Pages:
Author

Topic: New, simple online wallet: www.instawallet.org - no signup required - page 11. (Read 28908 times)

hero member
Activity: 527
Merit: 500

Quote
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?

It's still yours.  From Jav's comments, it was created with a cryptographically secure PRNG, so nobody else ought to be able to guess it. As far as the site is concerned, presumably you've just got two wallets now and can use whichever you'd like, assuming you record the two "addresses."

I think he means a new bitcoin address, but the same instawallet address. So, is that old bitcoin address still tied to his account? From the information you've given (you use the bitcoin accounts feature) I would infer: yes.

Cool concept.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Hmmm, thanks for thinking this through 's'.

I haven't open/close browser tab or window or done anything that would have changed the cookies. All I did was send, and thus empty the initially assigned wallet address.

I back-paged to the one containing the initial wallet address and it has the same assigned token in the http:// field as the new one.

Edit:  further test, i deleted the cookie folder associated with instawallet and then launched another tab with the provided http link with personal token and it brings me back to correct (new) wallet address. Something else changed the wallet address after I performed the send from function, what was it?
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo

How does the address allocation work for this?

I sent 0.02 btc to the generated address at instawallet, works okay.

Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?

What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
legendary
Activity: 1764
Merit: 1002
cypherdoc: wait a few minutes and make sure it's really a problem.

Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.

i've been waiting all day nervously watching my wallet balance.  no, they're not confirming and the receives are greyed out.
full member
Activity: 140
Merit: 101
cypherdoc: wait a few minutes and make sure it's really a problem.

Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
legendary
Activity: 1764
Merit: 1002
well, i'm having problems with it.  easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out.   instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
full member
Activity: 140
Merit: 101
Nice site, I like the idea a lot.

I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
jav
sr. member
Activity: 249
Merit: 251
It is definitely an issue-- the account code doesn't keep track of where the coins it is sending out came from, so if you accept 0-confirmation coins you're vulnerable to double-spending attacks (see, for example, the discussion of the "Finney attack" in these forums).

I see, thx for clearing that up. I would really like to keep the speedy transactions, so I have decided to still allow 0-confirmation transactions. But I implemented a server-wide rate-limit for those transactions, which should make the Finney attack not worth the effort.


Great idea, that's probably how I'm going to do it!
newbie
Activity: 50
Merit: 0
It seems you are correct, that referrer is transferred when linking to another SSL site. I will have to think about this, but as I don't have outgoing SSL links, it should be fine at the moment. Redirecting in the way you describe would be an option, but I'm not sure I like it much. I consider seeing your actual wallet link in the address bar a usability feature.

I agree that having the wallet link in your address bar is a usability feature (though it could also be done with hash fragments). Perhaps a better approach is to make sure that all outgoing links go through a redirector?

E.g. http://redirect.instawallet.org/?url=http://google.com/ -> http://google.com

This will make sure all the referrer information is cleansed before leaving the site.

Also great job. Smiley I worry what your wallet data looks like after I tried a bunch of random urls and they all worked. Sorry about that. Tongue

- shazow
legendary
Activity: 1232
Merit: 1076
Amazing idea! Love it.
legendary
Activity: 1652
Merit: 2301
Chief Scientist
This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.

I thought this wouldn't be an issue, but I'm not so sure anymore. I use the "account" feature of bitcoind and every wallet has its own account. My understanding was, that this will mean that the coins being sent are limited to the account as well. In that case it doesn't matter if the funds end up not confirming, because it will also invalidate the withdraw transaction. But maybe bitcoind uses coins from other accounts as well sometimes? Has someone here more insight into this?

It is definitely an issue-- the account code doesn't keep track of where the coins it is sending out came from, so if you accept 0-confirmation coins you're vulnerable to double-spending attacks (see, for example, the discussion of the "Finney attack" in these forums).

Seeing coins show up right away is a fantastic feature, though, so I'd suggest getting the 0-confirmation balance and a 3+-confirmation balance, allowing only 3+ confirmed coins to be withdrawn, and displaying the difference as 'waiting confirmation'.
jav
sr. member
Activity: 249
Merit: 251
Great to see the site being positively received. :-)

This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.

I thought this wouldn't be an issue, but I'm not so sure anymore. I use the "account" feature of bitcoind and every wallet has its own account. My understanding was, that this will mean that the coins being sent are limited to the account as well. In that case it doesn't matter if the funds end up not confirming, because it will also invalidate the withdraw transaction. But maybe bitcoind uses coins from other accounts as well sometimes? Has someone here more insight into this?

I guess it can't get much easier than this Smiley Do you know if your service can be used with this pool? https://bitcointalksearch.org/topic/350-ghs-eligius-experimental-pool-almost-feeless-pps-hoppers-welcome-6667

Interesting question, I'm not sure. The balance is whatever the method "getbalance 0" (so minconf=0) will return. I have no idea if this is the case for these pool transactions.

