Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred - page 61.

vip

Activity: 1316

Merit: 1043

👻

Quote from: Turbonoodle on July 03, 2013, 09:32:55 AM

Great site!

Some questions:

1. In the Send Bitcoins page, there is a USD calculator box. Any chance you could add a preference to change it to Euro, too? Also, where are you getting the exchange rate for that?

2. I undestand that you can withdraw from Coinlenders back to inputs.io. You also can send instantly to just-dice, but looks like you can't send back to inputs.io wallet from there. Any plans to allow instant withdrawals from just-dice to inputs.io wallet?

1. Done. See the latest news update

2. Yes, dooglus should support that soon.

Thank you for all the feedback and suggestions. We want to make Inputs even better

(not saying we're not already the best wallet out there, heh)

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Hi Hebert,

Thank you for your comments. We support adding secrets to your callback URL. Example:

https://www.example.com/callback?sec=putSomethingHere

Use that as your callback URL. Use SSL so others will not know your secret.

It is not open to replay attacks as for record keeping purposes you should be recording all transactions including the TXID.

Herbert

hero member

Activity: 488

Merit: 500

It seems you put a lot of thought into security measures. Still it seems the callback API is somehow lacking. The only proof that the callback is actually coming from your site is the IP-Address of the sender. There are possibilities to spoof the source IP of a TCP connection, especially in a case where the attacker has access to the subnet of the receiving system (see e.g. http://www.symantec.com/connect/articles/ip-spoofing-introduction).

You should consider adding another security layer here. For example on bitcoinmonitor.net callback notifications I added a signature to the callback data which makes sure that the callback was created by the server and not someone else (see http://www.bitcoinmonitor.net/help/ -> section "security").

As the signed data does not contain a time component this is probably still prone to replay attacks of the same request with same signature and spoofed sourceIP, but at least raises the bar. And I am sure there are advanced cryptotechniques that could also close this attack vector.

whiskers75

hero member

Activity: 658

Merit: 502

Doesn't use these forums that often.

Awesome service! Yay, no more waiting for confirms.

Herbert

hero member

Activity: 488

Merit: 500

Quote from: Turbonoodle on July 03, 2013, 09:32:55 AM

2. I undestand that you can withdraw from Coinlenders back to inputs.io. You also can send instantly to just-dice, but looks like you can't send back to inputs.io wallet from there. Any plans to allow instant withdrawals from just-dice to inputs.io wallet?

I think in some thread Dooglus mentioned that withdrawal from just-dice to inputs.io will be implemented soon.

Turbonoodle

newbie

Activity: 6

Merit: 0

Great site!

Some questions:

1. In the Send Bitcoins page, there is a USD calculator box. Any chance you could add a preference to change it to Euro, too? Also, where are you getting the exchange rate for that?

2. I undestand that you can withdraw from Coinlenders back to inputs.io. You also can send instantly to just-dice, but looks like you can't send back to inputs.io wallet from there. Any plans to allow instant withdrawals from just-dice to inputs.io wallet?

Herbert

hero member

Activity: 488

Merit: 500

Quote from: 🏰 TradeFortress 🏰 on July 03, 2013, 06:58:34 AM

Quote from: Herbert on July 03, 2013, 06:53:30 AM

Created a wallet, sent 0.01 BTC to my deposit address. Transaction (https://blockchain.info/tx/f304d86fc093a178655844082211567139fdfbbd1e0a7da635b843ad21d8139b) has now 2 confirmations, but inputs.io wallet says it is still unconfirmed.
According to FAQ everything below 5BTC should be confirmed with one confirmation.

Whats up?

Your TX has been credited.

Got it, thanks!

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: Herbert on July 03, 2013, 06:53:30 AM

Created a wallet, sent 0.01 BTC to my deposit address. Transaction (https://blockchain.info/tx/f304d86fc093a178655844082211567139fdfbbd1e0a7da635b843ad21d8139b) has now 2 confirmations, but inputs.io wallet says it is still unconfirmed.
According to FAQ everything below 5BTC should be confirmed with one confirmation.

Whats up?

Your TX has been credited.

Herbert

hero member

Activity: 488

Merit: 500

Created a wallet, sent 0.01 BTC to my deposit address. Transaction (https://blockchain.info/tx/f304d86fc093a178655844082211567139fdfbbd1e0a7da635b843ad21d8139b) has now 2 confirmations, but inputs.io wallet says it is still unconfirmed.
According to FAQ everything below 5BTC should be confirmed with one confirmation.

Whats up?

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Tweaked it a bit and added a touch of color. Let me know what you think.

If it made your head spin, Cheesy

1base58

newbie

Activity: 18

Merit: 0

Quote from: 🏰 TradeFortress 🏰 on July 03, 2013, 12:07:07 AM

2FA code is now hidden entirely after it has been enabled, and a new secret is generated every time it is disabled.

UI on smaller screens also fixed. You'll need to do a hard refresh.

Thank you!

That was quick

It's working as expected.

I see you're making changes to the front page as well. I don't know what you had in mind for the spin effect graphic, but I can say it makes my head hurt.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: Inputs.io on July 03, 2013, 04:44:46 AM

Hi!

