Topic: easy offline transactions - 1 BTC bounty (Read 6189 times)

I successfully used the version quoted below. Haven't tried in a while though.

You could always create a test offline address, with a tiny amount of BTC, then post a transaction from it here in case anyone will take a look at it. (I wouldn't know what to look for though).

Hello guys!

Congratulations for the development of that offline transaction implementation.

I was always worried about the "problem" with BTC's change.

Newbies are more than expected to commit that kind of mistake anytime.

Mea culpa: I've got to admit I lost a few LTC once (as a newbie then...) I was testing the "import privkey" feature in the official litecoin client in the past.

Suggestions: It would be nice if there were multiple Recipient Addresses forms in order to send transactions for more than just one BTC address.

And do not forget the "Transaction History" feature and the "Raw Transaction" generator as similiar to what's available at brainwallet.org.

Gonna follow this thread and count on this development.

Keep up the good work!

Cheers!

Has anyone successfully been able to use this? When submitting the TX to either http://blockchain.info/pushtx or https://coinb.in/send-raw-transaction.html it gets rejected. Anyone else have any luck?

what are the security implications exactly? Simply that the destination address could be altered, and then the user may overlook this when signing offline? or can other things be done by changing the blockchain data or other stuff?

Sorry, Emergenz claimed my 1BTC bounty in a private message and I donated him because I thought you left.

That was the transaction:
https://blockchain.info/es/tx/5017919fbebe0712a349e473c06018b1df87cdd2732e4f93db76cc3c5c431dc8

Yes, my ultimate goal is to get it where people can easily run *both* the online version and offline version locally, with no need to host the online version.  It's a little tricky because of the problems that exist making request to third-party websites from a locally-running javascript program.  Really, this is the only secure way to do it.  SSL for the online portion is nice but still requires the user trust the person serving the site.  Running both portions locally, on my online and offline computers, is the only way I'd consider using this project for a significant offline transaction.

Anyway, this third-party request issue is partially solveable using CORS headers, and blockchain.info has recently, and very kindly, implemented CORS headers for this type of use case.  Anyway, I worked on it some more last night but ran into some very serious issues with AngularJS (the JS framework I used) HTTP client implementation and CORS compatibility, so I've ended up using Jquery to call blockchain for unspent outputs and to push the signed transaction (which works fine).  Anyway, I still want to do some more work before I announce it ready, and although I won't get to anything tonight, I should be able to finish up this weekend.

This is cool thank you!

Hey, no worries. Good to see you may still work on it

Personally I risked using the prototype version above for my most pressing needs.

Thanks for your understanding and sorry for the inconvenience to anyone who has been waiting on this (i.e., xDan).  I'll be sure to check this thread on a regular basis now.

I'll post an announcement here tonight or tomorrow when it's ready for beta testing.

EDIT: Had to work late last night, hopefully will get to it today.

Good move - will wait for that - I think this is the right way to go and appreciate the effort (I actually wrote something similar but is much less user-friendly as it requires you to find the UTXO information manually).

After thinking about it some more, may I please ask everyone to please hold off on using any version of this?  I didn't realize anyone was still interested in it until a few hours ago.  However, it's got some bugs I want to iron out before anyone uses it.  I originally said to use my hosted version at https://bitcoin-secured.com since it was better than using an unencrypted version of the online part, but after thinking about it, I'd prefer people hold off on using it at all until after I do some additional testing tonight, when I'll have time to do so (can't shirk my work duties anymore right now).  You are of course free to do anything you want with the code, since it's MIT licensed, but I'd prefer people hold off until I can do some additional testing.

I'll make an announcement here when it's ready for beta use.

Sure - I'll wait for the updated version (as I'm watching this thread just be sure to post in it so I remember).

Python is technically not a dependency.  It's just what I used to serve it locally.  It's all static HTML, JS, and CSS, so you can run it from wherever you usually run such scripts.

