were not reviewed

Basic requirements:

• Sufficient users and/or developers feedback can be found without concerning issues, or independent security audit(s) is available

NOTE No evidence of usage on Reddit http://www.reddit.com/r/Bitcoin/comments/30lyvx/coinspace_hd_wallet_for_android_released/

NOTE Facebook page https://www.facebook.com/coinspacewallet has over 4000 likes, but it is uncertain how to relate that to users

NOTE No substantive reviews on http://www.windowsphone.com/

NOTE Google Play: 100-500 downloads, 17 ratings, all reviews non substantive

NOTE No users on bitcointalk.org

NOTE No users found with generic searches using Google and Bing

NOTE No independent security audit is available, but Coin Space is receptive to having one

FAIL Insufficient evidence of usage found to conclude that there are no concerning issues

• No indication that users have been harmed considerably by any issue in relation to the wallet

PASS No indication found

• No indication that security issues have been concealed, ignored, or not addressed correctly in order to prevent new or similar issues from happening in the future

NOTE Bug bounty at https://hackerone.com/coinspace

PASS No indication found

• No indication that the wallet uses unstable or unsecure libraries

PASS Uses BitcoinJS, CryptoJS, and secure-random

• No indication that changes to the code are not properly tested

PASS No indication found. Some tests are on github.

• Wallet was publicly announced and released since at least 3 months

PASS Android 28-Mar-2015 http://www.coinspace.ch/blog/android-client

PASS Windows Phone 22-Apr-2015 (exactly 3 months) http://www.coinspace.ch/blog/windows-phone-app

• No concerning bug is found when testing the wallet

FAIL A number of concerning bugs were found and reported. Following are some in no particular order other than the first being the most concerning.

1. Each time a wallet is created, the user's private BIP39 seed is sent to the Coin Space server. Coin Space is addressing the issue.
2. The Windows Phone wallet was basically unusable. Numerous issues were reported including the UI freezing for 30 seconds at a time, and balances were not current, even after a manual refresh.
3. On the web wallet, a previous transaction listed in the History tab disappeared (after a Send) and then later reappear in the list, while other transactions previously listed as confirmed reverted to “pending confirmation.”
4. Receive address are not always updated after receiving a transaction for that address.

• Website supports HTTPS and 301 redirects HTTP requests

FAIL http://www.coinspace.ch which links to downloads does not redirect to https

PASS http://coin.space web wallet redirects correctly

• SSL certificate passes Qualys SSL Labs SSL test

PASS https://coinspace.ch (links to downloads): A+ rating (with Cloudflare)

PASS https://coin.space (wallet): A rating (with Cloudflare)

• Website serving executable code or requiring authentication uses HSTS with a max-age of at least 180 days

PASS https://coinspace.ch 180 days

PASS https://coin.space 180 days

• The identity of CEOs and/or developers is public

PASS Link to Crunchbase on https://www.coinspace.ch/about.html

• If private keys or encryption keys are stored online:

NOTE An encryption key is stored online that is used to decrypt local wallet storage.

• Refuses weak passwords (short passwords and/or common passwords) used to secure access to any funds, or provides an aggressive account lock-out feature in response to failed login attempts along with a strict account recovery process.

PASS Aggressive lockout: Account is deleted after five failed PINs.

NOTE No filter for common PINs.

NOTE Recovery process is full restore from BIP39 phrase.

• If user has no access over its private keys:

N/A

• Provides 2FA authentication feature
• Reminds the user to enable 2FA by email or in the main UI of the wallet
• User session is not persistent, or requires authentication for spending
• Provides account recovery feature
• If user has exclusive access over its private keys:
  • Allows backup of the wallet

PASS Wallet backup is BIP39 phrase

• Restoring wallet from backup is working

PASS Wallet was restored from BIP39 phrase. Wallet was also restored to MultiBit HD using BIP39 phrase.

• Source code is public and kept up to date under version control system

PASS https://github.com/skyjam/CoinSpace

CONCERN There is only one version tagged, v0.1.5.