This is Inputs' forum account (along with Inputs.io Support).

Confirmed.

Inputs.io

newbie

Activity: 5

Merit: 0

Hi!

This is Inputs' forum account (along with Inputs.io Support).

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: 1base58 on July 02, 2013, 11:28:42 PM

I can accept 2FA being disabled without requiring the code. It is more concerning that the 2FA secret is shown on the account details page. I believe the best practice adopted by Google / Dropbox is to not reveal the secret once enabled, and to use a new secret if 2FA was disabled then reenabled.

Hey, thanks for answering my questions, and I certainly hope you support LTC in the future. You only have to read this thread to see how the lack of a secure & trusted online wallet for LTC is an opportunity for scammers and hurts the cryptocurrency community.

2FA code is now hidden entirely after it has been enabled, and a new secret is generated every time it is disabled.

UI on smaller screens also fixed. You'll need to do a hard refresh.

Thank you!

btc4ever

sr. member

Activity: 321

Merit: 250

I am glad to see this service announcement.

Coincidentally, I just started a thread about using payment processors that support btc-to-email in order to implement a massive bitcoin moneybomb sending BTC to either:
a) friends/family to promote awareness/adoption, and expand the btc economy.
b) a single charity, to promote public image.

Perhaps inputs.io can help us pull this off.

https://bitcointalk.org/index.php?topic=248870.new#new

1base58

newbie

Activity: 18

Merit: 0

Quote from: 🏰 TradeFortress 🏰 on July 02, 2013, 11:02:13 PM

ASICMINER shares are tied to addresses. Exchanges hold the shares themselves, they are passthroughs.

We use Google's 2FA security model - you can disable 2FA without entering the code in case you lost your phone - this requires you to have a signed in session. Sessions are both IP and user agent locked.

Our site is secure against XSS attacks, as well as CSRF attacks.

Thanks for your feedback! One of the directions we may be going into is a multicurrency wallet with a built in exchange. However, we also want to focus on the core for now.

I can accept 2FA being disabled without requiring the code. It is more concerning that the 2FA secret is shown on the account details page. I believe the best practice adopted by Google / Dropbox is to not reveal the secret once enabled, and to use a new secret if 2FA was disabled then reenabled.

Hey, thanks for answering my questions, and I certainly hope you support LTC in the future. You only have to read this thread to see how the lack of a secure & trusted online wallet for LTC is an opportunity for scammers and hurts the cryptocurrency community.

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

ASICMINER shares are tied to addresses. Exchanges hold the shares themselves, they are passthroughs.

We use Google's 2FA security model - you can disable 2FA without entering the code in case you lost your phone - this requires you to have a signed in session. Sessions are both IP and user agent locked.

Our site is secure against XSS attacks, as well as CSRF attacks.

Thanks for your feedback! One of the directions we may be going into is a multicurrency wallet with a built in exchange. However, we also want to focus on the core for now.

1base58

newbie

Activity: 18

Merit: 0

Quote from: 🏰 TradeFortress 🏰 on July 02, 2013, 10:26:35 PM

Our format is unique. All real (not system mixed) deposits to your address are credited. You control your private keys and can sign messages. Your spending comes from different addresses.

What this means is it gives you the privacy of a shared wallet, while allowing you to do things like hold ASICMINER shares to your address.

How would this work? ASICMINER shares are issued/traded on btct.co and bitfunder so holding them in a wallet doesn't make sense to me.

I'm also interested whether you are considering support for other cryptocurrencies, in a similar manner allowing for offchain transactions where the recipient selects their preferred currency to deposit into their wallet.

Also, regarding security I don't believe it is sensible to show the 2FA secret on the account details page once 2FA has been enabled. This opens up potential for a CSS attack or loggers (keys + screens) to circumvent 2FA.

EDIT: Also disabling 2FA should require entering the code, a single click to disable 2FA is weak.

dillpicklechips

hero member

Activity: 994

Merit: 507

Quote from: 🏰 TradeFortress 🏰 on July 02, 2013, 10:53:18 PM

Quote from: dillpicklechips on July 02, 2013, 10:32:21 PM

But you have to have the private keys too if I'm using other BTC when I'm sending?

Right. Theoretically, we can spend everyone's coins, but that is true for other services too (even the client JS ones) and it makes very little business sense to do so.

Thanks. I just wasn't sure if it was a shared wallet or not. Are withdrawals guaranteed that the coins don't come from any of your deposit addresses or is it just unlikely?

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: dillpicklechips on July 02, 2013, 10:32:21 PM

But you have to have the private keys too if I'm using other BTC when I'm sending?

Right. Theoretically, we can spend everyone's coins, but that is true for other services too (even the client JS ones) and it makes very little business sense to do so. If you think I'm here to scam people, check out CoinLenders - our total deposits have been going down for a while (3500 BTC less from peak) due to competition, but I make money from the spread on lending and investments, not scamming.

Topic: Inputs.io | Instant Payments, Offchain API, Secure Wallet, 235k+ BTC transferred - page 61. (Read 158152 times)