Bitcoin Forum
Author Topic: Blockchain.info - confirm IP address for callbacks  (Read 1607 times)
keatonatron (OP), Sr. Member (Activity: 308, Merit: 250)
Signature: Jack of oh so many trades.
May 22, 2013, 10:37:41 AM, #1

Hi all,

The documentation for the Blockchain.info Receive Payment API says we should check the IP address of the caller to make sure it came from blockchain.info -- which is obviously a good idea (very easy to spoof payment notifications otherwise!).

I programmed my callback page to get the originating IP address, get the IP of blockchain.info, and compare the two.

It failed.

After some research, I found out the blockchain.info domain name is linked to both 141.101.112.196 and 190.93.243.195, and although my script was pulling these up okay, the callback was originating from a third IP address: 82.145.55.247.

Should I assume this is the dedicated callback server and I can hardcode it into my script as the address to check for?

I tried instead to take the IP address and do a reverse lookup of the hostname to compare that to "blockchain.info", but it looks like there isn't a proper reverse entry specified (the lookup fails).

Any suggestions of the best way to implement this security?

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
keatonatron (OP), Sr. Member (Activity: 308, Merit: 250)
May 23, 2013, 02:55:29 AM, #2

Hoping to bring this to the top of the stack--I probably posted at a time when most of the world was asleep.

firepacket, Newbie (Activity: 7, Merit: 0)
May 27, 2013, 06:17:00 AM, #3

A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.
keatonatron (OP), Sr. Member (Activity: 308, Merit: 250)
May 27, 2013, 02:02:18 PM, #4

Quote from: firepacket on May 27, 2013, 06:17:00 AM
> A proper callback API should have a server-side shared secret field. You shouldn't have to rely on IP addresses for authentication.

Thanks for the feedback! It does allow me to pass a pre-specified parameter along with the callback, which is what I'm currently using for security. Hopefully that will be enough.

Locking it down by IP would be quite spoof-proof, but if the server's IP changed everything would stop working...

Thanks for dredging my post up to give it a proper answer  Grin

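The two approaches discussed in this thread, a per-order secret echoed back in the callback (firepacket's suggestion and the "pre-specified parameter" the OP ended up using) and a caller-IP allowlist, side by side as an added example. This is not code from the thread and not Blockchain.info's API: it uses only the Python standard library, the query-string field names `order`, `secret`, `value` and `confirmations` are constructed for the example rather than taken from the real Receive Payment API, and the allowlist range is a TEST-NET placeholder, not a real notifier address.

```python
"""Added example: accept a payment-notification callback on the strength of a
per-order secret, with an IP allowlist only as optional defence in depth."""
import hmac
import ipaddress
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample order store. In a real deployment the secret is generated
# when the receiving address is requested, stored with the order, and embedded
# in the callback URL handed to the payment provider, which echoes it back.
ORDERS = {
    "order-1001": {"secret": "7e0c3a9b5f2d4e1a", "expected_satoshis": 150_000},
}

# Optional allowlist of notifier source ranges. Placeholder value (RFC 5737
# TEST-NET-2); as the thread shows, the web front-end's A records are not a
# reliable source for this list, so it should come from the provider's own
# published addresses and be treated as a second line, not the only one.
NOTIFIER_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

MIN_CONFIRMATIONS = 6  # constructed policy value for the example


def new_order_secret() -> str:
    """Per-order secret to embed in the callback URL when the order is created."""
    return secrets.token_hex(16)


def ip_allowed(remote_ip: str) -> bool:
    """True if the caller's address falls inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in NOTIFIER_ALLOWLIST)


def verify_callback(url: str, remote_ip: str, require_ip: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) for one callback request.

    The presented secret is compared with hmac.compare_digest so that a wrong
    guess does not reveal, through response timing, how many leading characters
    matched. Amount and confirmation count are checked as well, because a valid
    secret only proves who sent the notification, not that the payment is enough.
    """
    params = parse_qs(urlsplit(url).query)
    order_id = params.get("order", [""])[0]
    presented = params.get("secret", [""])[0]

    order = ORDERS.get(order_id)
    if order is None:
        return False, "unknown order"
    if not hmac.compare_digest(presented.encode(), order["secret"].encode()):
        return False, "bad secret"
    if require_ip and not ip_allowed(remote_ip):
        return False, "ip not allowlisted"

    try:
        value = int(params.get("value", ["0"])[0])
        confirmations = int(params.get("confirmations", ["0"])[0])
    except ValueError:
        return False, "malformed numeric field"
    if value < order["expected_satoshis"]:
        return False, "underpaid"
    if confirmations < MIN_CONFIRMATIONS:
        return False, "insufficient confirmations"
    return True, "ok"


if __name__ == "__main__":
    good = ("https://shop.example/cb?order=order-1001&secret=7e0c3a9b5f2d4e1a"
            "&value=150000&confirmations=6")
    print(verify_callback(good, "198.51.100.7"))                 # (True, 'ok')
    print(verify_callback(good.replace("7e0c3a9b5f2d4e1a", "guess"), "198.51.100.7"))
    print(verify_callback(good, "203.0.113.9", require_ip=True))  # allowlist miss
```

The secret check does the real work: it is bound to one order, it survives the notifier changing its outbound address (the OP's concern in post #4), and it does not depend on a reverse DNS entry existing. Leaving `require_ip` off by default reflects that; switch it on only once the allowlist is populated from the provider's published notifier addresses, otherwise a routine infrastructure change on their side silently stops every payment from being recorded.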