Pages:
Author

Topic: New, simple online wallet: www.instawallet.org - no signup required - page 9. (Read 28908 times)

legendary
Activity: 1272
Merit: 1012
howdy
Anyone else getting a timeout error? occurred at 3:11PM EST
jav
sr. member
Activity: 249
Merit: 251
Quick update: Internal payments (from one Instawallet to another) are now detected and treated differently: They are instantaneous and amounts down to 1 Satoshi are possible.
jav
sr. member
Activity: 249
Merit: 251
any plans to include a namecoin Instawallet?

Not at the moment, no.

how about allowing those small transfers from one Instawallet to another to be allowed  (i.e., the transfer is allowed if the target address is also on InstaWallet)?

Yes, I will try and tackle this soon (detecting internal transfers and dealing with them differently).
legendary
Activity: 2506
Merit: 1010
While there is no immediate resolution to the "can't send less than 0.01 BTC" using InstaWallet, how about allowing those small transfers from one Instawallet to another to be allowed  (i.e., the transfer is allowed if the target address is also on InstaWallet)?

MyBitcoin, for instance, allows internal transfers to an address for another MyBitcoin account can be an amount as low as 1 satoshi or something to that effect.

These transactions would have the additional benefit of clearing instantaneously, since they are internal to InstaWallet and not announced to the block chain.

With the API now available, I can think of a couple of uses where this would be handy.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo

Hi jav,

any plans to include a namecoin Instawallet?

cheers,  Smiley
legendary
Activity: 2506
Merit: 1010
I have been toying with the idea of providing an API. It will probably happen at some point, but I can't promise anything right now, there are still lots of other things in the queue.

Thanks for providing this (API functionality)!
  - http://forum.bitcoin.org/index.php?topic=26910.0
member
Activity: 84
Merit: 10
Quote
Just for the fun of it, here is what I mean by "doing the math": 16 bytes of random data is 128 bits, which means there are 2^128 = 340282366920938463463374607431768211456 possible Instawallet URLs. Let's say there are 10000 Instawallets in use (in reality the number is nowhere this large, but let's be optimistic and assume that Instawallet will grow). So you have a chance of 10000 to 2^128 to find a wallet with coins if you just guess once. To bring your chances to 50% of finding at least one wallet with coins, you need to guess about 2.359 * 10^34 times (some probability math applied here, I can elaborate if you like). Let's say you want to complete your search within one year. A year has about 3.154 * 10^16 nanoseconds. This means my server needs to serve roughly 7.48 * 10^17 requests per nanosecond to the attacker/botnet.

Do you think my server can handle this? I think we can safely wait until a few more upgrades in processing speed and bandwidth before I have to make the URLs any longer.

Actually, with a URL such as:
https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj

You have 62 (26*2 + 10) choose 22; i.e., 62^22 = 2.70 * 10^39 possibilities.  Or, at least, this is the math that the hacker would've had to do had you not told us that it was only 16 bytes.  :-)  And, is 10,000 a realistic figure for the number of expected active accounts?

Still though, with luck involved, anything can happen.  The hacker could get lucky and find a wallet on his very first attempt.  It's a neat idea though.  I suppose it'd be safe for a very small amount of coins exposed for a very small time (however, even then, why take on any risk if you don't have to)?  I know it's for the noobs and all, but if they're seriously going to be able to use it as a wallet, then they would want to be able to store a significant chunk for significant length of time (and I wouldn't recommend that).

Looks like this would be best used as a laundry service for advanced users (who do not mind the tiny risk for tiny amounts of time).
newbie
Activity: 11
Merit: 0
very nice idea. loads very slow for me
newbie
Activity: 14
Merit: 0
@JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins).  I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics.

But Instawallet is a very nice looking site!

See http://www.google.com/privacy/faq.html#toc-terms-urls

URLs and embedded information

Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service. When you sign up for any such service, you will be informed clearly that the service sends URLs to Google, and whether and how you can opt-in or opt-out.

For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may “embed” that information – including personal information – into its URL (typically, after a question mark (“?”) in the URL). When the URL is transmitted to Google, our servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs.



So does IE and I think Chrome does as well, in the case of IE its with user consent (do you want to help improve our products?).
nux
newbie
Activity: 24
Merit: 0
Does google get a new wallet each time it visits - or are these possibly users wallets that had their data reported to google via the toolbar, or possibly to alexa or any other similar company?

http://www.google.com/search?q=site:instawallet.org&hl=en&prmd=ivns&filter=0&biw=1576&bih=636&num=100
newbie
Activity: 14
Merit: 0
A very well done site, I like it.
jav
sr. member
Activity: 249
Merit: 251
PSA guys, technically this isn't any more secure than encrypting your own wallet.

Absolutely. It's most likely less secure than "encrypting your own wallet". I never advertised this as a secure way to store lots of Bitcoins. In fact, I specifically mention in the FAQ and will repeat it here: Please _do not_ store significant amount of money at Instawallet. Instawallet is all about lowering the barrier of entry and getting people started with Bitcoin quickly. It's not meant as a vault to keep your Bitcoin wealth.

