Title: Blockchain.info - confirm IP address for callbacks
Post by: keatonatron on May 22, 2013, 10:37:41 AM

Hi all,

The documentation for the Blockchain.info Receive Payment API says we should check the IP address of the caller to make sure it came from blockchain.info -- which is obviously a good idea (very easy to spoof payment notifications otherwise!).

I programmed my callback page to get the originating IP address, get the IP of blockchain.info, and compare the two. It failed. After some research, I found out the blockchain.info domain name is linked to both 141.101.112.196 and 190.93.243.195, and although my script was pulling these up okay, the callback was originating from a third IP address: 82.145.55.247.

Should I assume this is the dedicated callback server and I can hardcode it into my script as the address to check for?

I tried instead to take the IP address and do a reverse lookup of the hostname to compare that to "blockchain.info", but it looks like there isn't a proper reverse entry specified (the lookup fails).

Any suggestions of the best way to implement this security?

Title: Re: Blockchain.info - confirm IP address for callbacks
Post by: keatonatron on May 23, 2013, 02:55:29 AM

Hoping to bring this to the top of the stack--I probably posted at a time when most of the world was asleep.
Title: Re: Blockchain.info - confirm IP address for callbacks
Post by: firepacket on May 27, 2013, 06:17:00 AM

A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.
Title: Re: Blockchain.info - confirm IP address for callbacks
Post by: keatonatron on May 27, 2013, 02:02:18 PM

Quote from: firepacket on May 27, 2013, 06:17:00 AM
A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.

Thanks for the feedback! It does allow me to pass a pre-specified parameter along with the callback, which is what I'm currently using for security. Hopefully that will be enough. Locking it down by IP would be quite spoof-proof, but if the server's IP changed everything would stop working...

Thanks for dredging my post up to give it a proper answer ;D
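As an added example (not code from the thread or from Blockchain.info), the check a callback handler would run along the lines the thread settles on: the pre-specified secret embedded in the callback URL is the primary gate, compared in constant time and failing closed when absent, while an IP allowlist is optional because the provider's sending address can change and has no reverse DNS entry to lean on. The parameter names `secret`, `confirmations` and `value`, the `*ok*` acknowledgement and the secret value are assumptions for the example, not taken from the provider's documentation.

```python
import hmac
from urllib.parse import parse_qs

# Constructed example secret: the value the merchant placed in the callback
# URL registered with the payment provider (hypothetical, not a real token).
MERCHANT_SECRET = "s3cr3t-merchant-token-EXAMPLE"

# Optional allowlist of sender IPs. Empty by default: the shared secret is the
# control that keeps working when the provider's callback address changes.
ALLOWED_IPS: frozenset = frozenset()


def verify_callback(query_string: str, remote_ip: str, min_confirmations: int = 6):
    """Return (accepted, reason) for one incoming payment callback.

    Order of checks: optional IP allowlist, constant-time secret match,
    numeric field sanity, then a confirmation threshold before the payment
    is treated as final. Parameter names are assumed for this example.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    if ALLOWED_IPS and remote_ip not in ALLOWED_IPS:
        return False, "ip not in allowlist"

    # A missing secret compares against "" and fails; compare_digest avoids
    # leaking how many leading characters matched through response timing.
    supplied = params.get("secret", [""])[0]
    if not hmac.compare_digest(supplied.encode(), MERCHANT_SECRET.encode()):
        return False, "bad secret"

    try:
        confirmations = int(params.get("confirmations", ["0"])[0])
        value_satoshi = int(params.get("value", ["0"])[0])
    except ValueError:
        return False, "malformed numeric field"

    if value_satoshi <= 0:
        return False, "non-positive value"
    if confirmations < min_confirmations:
        # Not an attack: the provider may call again as confirmations grow.
        return False, "waiting for confirmations"
    return True, "accepted"


def callback_response(accepted: bool) -> str:
    # Assumed acknowledgement body that tells the provider to stop retrying.
    return "*ok*" if accepted else ""


if __name__ == "__main__":
    # Constructed sample callback, as the provider would append it to the URL.
    sample = "secret=s3cr3t-merchant-token-EXAMPLE&confirmations=6&value=100000"
    print(verify_callback(sample, "203.0.113.5"), callback_response(True))
```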