Bitcoin Forum
December 03, 2016, 11:53:40 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 »  All
  Print  
Author Topic: How To Automate Bitcoin Payments For Website Sales??  (Read 3481 times)
adamstgBit
Legendary
*
Offline Offline

Activity: 1904


Trusted Bitcoiner


View Profile WWW
August 07, 2011, 10:00:50 AM
 #1

how do we do this?

1480766020
Hero Member
*
Offline Offline

Posts: 1480766020

View Profile Personal Message (Offline)

Ignore
1480766020
Reply with quote  #2

1480766020
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480766020
Hero Member
*
Offline Offline

Posts: 1480766020

View Profile Personal Message (Offline)

Ignore
1480766020
Reply with quote  #2

1480766020
Report to moderator
BitcoinNotify.com
Jr. Member
*
Offline Offline

Activity: 58


View Profile
August 07, 2011, 10:04:32 AM
 #2

Accepting Bitcoin payments is as easy as handling HTTP requests: https://bitcoinnotify.com/accept-bitcoin-payments

Bitcoins go directly from a customer to your private wallet - no need to trust anyone, no risk of loosing Bitcoins (contrary to i.e. MyBitcoin).

Feel free to PM or e-mail me if you need any help.

PS. Invitation code: HoAR86OQXS
wumpus
Hero Member
*****
Offline Offline

Activity: 798

No Maps for These Territories


View Profile
August 07, 2011, 10:08:01 AM
 #3

I think the bitcoin: URL is a good start

https://bitcointalk.org/index.php?topic=33490.0

Sites could generate this, and the client could listen for them, so that it takes only a push of a button (or a drag/drop action, if you prefer for security reasons) to send the payment to the client. The client will then ask for confirmation before sending the payment to the network.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
MrJoshua
Member
**
Offline Offline

Activity: 76


View Profile
August 07, 2011, 10:10:36 AM
 #4

If you mean how do you implement shopping carts and such with bitcoins? Then you're looking for the json interface to bitcoind:


https://en.bitcoin.it/wiki/API_reference_(JSON-RPC)

Note the link may not work, so cut and paste.


The value of bitcoins is not a theory, predictions of it's failure are what is theoretical.
BitcoinNotify.com
Jr. Member
*
Offline Offline

Activity: 58


View Profile
August 07, 2011, 10:15:25 AM
 #5

If you mean how do you implement shopping cards and such with bitcoins, then you're looking for the json interface to bitcoind

I would strongly discourage this approach. It requires the online store to keep the wallet online, which is extremely hard to secure properly. It also requires setting up bitcoind daemon and custom JSON/RPC integration, which is not trivial for most Merchants. It's far better to use one of existing merchants solutions.
Eli
Full Member
***
Offline Offline

Activity: 128



View Profile
August 07, 2011, 10:18:24 AM
 #6

How about this? PowerPoint presentation of a concept I have for Safebit and online payment.

I can assure you that the pptx is malware/spyware/virus/trojan free, but I would appreciate it if omeone other than me could scan the PowerPoint to verify that it's not stealing anyone's walletz Smiley

It basically goes like this:

Find a bitcoin://vendor.name/price/details/PGPSignature link, click on it, and this pops up in the app:


Click confirm payment and this pops to verify that you really want to send the coins to their destination:

MrJoshua
Member
**
Offline Offline

Activity: 76


View Profile
August 07, 2011, 10:50:20 AM
 #7

If you mean how do you implement shopping cards and such with bitcoins, then you're looking for the json interface to bitcoind

I would strongly discourage this approach. It requires the online store to keep the wallet online, which is extremely hard to secure properly. It also requires setting up bitcoind daemon and custom JSON/RPC integration, which is not trivial for most Merchants. It's far better to use one of existing merchants solutions.

Well unfortunately you are a bit biased.  After recent events the reliability of third parties to manage bitcoins must always be considered lower then managing your own wallets and security.  The entire point of bitcoin is to eliminate the need for third parties, that's a security feature you should not attempt to circumvent unless you thoroughly understand and can tolerate the risks involved.

Also, in point of fact. You do not need to keep a wallet that contains coins in it on the server if you are only receiving payments.  You can pre-generate a number of bitcoin addresses on a secure client and load them into a database table on your site.  Even if you do use a normal server side bitcoind you can also keep a local copy of the same wallet, so that you can regularly sweep money to your trading account of offline savings wallet.


The value of bitcoins is not a theory, predictions of it's failure are what is theoretical.
adamstgBit
Legendary
*
Offline Offline

Activity: 1904


Trusted Bitcoiner


View Profile WWW
August 07, 2011, 10:56:38 AM
 #8

Accepting Bitcoin payments is as easy as handling HTTP requests: https://bitcoinnotify.com/accept-bitcoin-payments

Bitcoins go directly from a customer to your private wallet - no need to trust anyone, no risk of loosing Bitcoins (contrary to i.e. MyBitcoin).

