1base58
Newbie
Offline
Activity: 18
Merit: 0
|
|
July 03, 2013, 04:28:42 AM |
|
ASICMINER shares are tied to addresses. Exchanges hold the shares themselves, they are passthroughs.
We use Google's 2FA security model - you can disable 2FA without entering the code in case you lost your phone - this requires you to have a signed in session. Sessions are both IP and user agent locked.
Our site is secure against XSS attacks, as well as CSRF attacks.
Thanks for your feedback! One of the directions we may be going into is a multicurrency wallet with a built in exchange. However, we also want to focus on the core for now.
I can accept 2FA being disabled without requiring the code. It is more concerning that the 2FA secret is shown on the account details page. I believe the best practice adopted by Google / Dropbox is to not reveal the secret once enabled, and to use a new secret if 2FA was disabled then reenabled. Hey, thanks for answering my questions, and I certainly hope you support LTC in the future. You only have to read this thread to see how the lack of a secure & trusted online wallet for LTC is an opportunity for scammers and hurts the cryptocurrency community.
|
|
|
|
btc4ever
|
|
July 03, 2013, 04:46:27 AM |
|
I am glad to see this service announcement. Coincidentally, I just started a thread about using payment processors that support btc-to-email in order to implement a massive bitcoin moneybomb sending BTC to either: a) friends/family to promote awareness/adoption, and expand the btc economy. b) a single charity, to promote public image. Perhaps inputs.io can help us pull this off. https://bitcointalk.org/index.php?topic=248870.new#new
|
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 03, 2013, 05:07:07 AM |
|
I can accept 2FA being disabled without requiring the code. It is more concerning that the 2FA secret is shown on the account details page. I believe the best practice adopted by Google / Dropbox is to not reveal the secret once enabled, and to use a new secret if 2FA was disabled then reenabled. Hey, thanks for answering my questions, and I certainly hope you support LTC in the future. You only have to read this thread to see how the lack of a secure & trusted online wallet for LTC is an opportunity for scammers and hurts the cryptocurrency community.
2FA code is now hidden entirely after it has been enabled, and a new secret is generated every time it is disabled. UI on smaller screens also fixed. You'll need to do a hard refresh. Thank you!
|
|
|
|
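The secret-handling behaviour discussed in the posts above, as an added example that is not part of the thread and is not Inputs.io's code: the TOTP secret is returned only while enrollment is pending, never appears in account details, and is discarded on disable so that re-enabling issues a fresh one. The class and method names are hypothetical, and session checks are out of scope.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TwoFactor:  # hypothetical account-side state, for illustration only
    def __init__(self):
        self.secret = None
        self.enabled = False

    def begin_enrollment(self):
        """The only call that ever returns the secret."""
        if self.enabled:
            raise PermissionError("2FA already enabled; secret is not revealed")
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.secret

    def confirm(self, code, at):
        """Enable 2FA once the user proves the authenticator holds the secret."""
        if self.secret and not self.enabled:
            expected = totp(self.secret, at)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.enabled = True
        return self.enabled

    def account_details(self):
        # The details page reports status only, never the secret.
        return {"two_factor_enabled": self.enabled}

    def disable(self):
        # Discard the old secret so re-enabling cannot reuse it.
        self.enabled = False
        self.secret = None
```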
Inputs.io
Newbie
Offline
Activity: 5
Merit: 0
|
|
July 03, 2013, 09:44:46 AM |
|
Hi!
This is Inputs' forum account (along with Inputs.io Support).
|
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 03, 2013, 09:47:23 AM |
|
Hi!
This is Inputs' forum account (along with Inputs.io Support).
Confirmed.
|
|
|
|
1base58
Newbie
Offline
Activity: 18
Merit: 0
|
|
July 03, 2013, 10:09:02 AM |
|
2FA code is now hidden entirely after it has been enabled, and a new secret is generated every time it is disabled. UI on smaller screens also fixed. You'll need to do a hard refresh. Thank you!
That was quick. It's working as expected. I see you're making changes to the front page as well. I don't know what you had in mind for the spin effect graphic, but I can say it makes my head hurt.
|
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 03, 2013, 10:20:26 AM |
|
Tweaked it a bit and added a touch of color. Let me know what you think. If it made your head spin,
|
|
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 03, 2013, 11:58:34 AM |
|
Your TX has been credited.
|
|
|
|
Herbert
|
|
July 03, 2013, 12:33:11 PM |
|
Your TX has been credited.
Got it, thanks!
|
|
|
|
Turbonoodle
Newbie
Offline
Activity: 6
Merit: 0
|
|
July 03, 2013, 02:32:55 PM |
|
Great site!
Some questions:
1. In the Send Bitcoins page, there is a USD calculator box. Any chance you could add a preference to change it to Euro, too? Also, where are you getting the exchange rate for that?
2. I understand that you can withdraw from Coinlenders back to inputs.io. You also can send instantly to just-dice, but looks like you can't send back to inputs.io wallet from there. Any plans to allow instant withdrawals from just-dice to inputs.io wallet?
|
|
|
|
Herbert
|
|
July 03, 2013, 02:43:30 PM |
|
2. I understand that you can withdraw from Coinlenders back to inputs.io. You also can send instantly to just-dice, but looks like you can't send back to inputs.io wallet from there. Any plans to allow instant withdrawals from just-dice to inputs.io wallet?
I think in some thread Dooglus mentioned that withdrawal from just-dice to inputs.io will be implemented soon.
|
|
|
|
whiskers75
|
|
July 03, 2013, 05:41:15 PM |
|
Awesome service! Yay, no more waiting for confirms.
|
|
|
|
Herbert
|
|
July 03, 2013, 06:48:59 PM |
|
It seems you put a lot of thought into security measures. Still it seems the callback API is somehow lacking. The only proof that the callback is actually coming from your site is the IP-Address of the sender. There are possibilities to spoof the source IP of a TCP connection, especially in a case where the attacker has access to the subnet of the receiving system (see e.g. http://www.symantec.com/connect/articles/ip-spoofing-introduction). You should consider adding another security layer here. For example on bitcoinmonitor.net callback notifications I added a signature to the callback data which makes sure that the callback was created by the server and not someone else (see http://www.bitcoinmonitor.net/help/ -> section "security"). As the signed data does not contain a time component this is probably still prone to replay attacks of the same request with same signature and spoofed sourceIP, but at least raises the bar. And I am sure there are advanced cryptotechniques that could also close this attack vector.
|
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 03, 2013, 11:52:25 PM |
|
Hi Herbert, Thank you for your comments. We support adding secrets to your callback URL. Example: https://www.example.com/callback?sec=putSomethingHere
Use that as your callback URL. Use SSL so others will not know your secret. It is not open to replay attacks as for record keeping purposes you should be recording all transactions including the TXID.
|
|
|
|
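A receiver that combines the points raised in the two posts above, as an added example that is not part of the thread and is not Inputs.io's or bitcoinmonitor.net's API: the callback is authenticated by an HMAC rather than by source IP, the signed data carries a timestamp, and the TXID is recorded so a replay is ignored. The field names (`txid`, `amount`, `ts`, `sig`), the key and the 300-second window are assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed values for this example; the field names are hypothetical.
CALLBACK_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300


def sign_callback(txid, amount, ts, key=CALLBACK_KEY):
    """Sender side: HMAC over an unambiguous encoding of the signed fields."""
    message = json.dumps([txid, amount, ts]).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class CallbackReceiver:
    def __init__(self, key=CALLBACK_KEY, clock=time.time):
        self.key = key
        self.clock = clock
        self.seen_txids = set()  # stands in for the merchant's transaction table

    def handle(self, params):
        try:
            txid, amount, ts, sig = (params[k] for k in ("txid", "amount", "ts", "sig"))
            sent_at = int(ts)
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed"
        expected = sign_callback(txid, amount, ts, self.key)
        # Constant-time comparison; the source IP is never consulted.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "rejected: bad signature"
        # The signed timestamp bounds how long a captured request stays valid.
        if abs(self.clock() - sent_at) > MAX_AGE_SECONDS:
            return "rejected: stale"
        # Recording the TXID makes a replay inside the window a no-op.
        if txid in self.seen_txids:
            return "ignored: duplicate txid"
        self.seen_txids.add(txid)
        return "credited"
```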
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 04, 2013, 03:26:51 AM |
|
Great site!
Some questions:
1. In the Send Bitcoins page, there is a USD calculator box. Any chance you could add a preference to change it to Euro, too? Also, where are you getting the exchange rate for that?
2. I understand that you can withdraw from Coinlenders back to inputs.io. You also can send instantly to just-dice, but looks like you can't send back to inputs.io wallet from there. Any plans to allow instant withdrawals from just-dice to inputs.io wallet?
1. Done. See the latest news update.
2. Yes, dooglus should support that soon.
Thank you for all the feedback and suggestions. We want to make Inputs even better (not saying we're not already the best wallet out there, heh)
|
|
|
|
dillpicklechips
|
|
July 04, 2013, 03:52:23 AM |
|
Very cool site.
A feature that I think would be popular is having a unique inputs.io address for each user. Then inputs.io users can have short little addresses for sending BTC to each other as long as they both have accounts. (Also helps publicity because a side effect will be that people will put input.io addresses in their signature)
I'd love something short like: "h8be" Then I can say: sent payment to input.io user h8be!
Keep up the good work.
|
|
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
July 04, 2013, 07:13:59 AM |
|
Very cool site.
A feature that I think would be popular is having a unique inputs.io address for each user. Then inputs.io users can have short little addresses for sending BTC to each other as long as they both have accounts. (Also helps publicity because a side effect will be that people will put input.io addresses in their signature)
I'd love something short like: "h8be" Then I can say: sent payment to input.io user h8be!
Keep up the good work.
Implemented usernames! Mine is gladoscc / https://inputs.io/u/gladoscc
|
|
|
|
tinus42
|
|
July 04, 2013, 11:13:19 AM |
|
Looks great. I will consider using this for small payments (I won't use any online service to keep serious amounts of coins).
Would be nice that when sending an amount for the total of the wallet the fee is deducted automatically and you see the max. withdrawable amount so you don't have to use a calculator.
BTW is there also going to be an Android app?
|
|
|
|
dillpicklechips
|
|
July 04, 2013, 02:36:43 PM |
|
Any chance of a stats page? I'm most interested in watching off the chain transactions and shared wallet size!
|
|
|
|
|