April 28th 2014
In the MultiBit 0.5.18 release there are two changes we have made to improve the safety of your private keys:
Recently a user found that one of their private keys was incorrect and Mike Hearn, a core Bitcoin developer, kindly performed forensics on the issue. He discovered that the user had performed an import of a Blockchain.info encrypted wallet backup into MultiBit which had resulted in a corrupted private key.
Unfortunately the original import file is no longer available for study. Blockchain.info developers were asked if anything had changed in their export formats recently but nothing has. As a result the exact cause of the error cannot be precisely established. The error was not repeatable within the available time for the investigation.
It is of critical importance that private keys are kept secret and safe. Therefore to avoid this happening to any user in the future we have removed the ability to import Blockchain.info 'json' and 'json.aes' wallet backups into MultiBit.
In the early days of Bitcoin this functionality helped improve the resilience of the Bitcoin ecosystem. Should Blockchain.info be subject to a concerted attack (such as a denial of service attack or similar) users would have been able to migrate their private keys into MultiBit. Over time Bitcoin has matured and this is no longer necessary. With HD wallets, private key imports will all but disappear.
For some time there have been alternate ways to recover Blockchain.info private keys. One example is Blockchain.info's own static wallet decryption page. Users can keep a local copy of this page on a secure machine for emergency use.
Overall, by removing this outdated option from MultiBit we close down a potential error path for our users and thus further improve reliability.
So far we have seen only a single case of this particular error occurring. It is entirely natural for MultiBit users who have also imported private keys from Blockchain.info to want to check that their wallet is OK. To support our users in this we have added an integrity checking utility into MultiBit 0.5.18. It can be accessed through "Tools | Check Private Keys".
This utility cross-checks the wallet's private keys with the wallet's receiving addresses by recalculating everything from scratch and reporting any issues.