Geeze only 98% saturation??? You could still shovel a page or two out with that!! *ducks*

I also want to know exactly how this works.  If the encrypted blob is just sent then all anyone ever needs to do is visit the wallet URL one time and they have your encrypted blob.

Reportedly, Google harvests all URLs pasted into Chrome (as the URL bar and search bar is the same, and their server determines if it is an url).  Possibly they also harvest URLs from Google Mail (when you email the url to yourself).  This is probably how 3000 Instawallet URLs became searchable on Google.

Still down for me.  Is it still down for everyone else as well?

the source code is here: https://github.com/blockchain/My-Wallet/blob/master/wallet.js

the wallet clientside javascript sends the 2FA and the ID over and gets an encrypted wallet blob back - the password is never sent to blockchain.info

Sounds like enabling 2FA does defend against a certain class of offline attacks, especially when your wallet has an easily guessable identifier.

Will

Yup - this is also specifically stated in the help pages:

What if an attacker knows my wallet identifier?

If you do not have two factor authentication enabled, the attacker can gain access to your encrypted wallet data. The attacker can then attempt to decrypt your wallet by brute force. Whether or not the attacker would be successful depends on how secure your password is.

What it doesn't really emphasise is that wallet nickname == wallet identifier so if you've used e.g. a public wallet nickname (bitcointalk forum name) and haven't enabled 2FA then this does lower the bar for an attacker to perform an offline bruteforce.
 
Will

I personally use Lastpass for the site, including a 2FA Gauth as I trust Lastpass.

Blockchain.info seems down? I just get a CloudFlare page saying it's down and no cached version is available... right when I wanted to login to my wallet...

Correct this is the primary purpose of blockchain 2FA. Which Scenario? It prevents someone being bale to attempt to bruteforce the wallet if they know the alias or guid.


Could be many things. Is her PC clean? Is her email secure? She might have visited a phishing sites (some based on domain misspellings). Does she reuse the password on other sites?

Did she purchase and import the private key from somewhere? some sites encourage you to import a private key containing purchased coins.


I think a good way to counter this would be for blockchain to recognise the browser the normally logs into the wallet and challenge unknown browsers by confirming an email or SMS code. This would place less emphasis on the need to keep the alias or guid secure.