PSA guys, technically this isn't any more secure than encrypting your own wallet.
Absolutely. It's most likely less secure than "encrypting your own wallet". I never advertised this as a secure way to store lots of Bitcoins. In fact, I specifically mention in the FAQ and will repeat it here: Please _do not_ store significant amount of money at Instawallet. Instawallet is all about lowering the barrier of entry and getting people started with Bitcoin quickly. It's not meant as a vault to keep your Bitcoin wealth.
The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.
This is a serious issue if someone under the control of a botnet points it at your site. They could implement throttling on their end (so as to avoid DDOS) and yet still hit you from so many IPs. This service's security is mere obscurity (which would be fine as *one* layer--but not the only). You should think about at least extending the random URL out to the max size allowed (or near it). There's no downside to that.
Just for the fun of it, here is what I mean by "doing the math": 16 bytes of random data is 128 bits, which means there are 2^128 = 340282366920938463463374607431768211456 possible Instawallet URLs. Let's say there are 10000 Instawallets in use (in reality the number is nowhere this large, but let's be optimistic and assume that Instawallet will grow). So you have a chance of 10000 to 2^128 to find a wallet with coins if you just guess once. To bring your chances to 50% of finding at least one wallet with coins, you need to guess about 2.359 * 10^34 times (some probability math applied here, I can elaborate if you like). Let's say you want to complete your search within one year. A year has about 3.154 * 10^16 nanoseconds. This means my server needs to serve roughly 7.48 * 10^17 requests per nanosecond to the attacker/botnet.
Do you think my server can handle this? I think we can safely wait until a few more upgrades in processing speed and bandwidth before I have to make the URLs any longer.
How about creating a cookie only when a user visits the main site without a specific wallet? This should solve this problem. I think deprecating the cookies will be a significant decrease in convenience and cause many lost wallets.
That's an interesting alternative, yes, I will keep it in mind. I am wondering whether this change will result in lost wallets. Are people really going to send money without making sure they can access it again? Maybe, I don't know... on the other hand, I can also construct cases where the cookie results in lost wallets: People start to rely on the site remembering them and then suddenly they get a new laptop or somehow clear their cookies and are caught by surprise that the site doesn't remember them anymore. But I will keep this issue in mind.
Am I missing something?
https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj
Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no?
Everything besides the host name is encrypted when you use HTTPS, including the URL.