Where are the wallet files kept?
who has access to the physical equipment that the wallets are stored on?
What kind of encryption does instawallet use?
can we see the source code?

Sorry if any/all of these are answered somewhere on the site, but I can't find it yet.

One of the next things I will add is some sort of FAQ list that will address these things. For now: the wallet is on a VPS, running Debian Squeeze on an un-encrypted file system. So my VPS host prgmr.com technically has access and of course I do. Besides SSL there is no encryption used, but the regular backups I will make will be encrypted. I haven't decided about the source code, so for now it remains closed.

In any case: This isn't really the place to store your Bitcoin wealth! I will try my best in keeping the service stable and secure, but ultimately I want to see mostly Bitcents on these wallets. A lot needs to happen before I would trust a cloud service with a larger amount of Bitcoin to store over longer time and Instawallet is definitely not the place to do that.

Yeah, this seems rather nifty, but I'd want a lot more details about how the unique URL is generated, what protections there are against people trying to brute-force URLs to stumble upon money, and how the server/wallets are secured before using it for anything serious.

The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.

My only suggestion would be a "copy to clipboard" icon/link next to the funding address

Thx for the idea, I will consider implementing that!

Is typing in your own wallet code a supported feature?
https://www.instawallet.org/w/free_bitcoins

It's not specifically supported, but yes, it works at the moment and you are free to make up your own wallet URL.

1.  Did you address the possibility of cross-site request forgery?

Maybe not to its full extend. You need to provide the wallet identifier when making a payment, but maybe this could be scripted with JavaScript after being redirect to the wallet URL? I will tighten up security in this area, thx for the pointer. Again, I don't recommend people to store large amounts of money there, so that CSRF would be worthwhile, but of course I appreciate the trust in the service if someone ends up doing it anyway.

2.  Though the standard is somewhat vague, the traditional interpretation of RFC 2616 is that Referrer: headers are permitted from HTTPS content as long as the target uses SSL as well.  I don't know offhand how each different modern browser reacts by default, but I disagree with Theymos that it's not a concern in general.

2a.  To address this issue partly, it would be fairly easy to continue to permit pages to be accessed using an address in the URL but to redirect the user immediately to a page that doesn't include it there, either storing it in the session or including it as a hidden form parameter.

It seems you are correct, that referrer is transferred when linking to another SSL site. I will have to think about this, but as I don't have outgoing SSL links, it should be fine at the moment. Redirecting in the way you describe would be an option, but I'm not sure I like it much. I consider seeing your actual wallet link in the address bar a usability feature.

4.  Are the addresses generated using a secure PRNG?  If it's an ordinary PRNG, it wouldn't be hard to guess addresses.

What is an "ordinary PRNG" for you? I use Python's os.urandom() which I would consider pretty "ordinary", but I have checked the documentation which claims that it returns "random bytes suitable for cryptographic use".
newbie
Activity: 5
Merit: 0
Would be cool if you could choose your own address for increased rememberability.
administrator
Activity: 5222
Merit: 13032
When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on.  So, this would be an issue if instantwallet.com had links to other websites.

This doesn't happen from HTTPS sites.
sr. member
Activity: 294
Merit: 252
Firstbits: 1duzy

Is typing in your own wallet code a supported feature?

https://www.instawallet.org/w/free_bitcoins
sr. member
Activity: 294
Merit: 252
Firstbits: 1duzy
I just noticed the link in the bottom-right to http://www.freecsstemplates.org/  I wonder how many wallets they have access to already  Grin

Mine at least. Thanks for pointing that out...
(not that I'd put any money in..)

member
Activity: 74
Merit: 11
www.minethings.com
I just noticed the link in the bottom-right to http://www.freecsstemplates.org/  I wonder how many wallets they have access to already  Grin
newbie
Activity: 8
Merit: 0
When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on.  So, this would be an issue if instantwallet.com had links to other websites.

This would also be an issue if Instawallet added any advertising. The site which serves the ads would have access to the URL, which would potentially be very bad.
sr. member
Activity: 294
Merit: 252
My only suggestion would be a "copy to clipboard" icon/link next to the funding address (I need to do that for ClearCoin, too-- haven't looked into how to do it yet, but github does it so I know it can be done...)

As far as I know, the only way to do this universally across browsers and operating systems is to use a flash object. Sad

Clippy is what github uses: https://github.com/mojombo/clippy
legendary
Activity: 1260
Merit: 1031
Rational Exuberance
This service is fantastic. I probably won't use it myself, but I sent a $1 USD donation (0.39BTC) to the donation address at the bottom of the page, just for being awesome.

I miss dollar parity at times like this - then I didn't have to do any math to know how much I'm sending someone. But of course I don't miss dollar parity TOO much Wink
Pages:
Jump to: