Added CoinJar as a web wallet resource. #737

Closed

shibco commented Feb 6, 2015

Pretty straightforward! Added appropriate information as directed.

harding added the Wallets label Feb 7, 2015

shibco (Author) commented Feb 10, 2015

Hi all, any progress on this?

harding (Contributor) commented Feb 10, 2015

@helveticade I haven't had a chance to perform a review yet, but I just took a quick look. One blocking issue is that CoinJar doesn't seem to support HSTS for its servers. You can see this for yourself by clicking on one of the results from this page, scrolling to the Protocol Details section, and looking at the item named "Strict Transport Security (HSTS)". For CoinJar's servers, it says, "No".

According to our policy, "websites serving executable code or requiring authentication must use HSTS with a max-age of at least 180 days."

Are you able to ask CoinJar to enable HSTS on their servers? Based on some of the other features they use on their servers, I don't think it would be complicated for them.
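The policy quoted in the comment above (HSTS with a max-age of at least 180 days) can be checked mechanically from a response's headers. The following is an added example, not part of the original thread or the project's own tooling; the function names and sample headers are constructed for illustration.

```python
import re

MIN_MAX_AGE = 180 * 24 * 60 * 60  # 180 days in seconds, the policy minimum

# directive = token [ "=" ( token / quoted-string ) ]   (RFC 6797, section 6.1)
_DIRECTIVE = re.compile(
    r'^([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)(?:\s*=\s*(?:"([^"]*)"|([^\s;"]+)))?$')


def parse_hsts(value):
    """Return {directive: value-or-None}, or None if a browser would reject it.

    Simplification: a quoted value containing ';' is not handled.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive may appear only once
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return directives


def check_policy(headers):
    """Return (ok, reason) for a list of (name, value) response headers."""
    sts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not sts:
        return False, "no HSTS header"
    parsed = parse_hsts(sts[0])  # browsers process only the first STS field
    age = (parsed or {}).get("max-age") or ""
    if not (age.isascii() and age.isdigit()):
        return False, "invalid HSTS header"
    if int(age) < MIN_MAX_AGE:
        return False, f"max-age {int(age)}s is below 180 days"
    return True, f"max-age {int(age)}s"


if __name__ == "__main__":
    # Constructed response headers, not captured from any real server.
    for hdrs in ([("Content-Type", "text/html")],
                 [("Strict-Transport-Security", "max-age=86400")],
                 [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]):
        print(check_policy(hdrs))
```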

harding (Contributor) commented Feb 10, 2015

@helveticade oh, I forgot to say: thanks for submitting this wallet proposal!

ghost1542 (Contributor) commented

For the record, the current CEO of CoinJar (Zhou Tong) was previously the CEO of Bitcoinica, a service that suffered significant failures. So I wasn't sure if CoinJar could be added as per this requirement:

"No indication that users have been harmed considerably by any issue in relation to the wallet"

However, unless I'm mistaken somewhere or someone disagrees, I think the following facts could be enough to say CoinJar could pass (or eventually pass) this requirement (note: I haven't reviewed other requirements).

  • CoinJar is a different service run by a different team, not just a rebranding.
  • CoinJar has been operating for nearly 2 years without apparent issues.
  • Accusations against Zhou Tong apparently weren't founded [1] despite initial suspicions [2].

[1] https://bitcoinmagazine.com/1805/bitcoinica-stolen-from-again/
[2] https://bitcointalk.org/index.php?topic=95738.0

shibco (Author) commented Mar 31, 2015

Sorry it's taken a while to get back to you about this.

CoinJar is in the process of implementing HSTS and stronger password policies.

@saivann, you're right to be concerned about the questions re: Ryan Zhou's past. The three points you mention are well reasoned. If I can add to this – Ryan is a co-founder but is not the CEO, and shares the responsibilities of the company with others.

You guys rock for your diligence here, btw. I'll post an update when HSTS is implemented.

shibco (Author) commented May 12, 2015

Hi all!

CoinJar has updated with HSTS support and stronger password policies! Are we able to merge this PR now or do you need more info?

harding (Contributor) commented May 16, 2015

@helveticade no one is currently available to review CoinJar. (Sorry.) I'm going to tag this as help needed until someone is available. Thanks for your patience.
