Is there an alternative to MultiBit?

-4

1

As of a few days ago, Bitcoin.org offers MultiBit instead of Bitcoin-Qt on its website: http://bitcoin.org/en/choose-your-wallet

I do not wish to install MultiBit because it requires Sun Java to be preinstalled.

As we all know, Sun Java is full of security holes/exploits, and according to The H Security at http://www.h-online.com/security/ Oracle has not patched all of them. How can we trust our money with software that is full of security issues? (Note: Sun Java is proprietary software and end users are at the mercy of Oracle when it comes to fixing bugs.)

I hope the developers of MultiBit will drop the Java prerequisite in their next software version.

user5556

Posted 2013-07-06T10:05:40.470

Reputation: 179

3 Security issues in Java aren't really relevant for desktop programs, as desktop programs already have full access to your computer. – Tom van der Woerdt 2013-07-06T11:50:08.837

1

If you want an open source alternative to the Oracle JDK there is also OpenJDK (for Linux). https://en.wikipedia.org/wiki/OpenJDK

jim618 2013-07-06T15:31:18.813

@Tom van der Woerdt: It doesn't matter whether desktop programs already have full access to my PC. If Java has security issues, it has issues. – user5556 2013-07-07T10:59:19.920

@jim618: I'm using Microsoft Windows 7. I don't think OpenJDK has support for Microsoft Windows. – user5556 2013-07-07T11:00:40.033

1 @user5556 The Java browser plugin has security issues, not the JRE itself. – Tom van der Woerdt 2013-07-07T11:19:24.097

2 @user5556 With that logic about Java, you should stop using Windows then since it has security vulnerabilities. Oracle's insecure browser plugin has absolutely nothing to do with the security of Java. – TheLQ 2013-07-09T02:16:55.410

@TheLQ: The difference between Microsoft and Oracle is that the former issues patches on a regular basis (the second Tuesday of the month) and almost immediately or the day after for the most important/significant security holes. – user5556 2013-07-10T12:02:42.147

Also, if you care about things being proprietary then why do you even use Windows instead of Linux... – stommestack 2013-07-10T19:39:29.357

@Jop: You got me wrong. I am not against using proprietary software. It is only when companies like Oracle do not take security issues seriously (as compared to Microsoft) that I hesitate to use Sun Java. – user5556 2013-07-15T11:55:09.533

This is more of a continuation of the question than an answer, but I have to ask: (I understand that Java "in the browser" is the security problem, not the desktop version. However, I have not used Java in a long time.) MultiBit says it is good for Mac OSX 10.3 through 10.8. I have 10.4. On installing MultiBit I got an alert telling me I need Java 1.6 and that I have 1.5 (I see 1.42 and 5.0, not 1.5). I tried MultiBit 4.x and got the same alert. The question: Where can I find the version of Java that will work? Oracle says the latest version requires OSX 10.7 or later, and "previous" does not – None – 2013-08-12T22:38:44.113

@newtoBTC You can update Java to 6 using Software Update. – stommestack 2013-08-13T07:27:34.190

Answers

3

As per the comments to your main question, it is mainly the Java browser plugin that is the problem. I advise you not to have that running.

Java for a desktop application is more like a supporting library to the applications you are installing. The usage is different.

It is a good idea to be security conscious with Bitcoin software - the question to ask is: How can rogue code get to run on my machine ?

If you download MultiBit from https://multibit.org (and check its SHA256 hash and/or signature) and download the JDK from a reputable source then you know what you are running.

All that being said, if you still do not want to install Java then I would have a look at Electrum (http://electrum.org) and see if that meets your needs.

jim618

Posted 2013-07-06T10:05:40.470

Reputation: 3 205

1 "If you download MultiBit from https://multibit.org (and check its SHA256 hash and/or signature) and download the JDK from a reputable source then you know what you are running" I'm using Microsoft Windows 7 and the only Java that is available for it is Oracle's. Sadly the company has not fully patched all the security holes revealed so far. – user5556 2013-07-07T11:04:24.720

1 I have just surfed to Electrum's website. It seems that it only offers an online wallet. I prefer to store my Bitcoins on my PC, not on some remote server. I can't afford to take any risks. – user5556 2013-07-07T11:22:06.740

@user5556 Here's an open source JDK: https://github.com/alexkasko/openjdk-unofficial-builds#openjdk-unofficial-installers-for-windows-linux-and-mac-os-x It doesn't have the browser plugin and thus not the security issues.

stommestack 2013-08-13T07:29:28.417

@user5556: In Electrum the bitcoins are stored on your PC. You just use them with the help of a remote server for convenience, but it cannot take them, and you can use them without the remote server. – Meni Rosenfeld 2013-08-13T08:24:35.670

3

If Java is your only concern, just use MultiBit. It is safe to install Java. It's a common myth that Java is insecure. It is not. Only the browser plugin of Java is insecure. So, just install Java and then disable its browser plugin.

EDIT: The makers of Multibit confirm this.


EDIT: Also, you say Java is proprietary software. It is. However, Sun made an open source version of it, OpenJDK. It doesn't include the browser plugin. In case you don't use Linux or BSD: It's only for Linux and BSD however, but the closed one (that is also available for Windows and Mac OS X) is largely based on the same source code, according to OpenJDK's webpage.

You also say "I hope the developers of MultiBit will drop the Java prerequisite in their next software version.". I hope you realise that would require a total (and unnecessary) rewrite of MultiBit?

stommestack

Posted 2013-07-06T10:05:40.470

Reputation: 286

@Pieter Wuille and Jop: If I were the chief developer of MultiBit, I would definitely rewrite the whole software. Why? Security must be the most important consideration especially when we are talking about money and how to store them safely. – user5556 2013-07-10T11:59:23.273

@user5556 You didn't read my answer except for the last line didn't you? Java isn't insecure, it's only the browser plugin. It's completely safe to install it. Just remove the browser plugin afterwards. – stommestack 2013-07-10T12:12:23.173

@user5556 Seriously, there is no point in not writing a piece of software in Java just because of the non-existent security problem. – stommestack 2013-07-10T12:30:17.077

+1 for @Jop for clarifying the "Java is insecure" myth. Java on websites is insecure, Java on desktops is not. – spuder 2013-08-13T01:34:05.020

0

Most of you got this wrong!

When it comes to Bitcoin, security must come first. It has become the target of many black hats lately.

While it is true that most of the security concerns with Java are based around the browser plugin, with MultiBit the issue is even worse - because what bitcoin clients (even multibit) do is they connect to IRC to gather network updates, and they work as both a network client (connect to other nodes and ask for data) and as a server (ready to give data to others). This makes the user even more vulnerable, because they might not even know that they are running in fact a server software on their desktop. Note: it is possible Multibit doesn't have the server part as it doesn't store the whole chain, that would not help much, though.

Zviratko

Posted 2013-07-06T10:05:40.470

Reputation: 1

Multibit is a thin SPV client, so it does not act as a server. Nevertheless, it is a complex network application, so it's certainly appropriate to be concerned about the security of both the application code itself and the underlying technology (Java) as well. Just the fact that the "web plugin Java" is the vulnerable one does not mean the "desktop Java" is bulletproof. The only way to find out is to audit the code, which is obviously not feasible with the original (nonfree) Java VM implementation. – Jozef 2014-10-19T12:30:51.397