Can you hold off for a day?  Or else update it tomorrow?  I'll be making some significant changes tonight, like better error handling, etc.

And again, I'll note that I have an SSL-encrypted version at https://bitcoin-secured.com that includes signed MD5 hashes of the offline code for download.

Okay - found the repository (https://github.com/esbullington/bitcoin-secured) - apart from Python any other dependencies?

Thanks for the offer!  The source is on github (I'm esbullington on github, the link is somewhere above), so please feel free to do so, but I do have it on https://bitcoin-secured.com which is SSL.  It's just down for a few minutes while I'm updating it.  So I'll have it back on an SSL-enabled site real soon.

Users who use the online portion of bitcoin-secured hosted by a third-party should make sure that

1)  It's SSL-encryped
2)  It's someone you trust

The best way to run the online portion is locally, simply by going to the `bitcoin-secured/online` directory and then running: python -m SimpleHTTPServer

The site will then be available at localhost:8000

Since blockchain.info is now using CORS, this should work, but I've not yet tested it (working as fast as I can to do so).

PS: Please note that I have signed MD5 hashes of the offline code that can be downloaded at: https://bitcoin-secured.com/#/download

If you have the source on say github then I will be happy to grab it and put it somewhere under https://ciyam.org.

Good news.  blockchain.info now supports CORS so I can connect directly to them while I'm finalizing my own local database of unspent ouputs for bitcoin-secured.  I'll try to push the new version out tonight.  Right now, the script relies on Yahoo to relay the request, which means that blockchain.info's API request limit is quickly reached if a lot of people use it.  This will solve that problem.

NOTICE: bitcoin-secured will be offline shortly will I update it to supports blockchain.info's CORS.  While it's down, please be aware that if you use a non-SSL link for the online version of this software, it's very vulnerable to someone swapping out your Bitcoin address for another.  Either use https://bitcoin-secured.com when it's back up or run it locally (on localhost).  Or wait for someone else to host it on an SSL-enabled URL.

Thanks, Polvos.  I appreciate it.  Which address did you send it to?  I see xDan's bounty but not any others.

The online version currently takes the unspent transactions from the blockchain.info API, although I'm testing my own local database of unspent outputs so that I'm not reliant on an external site for the unspent outcomes.  The problem with the local bitcoin-qt/bitcoind is that it doesn't track arbitrary Bitcoin addresses' unspent outcomes, only the addresses in the local wallet.  So you have to build an external db of those outputs.

Thanks, xDan.  I appreciate it.  Sorry for being offline for a while -- I didn't realize this was still being discussed.  I had an out-of-state family member in the ICU for a week, and then a family member's funeral about 1000 miles away.  So I've been out town for most of the past few weeks.

The reason I still hadn't announced the software was that I haven't had enough time to test it to the fullest extent.  But if people really want to use the implementation as is (early alpha), I'd recommend using this link I've put up for the online portion (if you decide not to run that locally).  It's the same as the copy posted above but it's over SSL:

https://bitcoin-secured.com

Since the link that emergenz posted is not SSL-encrypted, it could pose a big risk for these types of transactions.  Someone could easily swap out Bitcoin addresses of the non-SSL link using mitm.  The site I put up above is SSL-encryped.  If you're comfortable using alpha quality software, you can ignore the notice since this is the same implementation as emergenz posted (except he had removed my alpha software notice or used an earlier version).

Since there is interest, I'll try to test this some more and remove the alpha warning.  But please realize that this is all alpha quality software (including the copy of the program posted by emergenz), and I can make no guarantees.  Personally, I use and recommend Armory for offline signing of significant amounts at this point, although I may move to my implementation as my main offline signer after some additional work and testing.

EDIT: After thinking about it, I'd recommend that no one use any version of this software until I have some more time to look over it tonight (28 May 2013).  I'll post here tomorrow when it's ready.

It is taken from blockchain.info. Here is the relevant line from main1.js:


All you need to use the offline wallet is a bitcoin address and its private key, you don't need any additional software.