From Unchained, by Phil Geiger
As bitcoin continues to increase in value, so does the sophistication of attacks targeting bitcoin users. At Unchained, we recognize the need for enhanced security measures to combat these threats. Our team has been diligently working on new features that could be widely implemented to protect all bitcoin users, particularly those who rely on browser-based wallets. As far back as 11 years ago, browser extensions have been known to steal bitcoin, highlighting the persistence of browsers as a vulnerability for your life savings.
Today we’re introducing a new security feature: the ability to confirm bitcoin deposit addresses via email. This new feature is one of many tools you can use to avoid being tricked by a malicious browser extension or other malware into sending bitcoin to the wrong address.
Building on our open source work
Our efforts to improve deposit address verification build on four years of collaborations with leading teams, including SatoshiLabs and Ledger, to empower users to verify multisignature addresses directly using their hardware wallets. However, many users prefer to geographically separate their hardware wallets for added security, and we wanted to provide a supplemental solution to the guarantees you receive from checking physical devices.
Millions of users rely on browser-based tools, such as exchanges, and could benefit from reliable methods to confirm the validity of addresses displayed on their screens—especially when dealing with irreversible transactions. We hope that this feature inspires other browser-based bitcoin tools to implement similar features.
Why you should always confirm deposit addresses
Bitcoin transactions are immutable, so sending bitcoin to the wrong address can result in permanent loss. This is why you should always confirm your deposit address: it’s a simple way to know with higher confidence that the address is valid and that you aren’t sending bitcoin to an address injected by malware.
Both confirming with hardware wallets and confirming with email can help protect you from accidentally sending bitcoin to an attacker if your computer is infected with malware. However, confirming deposit addresses via email does not give you the same guarantees as confirming addresses with hardware wallets.
Additional benefits of confirming addresses with hardware wallets include:
- Confirm that you have keys to the address: Using hardware wallets ensures that the address shown is controlled by your keys.
- Verify that the address was built correctly: In multisig, you need to know that your address is 2-of-3, for example, and not 2-of-5 where an attacker has added 2 more of their keys and actually controls the funds. Only confirming on a hardware wallet gives you this guarantee.
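To make the second point concrete, here is an added example (not Unchained's code) of the kind of check that catches a 2-of-5 address presented in place of your 2-of-3. It assumes a P2WSH multisig with BIP67-sorted keys; the function names are hypothetical and the keys are constructed placeholders.

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)

def _polymod(values):
    chk = 1
    for v in values:
        top, chk = chk >> 25, (chk & 0x1ffffff) << 5 ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def segwit_v0_address(program, hrp="bc"):
    """Bech32-encode (BIP173) a witness v0 program such as a P2WSH script hash."""
    pad = -8 * len(program) % 5  # zero-pad to a multiple of 5 bits
    n = int.from_bytes(program, "big") << pad
    data = [0] + [(n >> s) & 31 for s in range(8 * len(program) + pad - 5, -1, -5)]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    pm = _polymod(expanded + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def p2wsh_address(script):
    return segwit_v0_address(hashlib.sha256(script).digest())

def multisig_script(m, pubkeys):
    """Witness script: OP_m <33-byte keys, sorted per BIP67> OP_n OP_CHECKMULTISIG."""
    body = b"".join(b"\x21" + k for k in sorted(pubkeys))
    return bytes([0x50 + m]) + body + bytes([0x50 + len(pubkeys), 0xAE])

def parse_multisig(script):
    """Recover (m, keys) from a script of the form built above, or raise."""
    m, n, body = script[0] - 0x50, script[-2] - 0x50, script[1:-2]
    pushes = [body[i:i + 34] for i in range(0, len(body), 34)]
    if (script[-1] != 0xAE or not 1 <= m <= n <= 16 or len(body) != 34 * n
            or any(p[0] != 0x21 for p in pushes)):
        raise ValueError("not a standard m-of-n multisig script")
    return m, [p[1:] for p in pushes]

def check_deposit_address(shown, script, my_keys, quorum):
    """True only if script is quorum-of-n over exactly my_keys and hashes to `shown`."""
    m, keys = parse_multisig(script)
    return m == quorum and sorted(keys) == sorted(my_keys) and p2wsh_address(script) == shown

# Constructed 33-byte placeholder keys (not real curve points).
MINE = [bytes([2]) + bytes([i]) * 32 for i in (1, 2, 3)]
ATTACKER = [bytes([3]) + bytes([i]) * 32 for i in (8, 9)]
```

With `bad = multisig_script(2, MINE + ATTACKER)`, the call `check_deposit_address(p2wsh_address(bad), bad, MINE, 2)` returns `False`: the address is well-formed, but its script is 2-of-5 and includes keys outside `MINE`.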
Disclaimer: This specification is preliminary and is subject to change at any time without notice.