Bitcoin Forum
Topic: Risks when publishing 'static' bitcoin addresses on the web
swinewine (OP)
December 14, 2010, 10:49:50 AM
 #1

Hi Guys,

We are working on a web app that will involve giving users a bitcoin address to receive coins. I am wondering what the dangers are of publishing a 'static' bitcoin address on the user's profile page of our site. Should we dynamically create addresses for our users for each transaction, or would it be ok to just give them a static address? I would like to know what kind of difficulties (malicious attacks??) might arise should we use static addresses ....

Your knowledge and expertise on this topic would be greatly appreciated as I am relatively a bitcoin noob :)

Thanks guys,

BC
mndrix
Michael Hendricks
December 14, 2010, 03:00:32 PM
 #2

One risk of using a static address is that everyone knows how much has been sent to that address.  For example, one can see how much bitcoin has been donated to the EFF because they use a static address.  Each user has his own personal preference about such information being publicly available.

I'm also new to this, but I understand that no malicious attacks are possible given only a Bitcoin address.  Unless you consider free money malicious :)
casascius
Mike Caldwell
December 14, 2010, 04:38:14 PM
 #3

Maybe someone can publish some sample code for producing a brand new address "on the fly" from a web site, then transmit the corresponding public/private key pair to the person who is supposed to receive the funds.  Example, it could e-mail that information, encrypted with a public key belonging to the intended recipient.  There would need to be a way in the bitcoin client to easily import that into the wallet.dat.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
davout
December 14, 2010, 04:44:47 PM
 #4

What exactly are you trying to accomplish here?

If you use the accounts feature of the bitcoin client you can generate as many addresses as you want for a given user.

If you want example code you should state which language you want the example in :)


casascius
Mike Caldwell
December 14, 2010, 04:49:00 PM
 #5

> What exactly are you trying to accomplish here?

To put a donate button on a website that generates a brand new address on demand for everyone who wants to donate, so all the donors don't donate to a common address that can tie everyone together.

If there was a language of choice, perhaps it would be Javascript, so it happened all in the browser.  Of course there has to be some way to get the generated keypair to the recipient, like e-mail or whatever, but somebody else can figure that out.

Gavin Andresen
December 14, 2010, 05:01:24 PM
 #6

>> What exactly are you trying to accomplish here?
>
> To put a donate button on a website that generates a brand new address on demand for everyone who wants to donate, so all the donors don't donate to a common address that can tie everyone together.
>
> If there was a language of choice, perhaps it would be Javascript, so it happened all in the browser.  Of course there has to be some way to get the generated keypair to the recipient, like e-mail or whatever, but somebody else can figure that out.

Simplest way:

Call getaccountaddress "charity_name"  when you generate the web page.  You'll get the same address over and over, until somebody donates.  Then you'll get a new address.

Then periodically call:
  getbalance "charity_name"
... and if the balance is greater than zero, call:
  sendfrom "charity_name" charity_real_bitcoin_address amount

... to send the charity the accumulated coins.

If you deal with several charities this way, AND you're bundling up several donations before forwarding the coins to the charity, then it'll be hard to connect donors to particular charities.

How often do you get the chance to work on a potentially world-changing project?
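
The flow described in post #6, as an added example that is not part of the original thread or the Bitcoin client's code. `FakeWallet` is a constructed in-memory stand-in that mimics the `getaccountaddress` / `getbalance` / `sendfrom` behaviour as the post describes it; the function names `donation_address` and `sweep`, the integer amounts, and the absence of fees are assumptions.

```python
class FakeWallet:
    """Constructed stand-in for the account RPCs named in post #6 (not real bitcoind)."""
    def __init__(self):
        self.counter = 0
        self.current = {}      # account -> address currently handed out
        self.owner = {}        # address -> account
        self.received = set()  # addresses that have already received coins
        self.balance = {}      # account -> balance (integer units, assumption)
        self.sent = []         # log of (account, destination, amount)

    def getaccountaddress(self, account):
        # Same address over and over until somebody pays it, then a fresh one.
        addr = self.current.get(account)
        if addr is None or addr in self.received:
            self.counter += 1
            addr = f"placeholder-addr-{self.counter}"  # not a real address
            self.current[account] = addr
            self.owner[addr] = account
        return addr

    def getbalance(self, account):
        return self.balance.get(account, 0)

    def sendfrom(self, account, destination, amount):
        if amount <= 0 or amount > self.getbalance(account):
            raise ValueError("invalid amount for account balance")
        self.balance[account] -= amount
        self.sent.append((account, destination, amount))

    def simulate_donation(self, address, amount):
        # Test helper: a donor pays one of the handed-out addresses.
        account = self.owner[address]
        self.received.add(address)
        self.balance[account] = self.getbalance(account) + amount


def donation_address(rpc, charity):
    """Called when the donate page is rendered."""
    return rpc.getaccountaddress(charity)


def sweep(rpc, payout_addresses):
    """Periodic job: forward each charity's accumulated balance in one payment."""
    forwarded = {}
    for charity, destination in payout_addresses.items():
        balance = rpc.getbalance(charity)
        if balance > 0:  # only forward when something has accumulated
            rpc.sendfrom(charity, destination, balance)
            forwarded[charity] = balance
    return forwarded
```

Running `sweep` less often bundles more donations into each forwarded payment, which is the property the post relies on to make donors harder to connect to a charity.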
FatherMcGruder
December 14, 2010, 07:20:16 PM
 #7

> If you deal with several charities this way, AND you're bundling up several donations before forwarding the coins to the charity, then it'll be hard to connect donors to particular charities.

What if the receiver intends not merely to obfuscate the senders, but also his income?

davout
December 15, 2010, 01:11:31 PM
 #8

As soon as the person receiving donations spends the coins in larger amounts than the donations it will be possible to link the addresses together with the BBE.

FreeMoney
December 15, 2010, 01:49:15 PM
 #9

> As soon as the person receiving donations spends the coins in larger amounts than the donations it will be possible to link the addresses together with the BBE.

Do you mean because coins will be sent from multiple addresses?

Can't this be avoided by spending exactly the amount received from one address?

Get 18BTC from 1Nk... and 10BTC from 1Lo... so you don't spend 20 because that will link them, you send 18 to mtgox then you send 10 to mtgox then you cash out 26 at some point later and sell 2 for USD or whatever.

Maybe I miss your point though.

davout
December 15, 2010, 02:30:40 PM
 #10

>> As soon as the person receiving donations spends the coins in larger amounts than the donations it will be possible to link the addresses together with the BBE.
>
> Do you mean because coins will be sent from multiple addresses?
>
> Can't this be avoided by spending exactly the amount received from one address?
>
> Get 18BTC from 1Nk... and 10BTC from 1Lo... so you don't spend 20 because that will link them, you send 18 to mtgox then you send 10 to mtgox then you cash out 26 at some point later and sell 2 for USD or whatever.
>
> Maybe I miss your point though.

No :)
You got my point perfectly! Transferring to MtGox is a perfect countermeasure since everything gets pooled.
However, MtGox would then be aware of that. But that might be acceptable.

Just wanted to point out the fact that the one-address-per-payment solution is a good start but definitely sufficient to achieve a good level of anonymity
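
The linking effect discussed in posts #8 to #10, as an added example that is not part of the original thread: addresses spent together as inputs of one transaction are grouped as belonging to one owner. The transactions are constructed sample data, the labels `1Nk...` and `1Lo...` are the truncated addresses from post #9 treated as the receiver's two donation addresses (an assumption), and only the input side is modelled, so what the deposit recipient learns is out of scope.

```python
def cluster_addresses(transactions):
    """Group addresses that appear together as inputs of the same transaction."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            find(addr)                 # register every spending address
        for other in inputs[1:]:
            union(inputs[0], other)    # co-spent inputs share an owner

    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return sorted(sorted(members) for members in clusters.values())


def are_linked(transactions, a, b):
    """True if a and b end up in the same cluster."""
    return any(a in c and b in c for c in cluster_addresses(transactions))


# Constructed data: 18 BTC sits on "1Nk...", 10 BTC on "1Lo...".
# Spending 20 needs both coins as inputs of a single transaction.
LINKED_SPEND = [{"inputs": ["1Nk...", "1Lo..."], "note": "one payment of 20"}]

# Spending exactly what each address received keeps the inputs apart.
SEPARATE_SPENDS = [
    {"inputs": ["1Nk..."], "note": "send 18"},
    {"inputs": ["1Lo..."], "note": "send 10"},
]
```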