Quote
The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.

This is a serious issue if someone under the control of a botnet points it at your site.  They could implement throttling on their end (so as to avoid DDOS) and yet still hit you from so many IPs.  This service's security is mere obscurity (which would be fine as *one* layer--but not the only).  You should think about at least extending the random URL out to the max size allowed (or near it).  There's no downside to that.

Just for the fun of it, here is what I mean by "doing the math": 16 bytes of random data is 128 bits, which means there are 2^128 = 340282366920938463463374607431768211456 possible Instawallet URLs. Let's say there are 10000 Instawallets in use (in reality the number is nowhere this large, but let's be optimistic and assume that Instawallet will grow). So you have a chance of 10000 to 2^128 to find a wallet with coins if you just guess once. To bring your chances to 50% of finding at least one wallet with coins, you need to guess about 2.359 * 10^34 times (some probability math applied here, I can elaborate if you like). Let's say you want to complete your search within one year. A year has about 3.154 * 10^16 nanoseconds. This means my server needs to serve roughly 7.48 * 10^17 requests per nanosecond to the attacker/botnet.

Do you think my server can handle this? I think we can safely wait until a few more upgrades in processing speed and bandwidth before I have to make the URLs any longer.

How about creating a cookie only when a user visits the main site without a specific wallet? This should solve this problem. I think deprecating the cookies will be a significant decrease in convenience and cause many lost wallets.

That's an interesting alternative, yes, I will keep it in mind. I am wondering whether this change will result in lost wallets. Are people really going to send money without making sure they can access it again? Maybe, I don't know... on the other hand, I can also construct cases where the cookie results in lost wallets: People start to rely on the site remembering them and then suddenly they get a new laptop or somehow clear their cookies and are caught by surprise that the site doesn't remember them anymore. But I will keep this issue in mind.

Am I missing something?

Code:
https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj

Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no?

Everything besides the host name is encrypted when you use HTTPS, including the URL.
member
Activity: 112
Merit: 10
Am I missing something?

Code:
https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj

Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no?

Correct.
sr. member
Activity: 322
Merit: 251
FirstBits: 168Bc
Am I missing something?

Code:
https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj

Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no?
donator
Activity: 2058
Merit: 1054
Mostly I was worried about the possible confusion that can happen when people visit a specific Instawallet linked somewhere, then later return to the site and don't notice that they are redirected to an "old" Instwallet instead of a "fresh" one.
How about creating a cookie only when a user visits the main site without a specific wallet? This should solve this problem. I think deprecating the cookies will be a significant decrease in convenience and cause many lost wallets.
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
PSA guys, technically this isn't any more secure than encrypting your own wallet. If a hacker/malware were on your system and found the "secret" link in your browser bookmarks or saved somewhere on your system, the hacker could just use that URL to transfer the funds to their own wallet.

Yeah, it's one more thing for the writers of malware to have to search for the secret link, but it's not out of question. Look at all the hacks and stuff that have come up. WHere there are security holes these hackers will find a way to get in and steal stuff. It didn't take them long at all to make the malware to steal wallet.dat. The level of effort it would take to adapt that malware to also search for this secret URL is trivial.

Or am I missing something?

You could encrypt the bookmark link to your instawallet ... or continually create new ones and move the money around ... get creative.

And I don't think anyone ever said it was for large holdings just your spending money when you are out and about on the net .... so you don't have to fire up the big kahuna with your savings wallet in it just to buy some socks and blow ....
legendary
Activity: 1022
Merit: 1001
Thanks for the update. Will continue to use this service Smiley
member
Activity: 84
Merit: 10
Yeah, this seems rather nifty, but I'd want a lot more details about how the unique URL is generated, what protections there are against people trying to brute-force URLs to stumble upon money, and how the server/wallets are secured before using it for anything serious.

The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.

This is a serious issue if someone under the control of a botnet points it at your site.  They could implement throttling on their end (so as to avoid DDOS) and yet still hit you from so many IPs.  This service's security is mere obscurity (which would be fine as *one* layer--but not the only).  You should think about at least extending the random URL out to the max size allowed (or near it).  There's no downside to that.
member
Activity: 112
Merit: 10
PSA guys, technically this isn't any more secure than encrypting your own wallet. If a hacker/malware were on your system and found the "secret" link in your browser bookmarks or saved somewhere on your system, the hacker could just use that URL to transfer the funds to their own wallet.

Yeah, it's one more thing for the writers of malware to have to search for the secret link, but it's not out of question. Look at all the hacks and stuff that have come up. WHere there are security holes these hackers will find a way to get in and steal stuff. It didn't take them long at all to make the malware to steal wallet.dat. The level of effort it would take to adapt that malware to also search for this secret URL is trivial.

Or am I missing something?
sr. member
Activity: 294
Merit: 252
Firstbits: 1duzy
Another update: I deprecated the whole cookie thing. Instawallet will no longer make any attempts at trying to remember you.

+1.

Good improvement.
Pages:
Jump to: