
Topic: Blockchain.info - confirm IP address for callbacks

sr. member | Activity: 308 | Merit: 250 | Jack of oh so many trades.
> A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.

Thanks for the feedback! It does allow me to pass a pre-specified parameter along with the callback, which is what I'm currently using for security. Hopefully that will be enough.

Locking it down by IP would be quite spoof-proof, but if the server's IP changed everything would stop working...

Thanks for dredging my post up to give it a proper answer. Grin
newbie | Activity: 7 | Merit: 0
A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.
sr. member | Activity: 308 | Merit: 250 | Jack of oh so many trades.
Hoping to bring this to the top of the stack--I probably posted at a time when most of the world was asleep.
sr. member | Activity: 308 | Merit: 250 | Jack of oh so many trades.
Hi all,

The documentation for the Blockchain.info Receive Payment API says we should check the IP address of the caller to make sure it came from blockchain.info -- which is obviously a good idea (very easy to spoof payment notifications otherwise!).

I programmed my callback page to get the originating IP address, get the IP of blockchain.info, and compare the two.

It failed.

After some research, I found out the blockchain.info domain name is linked to both 141.101.112.196 and 190.93.243.195, and although my script was pulling these up okay, the callback was originating from a third IP address: 82.145.55.247.

Should I assume this is the dedicated callback server and I can hardcode it into my script as the address to check for?

I tried instead to take the IP address and do a reverse lookup of the hostname to compare that to "blockchain.info", but it looks like there isn't a proper reverse entry specified (the lookup fails).

Any suggestions of the best way to implement this security?
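The thread's conclusion is that a per-invoice secret echoed back in the callback is the primary check and the source-IP comparison is at best defence in depth. The following is an added example (not code from the thread or from Blockchain.info) of a callback handler built that way: the callback URL carries an HMAC of the invoice id under a server-side key, the handler recomputes it with a constant-time comparison, and an optional IP allowlist is layered on top. `SERVER_KEY`, the URL layout and the allowlist values are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qs, urlparse

# Constructed example key; in real use load it from configuration, never from the URL.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def make_callback_url(base_url: str, invoice_id: str) -> str:
    """Build the callback URL registered with the payment provider for one invoice.

    The 'secret' parameter is HMAC-SHA256(SERVER_KEY, invoice_id), so it is bound
    to this invoice and the provider simply echoes it back on the notification.
    """
    token = hmac.new(SERVER_KEY, invoice_id.encode(), hashlib.sha256).hexdigest()
    return f"{base_url}?invoice_id={invoice_id}&secret={token}"


def verify_callback(request_url: str, remote_addr: str, allowed_networks=None):
    """Validate an incoming payment notification; returns (ok, reason).

    remote_addr must be the TCP peer address seen by the server, not a client-
    supplied header, unless a trusted reverse proxy sets that header.
    """
    params = parse_qs(urlparse(request_url).query)
    invoice_id = params.get("invoice_id", [""])[0]
    presented = params.get("secret", [""])[0]
    if not invoice_id:
        return False, "missing invoice_id"
    # Recompute the expected token and compare in constant time, on bytes so that
    # odd characters in the presented value cannot raise a TypeError.
    expected = hmac.new(SERVER_KEY, invoice_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "bad secret"
    # Optional second layer: provider source addresses change without notice
    # (the thread saw three different ones), so this is never the only check.
    if allowed_networks:
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False, "unparseable source address"
        if not any(addr in net for net in allowed_networks):
            return False, "source IP not in allowlist"
    return True, "ok"
```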