Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: BTCurious on November 10, 2011, 03:38:37 AM



Title: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: BTCurious on November 10, 2011, 03:38:37 AM
A simple integration step that I think is missing in the combined toolset is a web-based protocol. (A "bitcoin:" version of the "mailto" link)

Imagine this situation:

You register for mtgox, and want to deposit some bitcoins. You go to the deposit page, fill in the amount you want to deposit. MtGox generates a bitcoin protocol link, for example:

bitcoin:pay:1MtGoxAddress1es89fwSTYR:5:MtGox deposit to account BTCurious

By clicking a button or the link, the data is forwarded by the browser. You have installed the default bitcoin client earlier, which registered the bitcoin protocol, so this is now sent the data.
The client asks you:

Quote
Do you want to pay 5 Bitcoins to 1MtGoxAddress1es89fwSTYR? Payment data: "MtGox deposit to account BTCurious"
Yes/No

You click yes, and it's paid. You never have to copy/paste any addresses. You can connect the protocol to your favourite wallet manager, be it the standard client, or your web-based wallet.

A client might also provide the ability to generate these links to send to your buddy who wants to pay you:
bitcoin:pay:1JohnDoeAddress1n4e3o1tnsuy:50:You still owe me a Block, dude!


I believe this would very much increase the user-friendliness of payment and address management.

I propose creating a standard for this protocol. It's open for suggestions, but my initial idea is:

For doing payments (webshops, deposits, inter-person payments)
bitcoin:pay:<address>:<amount>:<comment>

For saving an address in an address list (useful for miner payout addresses, green addresses)
bitcoin:address:<address>:<comment>


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: theymos on November 10, 2011, 03:49:28 AM
This has been discussed a million times, and there are already a million different proposed URI protocols. Why is yours better?


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: BTCurious on November 10, 2011, 04:07:00 AM
Hmm, I see you're right. I wasn't aware it was more commonly known as a URI, and searching for protocol didn't get me very far.

It makes me wonder though, why hasn't this been taken up yet? All it takes is for MtGox to agree with a bitcoin client developer, and then the majority of users could use it. The rest would then follow.
If this has been discussed a million times, apparently it's clear that we actually want a URI protocol. The exact format is rather irrelevant, as long as one option reaches critical mass, it will be standardized.
Why is this not yet implemented?


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: DeathAndTaxes on November 10, 2011, 04:09:16 AM
Security.  Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: BTCurious on November 10, 2011, 04:13:40 AM
Quote
Security. Shortly after the first URI usage will be the first URI malware. Likely not something that should be rushed into. Of course it is open source so you can make a URI capable client.
If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

I might make a URI addon at some point, but I first wanted to see what the community thought about my proposal. Which is a bit moot now, since it's one of the many proposals, but yeah…


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Luke-Jr on November 12, 2011, 02:16:27 AM
Spesmilo has supported URIs for months. The Satoshi client devs don't want to.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Gavin Andresen on November 14, 2011, 06:51:10 PM
Quote
Spesmilo has supported URIs for months. The Satoshi client devs don't want to.
Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs. And there's a pull request pending for click-to-pay support.

Quote
Security. Shortly after the first URI usage will be the first URI malware. Likely not something that should be rushed into. Of course it is open source so you can make a URI capable client.
If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

One fear is bitcoin-address-rewriting malware, like the URL-rewriting phishing malware we have today. Actually, combining the two would be very effective (direct the user to a phishing site where all the bitcoin: URIs pay or donate to the scammers). We need better ways users can be certain they are paying who they think they are paying.


Title: Re: bitcoin: ... Web-based protocol
Post by: cjp on November 14, 2011, 07:23:11 PM
I agree we have to be very careful to avoid phishing / malware attacks.

How about the following idea: whenever a URI contains an unknown bitcoin address, or whenever the name in the URI does not equal the name of the address in the address book, give the user a very clear warning that he has to verify the correctness of the new address.

In the future, this might be combined with some sort of public key infrastructure or web of trust.
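Added example, not part of any post in this thread and not code from any Bitcoin client: a strict parser for the format proposed in the first post, combined with the unknown-address warning suggested above and the input sanitizing raised earlier in the thread. The names `valid_address`, `review_uri` and `address_book`, the plain-decimal amount with a 21,000,000 ceiling, the version-0-only address check and the 140-character comment limit are assumptions made for the illustration.

```python
import hashlib
import re
from decimal import Decimal

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
AMOUNT_RE = re.compile(r"\d{1,8}(\.\d{1,8})?")   # assumption: plain decimal BTC only

def valid_address(addr):
    """Base58Check-verify a version-0 (pay-to-pubkey-hash) address."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")           # version + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    zeros = len(raw) - len(raw.lstrip(b"\0"))
    ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes one zero byte
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[0] == 0 and zeros == ones and raw[21:] == check

def review_uri(uri, address_book):
    """Parse a proposed-format URI; return (fields, warnings) or raise ValueError."""
    scheme, _, rest = uri.partition(":")
    action, _, rest = rest.partition(":")
    if scheme != "bitcoin" or action not in ("pay", "address"):
        raise ValueError("not a bitcoin:pay: or bitcoin:address: URI")
    want = 3 if action == "pay" else 2
    parts = rest.split(":", want - 1)         # the comment may itself contain ':'
    if len(parts) != want or not valid_address(parts[0]):
        raise ValueError("missing field or invalid address")
    amount = None
    if action == "pay":
        if not AMOUNT_RE.fullmatch(parts[1]) or not 0 < Decimal(parts[1]) <= 21_000_000:
            raise ValueError("amount must be a plain positive decimal")
        amount = Decimal(parts[1])
    # Drop control characters so the comment cannot forge extra dialog lines.
    comment = "".join(c for c in parts[-1] if c.isprintable())[:140]
    known_as = address_book.get(parts[0])     # address_book: {address: saved name}
    warnings = []
    if known_as is None:
        warnings.append("unknown address: verify it with the payee")
    elif action == "address" and known_as != comment:
        warnings.append("address is already saved as %r" % known_as)
    return {"action": action, "address": parts[0], "amount": amount,
            "comment": comment, "known_as": known_as}, warnings
```

The placeholder addresses used in the first post fail the checksum, so a client built this way rejects them before any dialog is shown.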


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Luke-Jr on November 14, 2011, 08:50:04 PM
Quote
Spesmilo has supported URIs for months. The Satoshi client devs don't want to.
Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs.
Not compliant with the spec.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: jim618 on November 14, 2011, 09:10:22 PM
One way I thought of validating bitcoin uris was to do the following:

1. Say you have a bitcoin uri from a website http://bitcoinbooks.com (say it is a book you are buying)

2. Added to the bitcoin uri is a 'from' field which has a value 'bitcoinbooks.com'

3. The client then does a call to a service endpoint based at:    https://bitcoinbooks.com/uriValidator?<the value of the bitcoin uri>
    The suffix 'uriValidator' is a standard service endpoint used by everyone and https is used to prevent MITM attacks.

4. If bitcoinbooks.com actually created that bitcoin uri it just replies 'true', else 'false'.

5. bitcoinbooks.com is shown to the user on the ui as: green if validated, red if not validated.

This gives the user confidence that the uri is what it appears to be, i.e., it came from the site it appears to.
It also gives the user confidence that the uri is still 'alive' (maybe it is a special offer ending at midnight or there is a time-to-live on it)

It also gives the bitcoinbooks.com site some useful feedback too, but that is not particularly security related.
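Added example, not part of the post above: a client-side sketch of steps 1 to 5 that fails closed, so a malformed 'from' value, a network or TLS error, a redirect, or any reply other than exactly 'true' shows red. The thread does not say how the 'from' field is carried in the URI, so it is passed separately here as `from_host`; the function names and the injectable `fetch` parameter are assumptions made for the illustration.

```python
import re
import urllib.request
from urllib.parse import quote

# Bare DNS hostname only: no scheme, userinfo, port or path.
HOST_RE = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def https_get(url):
    """Default fetcher: certificate-verified HTTPS GET with a short timeout."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        if resp.geturl() != url:          # redirected elsewhere: do not trust the answer
            return ""
        return resp.read(16).decode("ascii", "replace")

def validator_url(bitcoin_uri, from_host):
    """Build the step-3 endpoint URL, refusing 'from' values that are not bare hostnames."""
    host = from_host.strip().lower()
    if not HOST_RE.fullmatch(host):
        raise ValueError("'from' must be a bare hostname")
    return "https://" + host + "/uriValidator?" + quote(bitcoin_uri, safe="")

def origin_status(bitcoin_uri, from_host, fetch=https_get):
    """Return 'green' only when the named site answers exactly 'true'; otherwise 'red'."""
    try:
        return "green" if fetch(validator_url(bitcoin_uri, from_host)).strip() == "true" else "red"
    except Exception:                     # fail closed on bad host, network or TLS errors
        return "red"

if __name__ == "__main__":
    uri = "bitcoin:pay:<address>:5:book order"   # constructed sample URI
    print(origin_status(uri, "bitcoinbooks.com", fetch=lambda url: "true"))
```

Because the 'from' value arrives together with the URI, green shows only that the displayed host vouches for it, so the dialog has to show that host name where the user will read it.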


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Gavin Andresen on November 14, 2011, 09:28:27 PM
Quote
Not compliant with the spec.
You mean the wiki page that describes an overly-complicated scheme with your pet feature that nobody else likes (hexadecimal amounts)?

And that we're all ignoring because we don't feel like getting into wiki editing wars with you (see the history from 9 May)?



Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Deafboy on November 14, 2011, 09:35:30 PM
Quote
One fear is bitcoin-address-rewriting malware
And so it can rewrite a plaintext address on a webpage.
I already have a Firefox addon installed which recognizes bitcoin addresses and makes hyperlinks to a block explorer.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: btc_artist on November 14, 2011, 10:05:30 PM
I for one think that having this click to pay functionality is needed, even if it increases the possibility of malware attacks.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: BTCurious on November 14, 2011, 10:09:56 PM
Quote
I for one think that having this click to pay functionality is needed, even if it increases the possibility of malware attacks.
It is severely lacking in the accessibility of bitcoin in general. I'm not quite sure how to easily make it secure(-ish) though.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Luke-Jr on November 14, 2011, 11:01:49 PM
Quote
You mean the wiki page that describes an overly-complicated scheme with your pet feature that nobody else likes (hexadecimal amounts)?
No, I mean the wiki page that describes a simple future-compatible scheme that the community agreed on earlier this year, and decimal trolls decided to object to months later, despite it not hurting the ability to use (in fact, it is even better for) decimal units.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: BTCurious on November 14, 2011, 11:16:01 PM
Link please?


Also, any mention of the tonal system sort of seems like a joke, to be honest. Maybe it's not, but that's the impression that I got when I first saw it.


Title: Re: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
Post by: Luke-Jr on November 16, 2011, 04:39:37 PM
Quote
Link please?
https://en.bitcoin.it/wiki/URI_Scheme