Feel free to PM or e-mail me if you need any help.

PS. Invitation code: HoAR86OQXS

This is the best solution!

it works so well  and so simple to use, i was able to sign up and use there test notification in minutes

and it seems to me a very secure, no need to trust anyone!

wow


MrJoshua
Member
**
Offline Offline

Activity: 76


View Profile
August 07, 2011, 11:15:13 AM
 #9


This is the best solution!

it works so well  and so simple to use, i was able to sign up and use there test notification in minutes

and it seems to me a very secure, no need to trust anyone!

wow



This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind. And it's opening you up to a HUGE security hole. Don't know that that hole is? Then that is exactly why you should not be using third party solutions.  At least one security hole on this site is easy to identify, but that is not true of most 3rd party sites.  You'll never know all the security liabilities.  With bitcoind you know what you're getting into, and it just isn't that much harder to do a json request then to get a post notification from a 3rd party site.

Tell me why are you trying to avoid using the proper API?  You just don't want to read the manual? Reading the manual and learning how bitcoin works is a small price to pay for the security and reliability it can offer if used properly.


The value of bitcoins is not a theory, predictions of it's failure are what is theoretical.
BitcoinNotify.com
Jr. Member
*
Offline Offline

Activity: 58


View Profile
August 07, 2011, 11:25:27 AM
 #10

This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind.

With BitcoinNotify.com:
- you don't need to run a bitcoind daemon on your server
- you don't need to integrate custom JSON/RPC API
- you don't need to keep your wallet online
- you simply handle HTTP requests with purchase notifications

This is a major difference in the ease of payment integration.

Quote from: MrJoshua
And it's opening you up to a HUGE security hole. Don't know that that hole is?

Please be specific.

I suppose you don't have a full understanding of how the service works.

I'll be happy to explain.

Please understand BitcoinNotify is NOT a payment proxy. We never have coins. Payments go directly to the Merchant.

(edited)
BioMike
Legendary
*
Offline Offline

Activity: 1256


View Profile
August 07, 2011, 11:34:43 AM
 #11

BitcoinNotify looks like an usable service. 2 Others:

https://walletbit.com (currently writing a PHP class for this one, but requires customer to be signed up with them as well)
and
http://www.bitcoinpayflow.com
adamstgBit
Legendary
*
Offline Offline

Activity: 1904


Trusted Bitcoiner


View Profile WWW
August 07, 2011, 11:39:16 AM
 #12


This is the best solution!

it works so well  and so simple to use, i was able to sign up and use there test notification in minutes

and it seems to me a very secure, no need to trust anyone!

wow



This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind. And it's opening you up to a HUGE security hole. Don't know that that hole is? Then that is exactly why you should not be using third party solutions.  At least one security hole on this site is easy to identify, but that is not true of most 3rd party sites.  You'll never know all the security liabilities.  With bitcoind you know what you're getting into, and it just isn't that much harder to do a json request then to get a post notification from a 3rd party site.

Tell me why are you trying to avoid using the proper API?  You just don't want to read the manual? Reading the manual and learning how bitcoin works is a small price to pay for the security and reliability it can offer if used properly.

what is the security hole?

to me the worst that can happen is BitcoinNotify goes down and the payment notification is only sent when they come back up?

BitcoinNotify.com
Jr. Member
*
Offline Offline

Activity: 58


View Profile
August 07, 2011, 11:43:16 AM
 #13

BitcoinNotify looks like an usable service.

Thanks for recognition.

Quote from: BioMike
https://walletbit.com (currently writing a PHP class for this one, but requires customer to be signed up with them as well)
and
http://www.bitcoinpayflow.com

The major difference is that BitcoinNotify does not store your coins.

Payments go directly from a customer to your private wallet (possibly disconnected from the network).

On the contrary, BitcoinPayflow and WalletBit are very nicely designed but you need to trust in the perfect security of these services, as the wallets are being kept online.
BitcoinNotify.com
Jr. Member
*
Offline Offline

Activity: 58


View Profile
August 07, 2011, 11:46:38 AM
 #14

Quote from: adamstgBit
to me the worst that can happen is BitcoinNotify goes down and the payment notification is only sent when they come back up?

Exactly. With BitcoinNotify, the worst thing that can possibly happen to you is not receiving the notification...
MrJoshua
Member
**
Offline Offline

Activity: 76


View Profile
August 07, 2011, 11:52:13 AM
 #15

This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind.

With BitcoinNotify.com you don't need to keep your wallet online. This is a major difference. Securing online wallet properly is extremely hard.

bitcoind can monitor the blockchain without access to your receiving wallet just as easily as a third party service.

Quote from: MrJoshua
And it's opening you up to a HUGE security hole. Don't know that that hole is?


Please be specific.

