Topic: [ANN] Instawallet will be down for a few hours

legendary
Activity: 1372
Merit: 1007
1davout
Oh, yeah, that would be a problem indeed.
Previously these strings were passed as account names to the bitcoin client.
And I think it's wiser not to trust the JSON-RPC API to properly sanitize everything in every possible edge case.
legendary
Activity: 1400
Merit: 1005
I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?
How short are the short ones?

Just make the calculation complex enough to where brute-forcing it would be impossible.

You used to be able to make them 1 character even.
Oh, yeah, that would be a problem indeed.
legendary
Activity: 1246
Merit: 1014
Strength in numbers
I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?
How short are the short ones?

Just make the calculation complex enough to where brute-forcing it would be impossible.

You used to be able to make them 1 character even.
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
And regarding the discussions about what would happen in the case Instawallet's service was to be discontinued here's what we would do :
  • A notice would be posted a long time in advance,
  • We would generate a private key for each account, in a publicly documented way, using the wallet URL as seed,
  • We'd compute the public key from the private key,
  • We'd compute the address from the public key,
  • We'd send the balance to this generated address,
  • And that's it!

Now all you'd need to regain control of your coins is to follow the steps using your wallet key, you'll get a private key you can import into any client, or into any service.

Even a user without any technical knowledge could use a third-party service that could perform these steps given a wallet URL, for a fee obviously, but in perfect market conditions, therefore the fee would always be as competitive as possible.

Thoughts ?

That's smart.

It is very smart and only possible with bitcoin. You can go offline without people losing access to their coins :)

I think this is the most noble of all possible solutions. With your solution coins people forgot will really be lost (until computers can brute force those by then weak keys). I guess I would have a problem seeing lost coins and count on x% never asking back their money. Most likely you could even get an insurance for that x% risk.
legendary
Activity: 1372
Merit: 1007
1davout
Just make the calculation complex enough to where brute-forcing it would be impossible.
Yep, just replace SHA256 by bcrypt in my original idea and we're good to go :)
legendary
Activity: 1400
Merit: 1005
I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?
How short are the short ones?

Just make the calculation complex enough to where brute-forcing it would be impossible.
legendary
Activity: 1372
Merit: 1007
1davout
I'm disappointed. At least allow us to do it at our own risk.
The point is not to protect users against themselves, I hate it when applications try to do that.
The rationale behind it is to protect the backend against malicious input.

That doesn't mean we can't create whatever custom wallet ID you desire for you (and for anyone who requests so) if it makes you happy :D
donator
Activity: 308
Merit: 250
I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?
Yes.

That's part of the security improvements.
I'm disappointed. At least allow us to do it at our own risk.
legendary
Activity: 1372
Merit: 1007
1davout
I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?
Yes.

That's part of the security improvements.
legendary
Activity: 1246
Merit: 1014
Strength in numbers
I'd imagine attackers can check bitcoin keys a lot faster than they can try to access instawallets. Short ones will become more vulnerable.

Ah, I was just trying things out and it seems you can't make a new wallet with your own private part anymore? Is that intended?
legendary
Activity: 1400
Merit: 1005
And regarding the discussions about what would happen in the case Instawallet's service was to be discontinued here's what we would do :
  • A notice would be posted a long time in advance,
  • We would generate a private key for each account, in a publicly documented way, using the wallet URL as seed,
  • We'd compute the public key from the private key,
  • We'd compute the address from the public key,
  • We'd send the balance to this generated address,
  • And that's it!

Now all you'd need to regain control of your coins is to follow the steps using your wallet key, you'll get a private key you can import into any client, or into any service.

Even a user without any technical knowledge could use a third-party service that could perform these steps given a wallet URL, for a fee obviously, but in perfect market conditions, therefore the fee would always be as competitive as possible.

Thoughts ?
Perfect, thanks for providing a good solution to that problem. ;)
legendary
Activity: 1246
Merit: 1014
Strength in numbers
And regarding the discussions about what would happen in the case Instawallet's service was to be discontinued here's what we would do :
  • A notice would be posted a long time in advance,
  • We would generate a private key for each account, in a publicly documented way, using the wallet URL as seed,
  • We'd compute the public key from the private key,
  • We'd compute the address from the public key,
  • We'd send the balance to this generated address,
  • And that's it!

Now all you'd need to regain control of your coins is to follow the steps using your wallet key, you'll get a private key you can import into any client, or into any service.

Even a user without any technical knowledge could use a third-party service that could perform these steps given a wallet URL, for a fee obviously, but in perfect market conditions, therefore the fee would always be as competitive as possible.

Thoughts ?

That's smart.
legendary
Activity: 1372
Merit: 1007
1davout
And regarding the discussions about what would happen in the case Instawallet's service was to be discontinued here's what we would do :
  • A notice would be posted a long time in advance,
  • We would generate a private key for each account, in a publicly documented way, using the wallet URL as seed,
  • We'd compute the public key from the private key,
  • We'd compute the address from the public key,
  • We'd send the balance to this generated address,
  • And that's it!

Now all you'd need to regain control of your coins is to follow the steps using your wallet key, you'll get a private key you can import into any client, or into any service.

Even a user without any technical knowledge could use a third-party service that could perform these steps given a wallet URL, for a fee obviously, but in perfect market conditions, therefore the fee would always be as competitive as possible.

Thoughts ?
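
The private-key step of the shutdown procedure above, with the KDF swap suggested elsewhere in the thread, as an added example that is not Instawallet's code or part of the original post. It assumes PBKDF2-HMAC-SHA256 as a standard-library stand-in for bcrypt and a hypothetical published salt and iteration count; the public-key and address steps are left out.

```python
import hashlib
import math

# secp256k1 group order: a valid Bitcoin private key k satisfies 1 <= k < N
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Assumption: salt and work factor are fixed and published, so that any user
# or third party can repeat the derivation after the service is gone.
PUBLIC_SALT = b"example-shutdown-derivation-v1"
ITERATIONS = 200_000

def derive_private_key(wallet_id: str, slow: bool = True) -> int:
    """Map a wallet ID (the secret part of the wallet URL) to a private key."""
    seed = wallet_id.encode("utf-8")
    if slow:
        # Stand-in for bcrypt: every guess costs ITERATIONS HMAC rounds.
        digest = hashlib.pbkdf2_hmac("sha256", seed, PUBLIC_SALT, ITERATIONS)
    else:
        # Fast variant: one SHA-256 per guess, which is what makes short IDs weak.
        digest = hashlib.sha256(seed).digest()
    k = int.from_bytes(digest, "big")
    while not 1 <= k < N:  # re-hash in the astronomically rare out-of-range case
        digest = hashlib.sha256(digest).digest()
        k = int.from_bytes(digest, "big")
    return k

def to_wif(k: int) -> str:
    """Encode a private key in Wallet Import Format (mainnet, uncompressed)."""
    if not 1 <= k < N:
        raise ValueError("private key out of range")
    payload = b"\x80" + k.to_bytes(32, "big")
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num = int.from_bytes(payload + checksum, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out  # payload starts with 0x80, so no leading-zero padding is needed

def guess_space_bits(id_length: int, alphabet_size: int = 62) -> float:
    """Upper bound on the entropy of a random ID of this length."""
    return id_length * math.log2(alphabet_size)

if __name__ == "__main__":
    wallet_id = "constructed-example-wallet-id"  # constructed sample, not a real ID
    print(to_wif(derive_private_key(wallet_id)))
    print(f"1-char ID: {guess_space_bits(1):.1f} bits, 22-char ID: {guess_space_bits(22):.1f} bits")
```

The slow KDF only multiplies the cost of each guess; a one-character ID stays guessable whatever the work factor.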
legendary
Activity: 1372
Merit: 1007
1davout
Website is popping up warnings that "This Connection is Untrusted" which I have never seen before, and also when I try to check the certificates, there are none, and the https site is showing as unencrypted....
The connection to Instawallet is always SSL enabled.
However, I forgot to add the full certificate chain in addition to the actual certificate which caused some browsers to complain, it's now fixed, you shouldn't see any warnings anymore.

BTW, currently our certificate is only valid for https://instawallet.org, and not for https://www.instawallet.org, we're in the process of getting a proper wildcard certificate.

Thank you for pointing that out :)
member
Activity: 128
Merit: 10
Website is popping up warnings that "This Connection is Untrusted" which I have never seen before, and also when I try to check the certificates, there are none, and the https site is showing as unencrypted....
legendary
Activity: 1400
Merit: 1005
I don't know what you mean by "some law" would kick in.  There's no laws about requiring a company to provide access to digital files in the event of a shutdown, as far as I know.  Correct me if I am wrong.

As another example, if you fail to pay the rent on a storage unit, your stuff cannot be reclaimed after it is auctioned off.  There has to be a reasonable cutoff of time where the entity storing your stuff is no longer responsible for it.  You shouldn't expect instawallet to continue to provide you access to your coins, even manual access, for the rest of your lifetime.

Ok, I always take it for granted that bitcoin is money, which it is not legally. Imagine a bank that fails to ask your name and address that wants to close down. Should they be allowed to leave with your money?

I am not a lawyer but if I borrow some $$ from you and you never ask it back I am sure there is some law regulating at which point in time the money is legally my money. This is different in different countries and as long as Bitcoin is not money, other regulations might apply but I'm pretty sure not returning the coins now would be a crime by some law even as it is only some bits.
Right, that's why I'm not sure that a law would apply.  It could, I just think that making an assumption about it would be wrong.

Regardless of what laws do or do not exist, I'd just like to see clarification in the ToS about how long coins will be made available in the event of a site shutdown, what happens if the coins are lost in a hack, etc etc.  Spell out all the details.
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
I don't know what you mean by "some law" would kick in.  There's no laws about requiring a company to provide access to digital files in the event of a shutdown, as far as I know.  Correct me if I am wrong.

As another example, if you fail to pay the rent on a storage unit, your stuff cannot be reclaimed after it is auctioned off.  There has to be a reasonable cutoff of time where the entity storing your stuff is no longer responsible for it.  You shouldn't expect instawallet to continue to provide you access to your coins, even manual access, for the rest of your lifetime.

Ok, I always take it for granted that bitcoin is money, which it is not legally. Imagine a bank that fails to ask your name and address that wants to close down. Should they be allowed to leave with your money?

I am not a lawyer but if I borrow some $$ from you and you never ask it back I am sure there is some law regulating at which point in time the money is legally my money. This is different in different countries and as long as Bitcoin is not money, other regulations might apply but I'm pretty sure not returning the coins now would be a crime by some law even as it is only some bits.
legendary
Activity: 1400
Merit: 1005
Well, I just picked an arbitrary deadline that would be acceptable to me.  But I see your point.  OTOH, they can't just be forced to host the site forever in the event that they want to shut it down, so what is your counter-proposal for a reasonable ToS in the event of a site shutdown?
As I said: If they really discontinue the cool service and can't (legally?) keep up the site for cash out only, I would expect to see some manual processing to kick in that would also be ok to cost a certain fee.

If they post beforehand that 90 days warning is their policy can you use the service and still complain?
I'm not sure I understand you right but if by time of my deposit their policy is 90ms warning, I can't complain to see my money gone, no (assuming this is not hidden in some gray on gray small print).
For now they confirmed to not have a policy at all and I assume "some" law would kick in.

Also, $10 fee? So it is ok with you to take all of the small deposits?
No. Everybody should be able to reclaim his belonging at a reasonable processing fee for manually sending the coins somewhere. I assume that what you take for "small deposit" might be worth a fortune when hundreds of old nerds pay hundreds of dollars to recover data from that old backup drive no recent computer has adapters for, so the instawallet group's call center fee should be the least of their worries. By then 10$ might not even be enough for a phone call ;) ... hmm ... dreaming again :)
Ok, makes sense.  Ideally, some way to reclaim the funds, even if it is a manual process, would be preferred.

I don't know what you mean by "some law" would kick in.  There's no laws about requiring a company to provide access to digital files in the event of a shutdown, as far as I know.  Correct me if I am wrong.

As another example, if you fail to pay the rent on a storage unit, your stuff cannot be reclaimed after it is auctioned off.  There has to be a reasonable cutoff of time where the entity storing your stuff is no longer responsible for it.  You shouldn't expect instawallet to continue to provide you access to your coins, even manual access, for the rest of your lifetime.
legendary
Activity: 1862
Merit: 1105
WalletScrutiny.com
Well, I just picked an arbitrary deadline that would be acceptable to me.  But I see your point.  OTOH, they can't just be forced to host the site forever in the event that they want to shut it down, so what is your counter-proposal for a reasonable ToS in the event of a site shutdown?
As I said: If they really discontinue the cool service and can't (legally?) keep up the site for cash out only, I would expect to see some manual processing to kick in that would also be ok to cost a certain fee.

If they post beforehand that 90 days warning is their policy can you use the service and still complain?
I'm not sure I understand you right but if by time of my deposit their policy is 90ms warning, I can't complain to see my money gone, no (assuming this is not hidden in some gray on gray small print).
For now they confirmed to not have a policy at all and I assume "some" law would kick in.

Also, $10 fee? So it is ok with you to take all of the small deposits?
No. Everybody should be able to reclaim his belonging at a reasonable processing fee for manually sending the coins somewhere. I assume that what you take for "small deposit" might be worth a fortune when hundreds of old nerds pay hundreds of dollars to recover data from that old backup drive no recent computer has adapters for, so the instawallet group's call center fee should be the least of their worries. By then 10$ might not even be enough for a phone call ;) ... hmm ... dreaming again :)
legendary
Activity: 1246
Merit: 1014
Strength in numbers
I'd prefer your ToS say that as long as the site is running, the users' bitcoins are safe and will never be used.  I'd also like to see that a warning will be posted at least 90 days prior to any known permanent shutdown of the site.

JMO, take it or leave it. ;)

SgtSpike, you would qualify for a good scammer I guess. I mean if I don't check that site in 90 days (they can't mail me neither), they should legally own my coins without me shouting "SCAMMER"? No way!
If bitcoin goes through the roof now, they put some notice that the service will be discontinued by blabla and start walletinsta.com instead?
I would expect to have all the funds available for 10$ processing fee for years after closing the service. You can't just take your user's money. (I mean legally you might be allowed to do so after a certain time but for me bitcoin is still very much about honesty, trust and reputation ... or anarchy if you prefer that word.)

If they post beforehand that 90 days warning is their policy can you use the service and still complain?

Also, $10 fee? So it is ok with you to take all of the small deposits?