Topic: New, simple online wallet: www.instawallet.org - no signup required - page 9. (Read 28908 times)

Anyone else getting a timeout error? occurred at 3:11PM EST

Quick update: Internal payments (from one Instawallet to another) are now detected and treated differently: They are instantaneous and amounts down to 1 Satoshi are possible.

Not at the moment, no.


Yes, I will try and tackle this soon (detecting internal transfers and dealing with them differently).

While there is no immediate resolution to the "can't send less than 0.01 BTC" using InstaWallet, how about allowing those small transfers from one Instawallet to another to be allowed  (i.e., the transfer is allowed if the target address is also on InstaWallet)?

MyBitcoin, for instance, allows internal transfers to an address for another MyBitcoin account can be an amount as low as 1 satoshi or something to that effect.

These transactions would have the additional benefit of clearing instantaneously, since they are internal to InstaWallet and not announced to the block chain.

With the API now available, I can think of a couple of uses where this would be handy.

Hi jav,

any plans to include a namecoin Instawallet?

cheers, 

Thanks for providing this (API functionality)!
  - http://forum.bitcoin.org/index.php?topic=26910.0

Actually, with a URL such as:
https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj

You have 62 (26*2 + 10) choose 22; i.e., 62^22 = 2.70 * 10^39 possibilities.  Or, at least, this is the math that the hacker would've had to do had you not told us that it was only 16 bytes.  :-)  And, is 10,000 a realistic figure for the number of expected active accounts?

Still though, with luck involved, anything can happen.  The hacker could get lucky and find a wallet on his very first attempt.  It's a neat idea though.  I suppose it'd be safe for a very small amount of coins exposed for a very small time (however, even then, why take on any risk if you don't have to)?  I know it's for the noobs and all, but if they're seriously going to be able to use it as a wallet, then they would want to be able to store a significant chunk for significant length of time (and I wouldn't recommend that).

Looks like this would be best used as a laundry service for advanced users (who do not mind the tiny risk for tiny amounts of time).

very nice idea. loads very slow for me

So does IE and I think Chrome does as well, in the case of IE its with user consent (do you want to help improve our products?).

Does google get a new wallet each time it visits - or are these possibly users wallets that had their data reported to google via the toolbar, or possibly to alexa or any other similar company?

http://www.google.com/search?q=site:instawallet.org&hl=en&prmd=ivns&filter=0&biw=1576&bih=636&num=100

A very well done site, I like it.

Absolutely. It's most likely less secure than "encrypting your own wallet". I never advertised this as a secure way to store lots of Bitcoins. In fact, I specifically mention in the FAQ and will repeat it here: Please _do not_ store significant amount of money at Instawallet. Instawallet is all about lowering the barrier of entry and getting people started with Bitcoin quickly. It's not meant as a vault to keep your Bitcoin wealth.


Just for the fun of it, here is what I mean by "doing the math": 16 bytes of random data is 128 bits, which means there are 2^128 = 340282366920938463463374607431768211456 possible Instawallet URLs. Let's say there are 10000 Instawallets in use (in reality the number is nowhere this large, but let's be optimistic and assume that Instawallet will grow). So you have a chance of 10000 to 2^128 to find a wallet with coins if you just guess once. To bring your chances to 50% of finding at least one wallet with coins, you need to guess about 2.359 * 10^34 times (some probability math applied here, I can elaborate if you like). Let's say you want to complete your search within one year. A year has about 3.154 * 10^16 nanoseconds. This means my server needs to serve roughly 7.48 * 10^17 requests per nanosecond to the attacker/botnet.

Do you think my server can handle this? I think we can safely wait until a few more upgrades in processing speed and bandwidth before I have to make the URLs any longer.


That's an interesting alternative, yes, I will keep it in mind. I am wondering whether this change will result in lost wallets. Are people really going to send money without making sure they can access it again? Maybe, I don't know... on the other hand, I can also construct cases where the cookie results in lost wallets: People start to rely on the site remembering them and then suddenly they get a new laptop or somehow clear their cookies and are caught by surprise that the site doesn't remember them anymore. But I will keep this issue in mind.


Everything besides the host name is encrypted when you use HTTPS, including the URL.

Correct.

Am I missing something?


Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no?

How about creating a cookie only when a user visits the main site without a specific wallet? This should solve this problem. I think deprecating the cookies will be a significant decrease in convenience and cause many lost wallets.

You could encrypt the bookmark link to your instawallet ... or continually create new ones and move the money around ... get creative.

And I don't think anyone ever said it was for large holdings just your spending money when you are out and about on the net .... so you don't have to fire up the big kahuna with your savings wallet in it just to buy some socks and blow ....

Thanks for the update. Will continue to use this service

The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.