Quote
You can expect Bitcoin payment notification in seconds after your customer clicks "Send" button in his Bitcoin client. While technically the transaction is not confirmed by the Bitcoin network, for most purposes it is practical to consider it so. Support for "confirmed" transactions is being developed for those cases when you need to be 100% sure (and do accept delays).

Do you see it now?

Considering how many people trusted mybitcoin, and a startling willingness to abandon a key security feature of bitcoin I think it's important that everyone understand that security is a multifaceted problem. You need to be very conscious when you are explicitly or implicitly trusting a 3rd party.  Bitcoin as a system is well designed, but you eliminate the value of that design if you start working around it buy using online wallets, merchant services etc.  

I'm not saying you can't use those things.  But why use them if the built in tools do almost exactly the same thing more securely? If you understand how to use bitcoin, and you have a specific need for a 3rd party service, then you should also understand as well as possible what risk you are absorbing.  A LOT of people on this list lost money because they failed to notice when that where circumventing their own security.  

Understand first. Trust second.

j

P.S. Note that I'm not saying this service is bad.  If you know a site is bad security questions are easy to answer.  I'm simply rebutting the assertion above that it is better to trust a 3rd party then the bitcoind and API.

P.P.S:
Exactly. With BitcoinNotify, the worst thing that can possibly happen to you is not receiving the notification...

This just proves that neither of you are considering ALL of the security issues.  It's actually really hard to do. That's why you should just try to use the bitcoind system if you can.  It's vetted, peer reviewed open source, and well understood by a large community who could help you if you have trouble.

The value of bitcoins is not a theory, predictions of it's failure are what is theoretical.
BitcoinNotify.com
Jr. Member
*
Offline Offline

Activity: 58


View Profile
August 07, 2011, 12:10:03 PM
 #16

Quote from: MrJoshua
bitcoind can monitor the blockchain without access to your receiving wallet just as easily as a third party service.

This is not the case. While bitcoind indeed monitors the whole blockchain, the JSON / RPC API gives you information only about your own addresses.

Please test for example getreceivedbyaddress API call. It will work only for your addresses, not for arbitrary Bitcoin address.

This means that:
- either you keep your wallet online and use relatively easy JSON / RPC API...
- either you you have to use the binary p2p API, which is pain in the arse and far behind capabilities of 99% Merchants, I guess.

Quote from: MrJoshua
Quote
You can expect Bitcoin payment notification in seconds after your customer clicks "Send" button in his Bitcoin client. While technically the transaction is not confirmed by the Bitcoin network, for most purposes it is practical to consider it so. Support for "confirmed" transactions is being developed for those cases when you need to be 100% sure (and do accept delays).

Do you see it now?

Thank you for being more precise.

As explained, support for confirmed transactions is on the way. It is up to the Merchant to decide, how many confirmations he considers "safe" for which product. Bitcoin wiki itselft suggests accepting not confirmed payments for cheap / low-risk products / services.

But you are right - I should make it more clear to avoid any misconceptions.

(edited)
indicasteve
Full Member
***
Offline Offline

Activity: 140



View Profile WWW
August 07, 2011, 12:25:32 PM
 #17

I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...
Quote

Someone might be able to forge a 'payment sent' request to your user's website by simple spoofing your IP address since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.


Art Express!  Native American Art, Crafts and Weapons!  coingig.com/ArtExpress
adamstgBit
Legendary
*
Offline Offline

Activity: 1904


Trusted Bitcoiner


View Profile WWW
August 07, 2011, 02:06:30 PM
 #18

I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...
Quote

Someone might be able to forge a 'payment sent' request to your user's website by simple spoofing your IP address since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.



issues worth noting.

any ideas on how to fix this issues?

maybe you could send me an encrypted password along with the other information.
on my side once i can check the password and know its not a fake



payb.tc
Hero Member
*****
Offline Offline

Activity: 812



View Profile
August 07, 2011, 02:08:55 PM
 #19

I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...
Quote

Someone might be able to forge a 'payment sent' request to your user's website by simple spoofing your IP address since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.



issues worth noting.

any ideas on how to fix this issues?

maybe you could send me an encrypted password along with the other information.
on my side once i can check the password and know its not a fake




you could try reading the api documentation for liberty reserve, alertpay, etc for security ideas.
adamstgBit
Legendary
*
Offline Offline

Activity: 1904


Trusted Bitcoiner


View Profile WWW
August 07, 2011, 02:18:22 PM
 #20

Quote

you could try reading the api documentation for liberty reserve, alertpay, etc for security ideas.


BitcoinNotify.com please rework your idea, in light of the issues presented

i think your on the right track with the idea that you don't hold the coins you simply tell me when they have arrived

once you can solve the fake IP problem i think we will be set.

maybe if my site it self went and checked the block chain data, then i would only have to trust my self....

interesting...

Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!