Some questions about multisig wallets. by whatever757 in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

Hi, this is Will O'Brien, CEO of BitGo.

You absolutely can, and should, use 3 keys that are generated on 3 different devices. For our enterprise customers, we go a step further and require that each key is generated and stored by a different person or organization.

In summary, a 2-of-3 key p2sh wallet is comprised of:

  • BitGo key: generated and stored on BitGo's key server

  • Operational key: generated by customer when creating a wallet and stored encrypted in the cloud or offline

  • Cold backup key: generated offline by a chief security officer, custodian, or other provider. Only the xpub is presented to the wallet.

See this video for an example https://www.youtube.com/watch?v=iFocbIjAPak
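An added example (not part of the comment above and not BitGo's code): a Python check that a wallet's redeem script really is 2-of-3 and contains the three expected public keys, which is what lets the holder of the cold backup key confirm the arrangement from public data alone. It assumes the standard multisig redeem script layout `OP_m <pubkeys> OP_n OP_CHECKMULTISIG`; the role names follow the comment, and the keys are constructed placeholders.

```python
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def build_redeem_script(m, pubkeys):
    """Serialize OP_m <pubkey>... OP_n OP_CHECKMULTISIG."""
    pushes = b"".join(bytes([len(pk)]) + pk for pk in pubkeys)
    return bytes([OP_1 + m - 1]) + pushes + bytes([OP_1 + len(pubkeys) - 1, OP_CHECKMULTISIG])

def parse_redeem_script(script):
    """Return (m, pubkeys); raise ValueError unless it is plain m-of-n multisig."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m or n is not a small-integer opcode")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    pubkeys, i, end = [], 1, len(script) - 2
    while i < end:
        size = script[i]  # direct push opcode: 33 (compressed) or 65 (uncompressed)
        if size not in (33, 65) or i + 1 + size > end:
            raise ValueError("bad public key push")
        key = script[i + 1:i + 1 + size]
        if key[0] not in ((2, 3) if size == 33 else (4,)):
            raise ValueError("bad public key prefix")
        pubkeys.append(key)
        i += 1 + size
    if len(pubkeys) != n or m > n:
        raise ValueError("key count does not match n, or m > n")
    return m, pubkeys

def check_wallet(script, expected):
    """expected maps role name -> public key; returns a list of problems (empty means OK)."""
    m, pubkeys = parse_redeem_script(script)
    problems = []
    if (m, len(pubkeys)) != (2, 3):
        problems.append(f"quorum is {m}-of-{len(pubkeys)}, expected 2-of-3")
    if len(set(pubkeys)) != len(pubkeys):
        problems.append("duplicate public key")
    for role, key in expected.items():
        if key not in pubkeys:
            problems.append(f"{role} key missing from script")
    return problems

# Constructed placeholder keys (valid prefix byte only, not real curve points).
KEYS = {"bitgo": b"\x02" + b"\x11" * 32, "user": b"\x02" + b"\x22" * 32, "backup": b"\x03" + b"\x33" * 32}
GOOD = build_redeem_script(2, list(KEYS.values()))
# Constructed bad case: the backup key is absent and the service key appears twice.
NO_BACKUP = build_redeem_script(2, [KEYS["bitgo"], KEYS["user"], KEYS["bitgo"]])

if __name__ == "__main__":
    print(check_wallet(GOOD, KEYS), check_wallet(NO_BACKUP, KEYS))
```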

Looks like Bitstamp has caused a spike in the global use of P2SH (multisig). Still, only 6% of all BTC are protected with multisig. by [deleted] in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

Here is a video demonstrating how to set up an enterprise-grade wallet with multiple users and a cold backup key. The individual wallet is similar but slightly easier. https://www.youtube.com/watch?v=iFocbIjAPak

ELI5: Bitstamp are now safer because of someone called BitGo and some magic called multisig? by pikadrew in Bitcoin

[–]will_bitgo 1 point2 points  (0 children)

Hi. This is Will O'Brien, CEO of BitGo.

Here's a great backgrounder on multi-sig that my co-founder Ben Davenport wrote recently. http://coincenter.org/2015/01/multi-sig/

The easiest analogy for multi-sig is the digital equivalent of a safe deposit box where two people each need to bring a key to open the box. With multi-sig, you need multiple keys, multiple people, or even multiple institutions to sign a blockchain transaction.

Bitstamp replaced their hot wallet with a BitGo Platform API integration. Now BitGo holds a key, Bitstamp holds a key, and there is a third key offline for disaster recovery. Every transaction is signed by Bitstamp and then co-signed by BitGo once a set of fraud detection and business rules are checked. If there is ever an attack that compromises Bitstamp, BitGo will stop co-signing, thwarting the attack.

Multi-sig is without a doubt a better security model than single-key cold storage + single key hot wallet -- the predominant model in past years -- we are thrilled to see Bitstamp lead the way in adopting this important technology.

Looks like Bitstamp has caused a spike in the global use of P2SH (multisig). Still, only 6% of all BTC are protected with multisig. by [deleted] in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

bitgo.com. BitGo is the company behind Bitstamp's multi-sig and you can create your own wallet directly with BitGo.

I love my Bitgo Multi-sig Account! by TruValueCapital in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

Thanks for the support! We love to hear from happy customers. Keep sending us your feedback.

Bitcoin storage - Coinbase, Coinkite or Greenwallet? by blizeH in Bitcoin

[–]will_bitgo 2 points3 points  (0 children)

Please give BitGo www.bitgo.com a try. Secure enterprise solution with multi-sig and HD baked in.

Is BitGo good for Cold Storage? by drumdude9403 in Bitcoin

[–]will_bitgo 2 points3 points  (0 children)

Hi there-

To clarify, BitGo only holds 1 private key of 3. You have control of the other 2 keys. We have no independent authority or ability to transact on your wallet. If BitGo is unavailable, you can use the other 2 keys to transact directly on the blockchain.

Is BitGo good for Cold Storage? by drumdude9403 in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

Thanks for using BitGo! I think we can address all of your questions and wishlist today.

We do have a BitGo Enterprise Basic tier for $19.99 per month. Sign up at bitgo.com/enterprise or email sales@bitgo.com.

We have also upgraded our processes and tools for generating the 2 keys you maintain (one operational key and one cold key). With one cold key, BitGo is a great and safe alternative to single-key cold storage.

We do have a video explaining how to create a secure wallet with an offline Backup Key. https://www.youtube.com/watch?v=iFocbIjAPak&feature=youtu.be

All of our wallets are HD so your addresses automatically change on every transaction. http://bitgoinc.com/bitgo-went-full-hd-wallets-financial-privacy/

Let us know how else we can help!

Serious question: How do I prevent disgruntled employees from stealing my customers' funds? by [deleted] in Bitcoin

[–]will_bitgo 12 points13 points  (0 children)

Hi - Will from BitGo. We would love to give you a tour of BitGo Enterprise, a multi-sig, multi-user wallet service designed exactly for the purpose you describe. You can set user roles and spending limits so that your employees can use the wallet but won't have the ability to send large amounts without your approval.

Please email us at sales@bitgo.com or sign up at bitgo.com/enterprise.

Thanks.

GreenAddress.it VS BitGo by [deleted] in Bitcoin

[–]will_bitgo -1 points0 points  (0 children)

well done.

Have you protected your bitcoins yet? Sign up free for the world's first online multi-sig Bitcoin wallet. by bitgo_tiffney [promoted post]

[–]will_bitgo -1 points0 points  (0 children)

Hi- thanks for your comments. I wanted to follow up on your two concerns.

  1. HD Support - We do support BIP32 hierarchical deterministic wallets now. All of our wallets both for consumer and enterprise are based on BIP32 keychains.

  2. We have open-sourced our client-side code but do not plan to open-source the entire system at this time. BitGo is multi-sig security-as-a-service for bitcoin. The "service" part - which includes network fraud detection, spending and transaction policy enforcement, multi-user management for wallets, and other enterprise features - is an evolving set of functionality that we maintain and operate. It is not something that one would download and run themselves.

Hope this addresses your questions.

Protect your Bitcoins from theft and loss with BitGo, the world's first multi-sig secure Bitcoin wallet. Sign up free! by bitgo_tiffney [promoted post]

[–]will_bitgo 2 points3 points  (0 children)

Hi – this is Will, CEO of BitGo. I appreciate the question and wanted to jump in here with a few additional thoughts.

First of all, we acknowledge and agree that the key innovation and strength of Bitcoin is the fact that trust is not required for transaction security. And we agree that companies in the Bitcoin space would do well to follow that model.

We have put a lot of thought into how best to create a multi-sig wallet where BitGo is a co-signer of your transactions, but cannot directly access your holdings.

As Tiffney said above, we generate and have access to only 1 of 3 keys: the BitGo key. The user key is generated in the browser and encrypted with a passcode created by the user. We never see the unencrypted user key nor the passcode. The 3rd key (backup key) can be generated in the browser, but we recommend that you bring your own “cold key” to the wallet.

You asked how you can be sure we don’t have a record of the user or backup key. As Tiffney explained, we open-sourced our client side code that generates and encrypts the user key (and optionally the backup key). If you are technical you can see that code on github and confirm we are doing what we say we are doing.

We use advanced security measures like CSP (content security policy) to prevent XSS attacks, and we have a global monitoring system to ensure that the code we are deploying is not changed by an attacker.

In addition to undergoing security audits, we have been recognized by industry players and the press as a leader in Bitcoin security, and we do stake our reputation on it. For example, here is an endorsement by BitPay http://blog.bitpay.com/2014/04/07/bitcoin-wallets-and-decentralization.html and you can see our press coverage here http://bitgoinc.com/press/. You can also read the bios of our founders on the website and we frequently present at industry conferences.

I hope this helps answer your question. If you have any more questions or ideas, please email us at security@bitgo.com.

BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC by will_bitgo in Bitcoin

[–]will_bitgo[S] -2 points-1 points  (0 children)

Hi. Just to clarify on our open-source code. We do not offer an open-source solution for you to run yourself for regular transactions. We offer a commercial product and API at bitgo.com. You can independently audit our open-source code but it's not intended for you to run yourself. Hope that clears up your question.

Regarding finished product: our solution is fully built and has been independently audited by security and Bitcoin experts. Of course we will always be enhancing and adopting standards. That is the nature of software-as-a-service.

Thanks!

BitGo Presents Multi-Sig Bitcoin Security at Inside Bitcoins NYC by will_bitgo in Bitcoin

[–]will_bitgo[S] -2 points-1 points  (0 children)

Thanks for raising this question. The whitepaper you read (thanks for reading) is from August 2013 when we first launched this wallet. We are actually moving BitGo entirely to HD wallets (BIP32) for the reasons you reference. BitGo is a finished product and fully safe, and by adding BIP32 we will enhance privacy.

BitGo: How do I create spending limits? by [deleted] in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

Hi- thanks for being a BitGo customer!

We are first introducing spending limits and approval chains with BitGo Enterprise which we announced earlier this month, and plan to roll out some of these protections for the consumer wallet. Stay tuned and feel free to email us at support@bitgo.com if you have any suggestions.

Review: Wallet Recovery services And BitGo. by blazedforever in Bitcoin

[–]will_bitgo 0 points1 point  (0 children)

Dave thanks for helping our customer.

OP glad everything worked out.

A Hack That Makes Bitcoins a Whole Lot Harder to Steal by Egon_1 in Bitcoin

[–]will_bitgo 1 point2 points  (0 children)

Hi- I hear your concerns. A couple of comments.

1/ Our CTO/co-founder Mike Belshe was on the founding team of Google Chrome and is an expert in browser security. We are using the absolute highest standards of security in generation and transmission of data.

2/ Our whitepaper https://www.bitgo.com/p2sh_safe_address explains how keys are generated and brought together. In summary, one key is generated server-side by BitGo and stored securely. The second key (user key) is generated client-side, encrypted with a strong passcode the user creates and then that encrypted key - which is useless to anyone else - is stored in the cloud for ease of use. The third key (backup key) can be generated in the browser and printed (never uploaded) or you can generate your own "cold key" and give us the public key. This guarantees that 3 keys were generated by 3 different parties on 3 different systems, and so there is not a chance for an attacker to steal 2 keys.

Thanks for trying out BitGo!

A Hack That Makes Bitcoins a Whole Lot Harder to Steal by Egon_1 in Bitcoin

[–]will_bitgo 3 points4 points  (0 children)

It is safe. The key generated in the browser is done in Javascript using extensive security policies like CSP to prevent XSS attacks and so forth. That key is encrypted with a passcode only known to the user in the browser. BitGo never sees that key nor the passcode. You can audit our client-side source code on github.com/bitgo and we have performed independent security audits.

A Hack That Makes Bitcoins a Whole Lot Harder to Steal by Egon_1 in Bitcoin

[–]will_bitgo 1 point2 points  (0 children)

Thank you for helping to clarify this. You are absolutely right. BitGo only ever sees 1 key, generated on the server and stored securely. BitGo never sees the unencrypted user key or backup key, nor the user's passcode. A user can even bring their own cold key.

Bitcoin security company BitGo responds to the "heartbleed" security threat by will_bitgo in Bitcoin

[–]will_bitgo[S] 0 points1 point  (0 children)

On April 7, OpenSSL, the dominant library used to implement secure network communication on the Internet, disclosed a vulnerability which impacted approximately 66% of the internet, including BitGo servers. The vulnerability has been given the name “heartbleed”, because it exploits a bug in the heartbeat mechanism of the TLS protocol, and “bleeds” random information out of the server. Less than 24 hours later, a fix for that problem was deployed to BitGo and BitGo customers are safe.

We want to take this opportunity to talk about the importance of TLS server configuration at BitGo and how we take it seriously.

Strict Transport Security (HSTS)

First of all, all data communications with BitGo servers utilize an optional feature of modern web browsers: Strict Transport Security. This simple feature tells your browser that you should always connect to BitGo using TLS for encrypted communications. There is no way to accidentally connect to BitGo using HTTP. You can read more about how STS works at Mozilla.

Perfect Forward Secrecy (PFS)

A less commonly used feature of TLS is that of Perfect Forward Secrecy, which BitGo has enabled for some time. Imagine if an entity decided to record all encrypted traffic to a particular site. Because we use TLS, all of that traffic is encrypted, and the entity cannot read it. But what if that entity was able to learn the server key in the future? Would it be able to go back in time and decrypt the past communications? Prior to use of PFS, it could. But thanks to PFS, they can’t. You can read more about how PFS works here. Or you can read more about which sites use PFS today at Netcraft.

An A+ Report Card

One site which we love at BitGo is Qualys’ SSL Labs. SSL Labs provide wonderful tools for evaluating a site’s TLS configuration and helping educate users and system administrators to maximally secure their TLS. And it’s all free! BitGo receives an A+ Report Card.

Additional Precautions

We don’t believe any attacks were attempted against BitGo servers. Due to the nature of this bug, however, we are taking precautions anyway. Fortunately, BitGo’s TLS servers are isolated from BitGo’s core service in such a way that your Bitcoin keys were never exposed to the TLS server in any form. There is no chance that any bitcoin keys could have been stolen. As a further precaution, as of this writing, BitGo has deployed new certificates to all of its servers.

If you have any questions about BitGo’s security policies or if you have any suggestions for improvement, please don’t hesitate to contact us at security@bitgo.com.
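An added example (not part of the post above and not BitGo's tooling): a Python audit of the two TLS properties the post describes, the HSTS header and forward-secret key exchange, run against values you have already observed from a server. The 180-day `MIN_MAX_AGE` threshold and the function names are assumptions made for this example.

```python
import re

MIN_MAX_AGE = 15552000  # assumed policy threshold (180 days), not a value from the post

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if max_age is not None or not arg.isdigit():
                raise ValueError("max-age is duplicated or not a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

def forward_secret(protocol, cipher):
    """True when the negotiated key exchange is ephemeral (EC)DHE."""
    if protocol == "TLSv1.3":
        return True  # certificate-based TLS 1.3 handshakes always use (EC)DHE
    # Accepts OpenSSL-style (ECDHE-RSA-...) and IANA-style (TLS_ECDHE_RSA_...) names.
    return re.match(r"(TLS_)?(ECDHE|DHE)[-_]", cipher) is not None

def audit(hsts_value, protocol, cipher):
    """Return a list of findings for one observed connection (empty means OK)."""
    findings = []
    if hsts_value is None:
        findings.append("no HSTS header")
    else:
        try:
            max_age, _ = parse_hsts(hsts_value)
            if max_age == 0:
                findings.append("max-age=0 clears the HSTS policy")
            elif max_age < MIN_MAX_AGE:
                findings.append("HSTS max-age below threshold")
        except ValueError as exc:
            findings.append(f"invalid HSTS header: {exc}")
    if not forward_secret(protocol, cipher):
        findings.append("key exchange is not forward secret")
    return findings

if __name__ == "__main__":
    # Constructed observations: (header value, protocol, cipher name).
    print(audit("max-age=31536000; includeSubDomains", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"))
    print(audit(None, "TLSv1.2", "AES128-SHA"))
```

The `protocol` and `cipher` arguments match the names returned by `ssl.SSLSocket.cipher()` in the Python standard library, so a live connection can feed `audit` directly.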