Bitcoin Forum
Topic: btcaddr.me - Bitcoin Address Identicon
nelse87
Newbie
November 03, 2012, 05:55:52 PM
 #1

I would like to introduce a project I've done after reading ThePiachu's Master Thesis (https://bitcointalk.org/index.php?action=profile;u=34743). In one of the sections he writes about the "Partial address collision" attack connected with bitcoin addresses. In a nutshell: given a bitcoin address, we can generate an address with the same prefix. As humans tend to read only the first few characters of an address to validate it, a malicious user may replace it with a generated one and deceive a user sending a payment.

I believe the problem can be solved using identicons. Check the site: http://btcaddr.me/ and let me know what your thoughts are.
Spekulatius
Hero Member
November 03, 2012, 06:07:37 PM
 #2

I just tried it, it always gives me the same identicon, no matter what address I put in. Cookies?

★☆★BITCOIN -The Documentary- The first feature-length docu on Bitcoin!★☆★
Be part of it! Be creative! Give us your best ideas, personal contributions and maybe a little donation ;)
nelse87
Newbie
November 03, 2012, 06:09:48 PM
 #3

What addresses did you try? You can try it another way:

http://btcaddr.me/[bitcoin address here]

Maybe the form is not working in your browser - which one are you using?
Spekulatius
Hero Member
November 03, 2012, 06:13:40 PM
 #4

> What addresses did you try? You can try it another way:
>
> http://btcaddr.me/[bitcoin address here]
>
> Maybe the form is not working in your browser - which one are you using?

Firefox 16.0.2 on Windows 7

-edit-
I first entered your site by your link provided in OP, then used the input field with a random address obtained on this forum (1CoinLabF5Avpp5kor41ngn7prTFMMHFVc). Then I changed some letters and later the whole address but it still gave me the same identicon.

Now I just tried it only adding the address in the URL, like you advised, and it worked. But don't you think it is problematic that the same address gets a different icon every time I run it? Heck, it does the same thing again now, after I'm leaving the tab open for 2 minutes, it returns the same identicon no matter what address I put in the URL.


crazy_rabbit
Hero Member
November 03, 2012, 06:15:11 PM
 #5

Oh wow that is VERY COOL. That could go on so many things, right next to your payment address you can show what it *should* look like when you pay.

Is it possible to "scan" the identicon and decipher the address? Like a custom QR code?

Founder of Aeternum.in - NFC enabled, Secure, Bitcoin Cold Storage.
For the next thing in Bitcoin: http://mastercointalk.org/
nelse87
Newbie
November 03, 2012, 06:17:08 PM
 #6

> Oh wow that is VERY COOL. That could go on so many things, right next to your payment address you can show what it *should* look like when you pay.

That's exactly the purpose of it :).

> Is it possible to "scan" the identicon and decipher the address? Like a custom QR code?

No, you can treat it like "visual hash" and it's not reversible.
crazy_rabbit
Hero Member
November 03, 2012, 06:21:37 PM
 #7

> > Oh wow that is VERY COOL. That could go on so many things, right next to your payment address you can show what it *should* look like when you pay.
>
> That's exactly the purpose of it :).
>
> > Is it possible to "scan" the identicon and decipher the address? Like a custom QR code?
>
> No, you can treat it like "visual hash" and it's not reversible.

Still very cool. Do you think you could do one for Litecoin? Is the project open source?

nelse87
Newbie
November 03, 2012, 06:25:19 PM
 #8

You can use it with litecoin addresses too (even though there's "btc" in the domain name). To be honest, you can use it with any string, as there is no input validation. It just takes a string, does sha1 twice and makes an identicon from it.
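
The scheme described in the post above (any string, SHA-1 applied twice, an identicon drawn from the result), as an added Python example that is not part of the thread and not the btcaddr.me code. Hashing the raw first digest, the 5x5 mirrored grid and the colour bytes are assumptions, and LOOKALIKE is a constructed string that shares its first 8 characters with the address quoted earlier in the thread.

```python
import hashlib

# Address quoted earlier in the thread, and a CONSTRUCTED string that shares
# its first 8 characters and last character (not a real, checksummed address).
GENUINE = "1CoinLabF5Avpp5kor41ngn7prTFMMHFVc"
LOOKALIKE = "1CoinLabZ9Kq3TdW7mHs2eUxRb4yNfGpJc"

def visual_hash(text: str) -> bytes:
    """SHA-1 applied twice. Assumption: the second pass hashes the raw
    20-byte digest of the first; the thread does not say which form is used."""
    return hashlib.sha1(hashlib.sha1(text.encode("utf-8")).digest()).digest()

def identicon(text: str):
    """Return (grid, colour): a 5x5 left-right mirrored grid of booleans and
    an RGB tuple, both taken from the double-SHA-1 digest (assumed layout)."""
    digest = visual_hash(text)
    bits = int.from_bytes(digest[:2], "big")      # 15 of these bits fill 5x3 cells
    grid = []
    for row in range(5):
        left = [bool((bits >> (row * 3 + col)) & 1) for col in range(3)]
        grid.append(left + [left[1], left[0]])    # mirror columns 0 and 1
    return grid, tuple(digest[2:5])

def render(grid) -> str:
    return "\n".join("".join("##" if cell else "  " for cell in row) for row in grid)

def shared_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def matches_reference(candidate: str, reference_icon) -> bool:
    """The check only helps when reference_icon was recorded beforehand from a
    trusted source; an icon computed from the displayed address always matches."""
    return identicon(candidate) == reference_icon

if __name__ == "__main__":
    reference = identicon(GENUINE)                # stored when the payee was first verified
    for addr in (GENUINE, LOOKALIKE):
        grid, colour = identicon(addr)
        print(addr, "colour=#%02x%02x%02x" % colour)
        print(render(grid))
        print("matches stored icon:", matches_reference(addr, reference))
```
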
crazy_rabbit
Hero Member
November 03, 2012, 06:27:37 PM
 #9

> You can use it with litecoin addresses too (even though there's "btc" in the domain name). To be honest, you can use it with any string, as there is no input validation. It just takes a string, does sha1 twice and makes an identicon from it.

Is it open source? If not- is there an API that other sites could provide the service as well through you?

nelse87
Newbie
November 03, 2012, 06:35:55 PM
 #10

Here you have it: https://github.com/bnowotarski/btcaddr.me :)
streblo
Full Member
November 03, 2012, 10:10:16 PM
 #11

Hmm, this is neat! Kind of a way to side-step Zooko's triangle
FreeMoney
Hero Member
November 03, 2012, 11:40:41 PM
 #12

This is interesting.

It seems it helps in cases where someone expects to be paying an address they have already paid, but the address has somehow been swapped out with the malicious one. If the site that was compromised is also serving the icon could that not also be swapped out for one that doesn't actually match? To guard against that the payer would need to personally check, is that what is intended?

Another solution that came to me (inspired by etotheipi) is to generate a visually distinctive address (etotheipi used an address with only capital letters). I think there are probably a lot of ways to make an address visually striking. Now that alone would not work because making another one that is striking in the same way would cost the same as the original on average, but if people remember the feel of the address plus the first 5 characters or so (which the original address producer can just let be random) then matching it would be about 58^5 times harder for an attacker.

What are some cheap but striking patterns?

An unusually high number of triplets? (1j4U666mJJJw3QD7gggrHHH2rynFEcAAA)
A lot of numbers?
No letters or numbers with curves?
Only capitals and numbers?

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
Fjordbit
Hero Member
November 04, 2012, 05:40:32 AM
 #13

I think it could work as a browser plugin, where when you mouse over an address, you would see the identicon. This would allow the user to verify quickly, but not rely on the security of the site.
kjj
Hero Member
November 04, 2012, 05:46:42 AM
 #14

> I think it could work as a browser plugin, where when you mouse over an address, you would see the identicon. This would allow the user to verify quickly, but not rely on the security of the site.

So, you see the correct icon for the attacker's address.  Nothing gained.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
TheButterZone
Hero Member
November 04, 2012, 07:38:18 AM
 #15

Hm, I always check the beginning and end of each address. Do I still need this?

ΜΟΛΩΝ ΛΑΒΕ! I sell stuff for BTC here here and here | Flute & Violin & Piano For Sale | Voiceover for BTC | Copy editing for BTC
gpg_identity=http://pgp.thebutterzone.com | WoT feedback here & eBay feedback here | Buy BTC in San Diego, CA, or worldwide!
PayPal: Bitcoinese for "FU, I'm getting a chargeback up to 365 days later!" | Bitcoin voice chat | Utilities For Bitcoin Sellers | THE Bitcoin Sound is here.
FreeMoney
Hero Member
November 04, 2012, 07:59:02 AM
 #16

> > I think it could work as a browser plugin, where when you mouse over an address, you would see the identicon. This would allow the user to verify quickly, but not rely on the security of the site.
>
> So, you see the correct icon for the attacker's address.  Nothing gained.

Seems like it is only relevant when paying an address you have seen before. An optional warning in a client like "You are trying to pay an address that may look like one you have paid before, BUT YOU HAVE NEVER PAID THIS ADDRESS BEFORE. Proceed?" might accomplish this better.

ThePiachu
Sr. Member
November 04, 2012, 09:35:18 AM
 #17

> It seems it helps in cases where someone expects to be paying an address they have already paid, but the address has somehow been swapped out with the malicious one. If the site that was compromised is also serving the icon could that not also be swapped out for one that doesn't actually match? To guard against that the payer would need to personally check, is that what is intended?

If the image was swapped as well, then the website owner could recognize it as not being theirs (let's hope). If the original image is left, the sender can recognise it doesn't match up.

> Hm, I always check the beginning and end of each address. Do I still need this?

That depends on how many characters you memorise. If it's about 10, you should be fine, otherwise creating a collision would take just a few bitcoins worth of hashing. You can read more about it in my master thesis around page 66 - https://bitcointalk.org/index.php?topic=88149 .



Also from other news, this topic is also available on Reddit:
http://www.reddit.com/r/Bitcoin/comments/12ktos/bitcoin_address_identicon_topic_a_solution/

1HWbVLhxj7bhewhyapMZpyhqWAeAhJd51E
My Bitcoin Calculator:
http://tpbitcalc.appspot.com/
cunicula
Hero Member
November 04, 2012, 09:41:43 AM
 #18

I realize this has no practical purpose, but can you make the identicon into something cute?

More broadly, if you could do QR codes that are shaped like bunny rabbits and pandas, then the whole QR scheme might become more interesting to 50% of the population.

In a Society in which there is no law, and in theory no compulsion, the only arbiter of behaviour is public opinion. But public opinion, because of the tremendous urge to conformity in gregarious animals, is less tolerant than any system of law. When human beings are governed by "thou shalt not", the individual can practise a certain amount of eccentricity: when they are supposedly governed by "love" or "reason", he is under continuous pressure to make him behave and think in exactly the same way as everyone else. - George Orwell
FreeMoney
Hero Member
November 04, 2012, 10:04:37 AM
 #19

> I realize this has no practical purpose, but can you make the identicon into something cute?
>
> More broadly, if you could do QR codes that are shaped like bunny rabbits and pandas, then the whole QR scheme might become more interesting to 50% of the population.

Lol.

"Mom can you send me lunch money? I'm the panda with crossed eyes holding a rainbow in its LEFT hand."

ThePiachu
Sr. Member
November 04, 2012, 01:33:53 PM
 #20

> I realize this has no practical purpose, but can you make the identicon into something cute?
>
> More broadly, if you could do QR codes that are shaped like bunny rabbits and pandas, then the whole QR scheme might become more interesting to 50% of the population.

That would be quite an interesting idea, although it would probably be way harder to implement than random geometric shapes...
