The Bitcoin private keys are created and encrypted on the user's machine, in JavaScript (Chrome extension available).
Those companies have custody of the user's private keys, meaning that there exists the potential for government seizure / hacking theft of users' coins.
In other words, exactly like the first Bitcoin wallet ever created (Satoshi's), but less secure (subject to the JavaScript being MITM'd, something breaking out of its JS sandbox and getting your private keys, keys being recovered from de-allocated memory because they can't be wiped by JS, etc.)
I'm just not a big fan of blockchain.info, so I have a strong reaction to midas's gushing above. What does blockchain.info do that "wasn't possible before"? It can't take credit for Bitcoin itself. It's like an online bank? Doesn't seem very innovative in that sense.
Again, the things that might seem like pluses (being able to access your bitcoins from any computer with an internet connection and a browser; keeping your own keys) are also really dangerous. I'd rather just use an actual application that lets me keep my own keys, without being subject to the browser's attack surface.
Heh, just noticed you work for Blockchain Ltd. I may have been a bit nicer in my last comment had I noticed. Anyway, it's worth noting that your users are still vulnerable to a Lavabit-style seizure (or hack from anyone) of your private keys, with the intent of pushing out modified JS to seize coins or track users. It's my understanding that the purpose of the Chrome extension is to prevent tampering[1], but if the authorities are really serious, they could also coerce/compromise Chrome Web Store into putting out a malicious update, signed by your seized private key.
Which authorities and laws is the company subject to?