• If user has no access to some of the private keys in a multi-signature wallet:

N/A

• Provides 2FA authentication feature
• Reminds the user to enable 2FA by email or in the main UI of the wallet
• User session is not persistent, or requires authentication for spending
• Gives control to the user over moving their funds out of the multi-signature wallet
  • For hardware wallets:

N/A

• Uses the push model (computer malware cannot sign a transaction without user input)
• Protects the seed against unsigned firmware upgrades
• Supports importing custom seeds
• Provides source code and/or detailed specification for blackbox testing if using a closed-source Secure Element

Optional criterias (some could become requirements):

• Received independent security audit(s)

FAIL No audit currently, but Coin Space has expressed interest in conducting an audit

• Avoid address reuse by using a new change address for each transaction

PASS Uses a new change address for each transaction

• Avoid address reuse by displaying a new receiving address for each transaction in the wallet UI

FAIL In a running wallet, after a new confirmed received transaction is displayed on the History tab, the same receive address is displayed for reuse on the Receive tab.

NOTE Wallet does eventually provide a new receive addresses after some unknown time period/conditions

• Does not show "received from" Bitcoin addresses in the UI

PASS Does not show received from addresses

• Uses deterministic ECDSA nonces (RFC 6979)

PASS A transaction created by the wallet was re-signed using custom code compatible with RFC 6979 and the signatures matched.

• Provides a bug reporting policy on the website

PASS A contact form is provided https://www.coinspace.ch/contact.html

• If user has no access over its private keys:

N/A

• Full reserve audit(s)
• Insurrance(s) against failures on their side
• Reminds the user to enable 2FA in the main UI of the wallet
• If user has exclusive access over its private keys:
  • Supports HD wallets (BIP32)

PASS Supports BIP32 using standard m/0'/c/i path

• Provides users with step to print or write their wallet seed on setup

PASS Provides BIP39 phrase on setup and encourages users to write it down

NOTE Wallet seed is never available to end users after setup

CONCERN There is a feature that encourages users to send their BIP39 phrase in an unencrypted SMS message during setup

• Uses a strong KDF and key stretching for wallet storage and backups

PASS KDF is not used. The server provides a strong key when the correct PIN is supplied.

NOTE This requires the server to be available to access the wallet in any way

• On desktop platform:
  • Encrypt the wallet by default

PASS Local wallet storage is encrypted by default

• For hardware wallets:
  • Prevents downgrading the firmware

N/A

[saivann]

@crwatkins At the risk of repeating myself, huge thanks again for your work on this!

[nikashitsa]

@crwatkins @saivann thank you for the great review! We are going to fix all Fails soon.

[crwatkins]

@nikashitsa, I would like to point out the precedence of my CONCERN above regarding sending the BIP39 phrase unencrypted in an SMS message. In a previous wallet review, there was strong concern over "sending the seed unencrypted over non-secure protocols" #652 (comment) which resulted in the removal of that feature. You might want to strongly consider improving the security of that channel or removing it.

[nikashitsa]

@crwatkins we have fixed all found issues and released v0.1.6.
All wallets in stores have been updated. Please let me know, if there are still some issues.
Many thanks :)

[crwatkins]

@nikashitsa Great! That was certainly fast. Can you comment on the status of an audit (or otherwise provide feedback)? In addition, can you comment on your intentions on sending BIP39 phrases in the clear over SMS (see my above comment)?

[ghost]

I have contacted all the suggested individuals to complete an audit Coinspace but received no reply. Is possible this is being viewed as an unsolicited contact.

Losing the pass phrase seems to a common issue for BIP39 web wallet users. We can review removing the SMS BIP39 phrase reminder but feel that its only an option and in no way encouraged, only offered on an opt in basis.

[nikashitsa]

@crwatkins Your review is really detailed and contains only objective comments. Thank you.
I agree with @skyjam about sending BIP39 phrases.

[saivann]

FWIW, I've previously opposed to merging Airbitz until they stopped sending their seed unencrypted over email. I still think it's not appropriate and having these seeds encrypted before sending them in the cloud would be a fair requirement.

[ghost]

@saivann CoinSpace doesn't send seed over email.

[jspeigner]

Just wanted to post an update here that CoinSpace is now in the Apple App Store now.

[jspeigner]

Why was this closed?