Bitcoin Forum
Author Topic: How To Automate Bitcoin Payments For Website Sales??  (Read 3952 times)
adamstgBit (OP)
August 07, 2011, 10:00:50 AM
 #1

how do we do this?

Whoever mines the block which ends up containing your transaction will get its fee.
BitcoinNotify.com
August 07, 2011, 10:04:32 AM
 #2

Accepting Bitcoin payments is as easy as handling HTTP requests: https://bitcoinnotify.com/accept-bitcoin-payments

Bitcoins go directly from a customer to your private wallet - no need to trust anyone, no risk of losing Bitcoins (contrary to, e.g., MyBitcoin).

Feel free to PM or e-mail me if you need any help.

PS. Invitation code: HoAR86OQXS
wumpus
August 07, 2011, 10:08:01 AM
 #3

I think the bitcoin: URL is a good start

https://bitcointalk.org/index.php?topic=33490.0

Sites could generate this, and the client could listen for them, so that it takes only a push of a button (or a drag/drop action, if you prefer for security reasons) to send the payment to the client. The client will then ask for confirmation before sending the payment to the network.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
MrJoshua
August 07, 2011, 10:10:36 AM
Last edit: August 07, 2011, 11:26:03 AM by MrJoshua
 #4

If you mean how to implement shopping carts and such with bitcoins, then you're looking for the JSON interface to bitcoind:


https://en.bitcoin.it/wiki/API_reference_(JSON-RPC)

Note the link may not work, so cut and paste.


The value of bitcoins is not a theory; predictions of its failure are what is theoretical.
BitcoinNotify.com
August 07, 2011, 10:15:25 AM
 #5

Quote from: MrJoshua
If you mean how do you implement shopping carts and such with bitcoins, then you're looking for the json interface to bitcoind

I would strongly discourage this approach. It requires the online store to keep the wallet online, which is extremely hard to secure properly. It also requires setting up the bitcoind daemon and custom JSON/RPC integration, which is not trivial for most Merchants. It's far better to use one of the existing merchant solutions.
Eli
August 07, 2011, 10:18:24 AM
 #6

How about this? PowerPoint presentation of a concept I have for Safebit and online payment.

I can assure you that the pptx is malware/spyware/virus/trojan free, but I would appreciate it if someone other than me could scan the PowerPoint to verify that it's not stealing anyone's walletz :)

It basically goes like this:

Find a bitcoin://vendor.name/price/details/PGPSignature link, click on it, and this pops up in the app:


Click confirm payment and this pops to verify that you really want to send the coins to their destination:

MrJoshua
August 07, 2011, 10:50:20 AM
 #7

Quote from: BitcoinNotify.com
Quote from: MrJoshua
If you mean how do you implement shopping carts and such with bitcoins, then you're looking for the json interface to bitcoind

I would strongly discourage this approach. It requires the online store to keep the wallet online, which is extremely hard to secure properly. It also requires setting up the bitcoind daemon and custom JSON/RPC integration, which is not trivial for most Merchants. It's far better to use one of the existing merchant solutions.

Well, unfortunately you are a bit biased. After recent events the reliability of third parties to manage bitcoins must always be considered lower than managing your own wallets and security. The entire point of bitcoin is to eliminate the need for third parties; that's a security feature you should not attempt to circumvent unless you thoroughly understand and can tolerate the risks involved.

Also, in point of fact, you do not need to keep a wallet that contains coins on the server if you are only receiving payments. You can pre-generate a number of bitcoin addresses on a secure client and load them into a database table on your site. Even if you do use a normal server-side bitcoind, you can also keep a local copy of the same wallet, so that you can regularly sweep money to your trading account or offline savings wallet.


adamstgBit (OP)
August 07, 2011, 10:56:38 AM
 #8

Quote from: BitcoinNotify.com
Accepting Bitcoin payments is as easy as handling HTTP requests: https://bitcoinnotify.com/accept-bitcoin-payments

Bitcoins go directly from a customer to your private wallet - no need to trust anyone, no risk of losing Bitcoins (contrary to, e.g., MyBitcoin).

Feel free to PM or e-mail me if you need any help.

PS. Invitation code: HoAR86OQXS

This is the best solution!

it works so well and is so simple to use, i was able to sign up and use their test notification in minutes

and it seems to me very secure, no need to trust anyone!

wow


MrJoshua
August 07, 2011, 11:15:13 AM
 #9


Quote from: adamstgBit
This is the best solution!

it works so well and is so simple to use, i was able to sign up and use their test notification in minutes

and it seems to me very secure, no need to trust anyone!

wow



This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind. And it's opening you up to a HUGE security hole. Don't know what that hole is? Then that is exactly why you should not be using third party solutions. At least one security hole on this site is easy to identify, but that is not true of most 3rd party sites. You'll never know all the security liabilities. With bitcoind you know what you're getting into, and it just isn't that much harder to do a json request than to get a post notification from a 3rd party site.

Tell me, why are you trying to avoid using the proper API? You just don't want to read the manual? Reading the manual and learning how bitcoin works is a small price to pay for the security and reliability it can offer if used properly.


BitcoinNotify.com
August 07, 2011, 11:25:27 AM
Last edit: August 07, 2011, 11:35:54 AM by BitcoinNotify.com
 #10

Quote from: MrJoshua
This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind.

With BitcoinNotify.com:
- you don't need to run a bitcoind daemon on your server
- you don't need to integrate a custom JSON/RPC API
- you don't need to keep your wallet online
- you simply handle HTTP requests with purchase notifications

This is a major difference in the ease of payment integration.

Quote from: MrJoshua
And it's opening you up to a HUGE security hole. Don't know that that hole is?

Please be specific.

I suppose you don't have a full understanding of how the service works.

I'll be happy to explain.

Please understand BitcoinNotify is NOT a payment proxy. We never have coins. Payments go directly to the Merchant.

(edited)
BioMike
August 07, 2011, 11:34:43 AM
 #11

BitcoinNotify looks like a usable service. 2 others:

https://walletbit.com (currently writing a PHP class for this one, but requires customer to be signed up with them as well)
and
http://www.bitcoinpayflow.com
adamstgBit (OP)
August 07, 2011, 11:39:16 AM
 #12


Quote from: MrJoshua
Quote from: adamstgBit
This is the best solution!

it works so well and is so simple to use, i was able to sign up and use their test notification in minutes

and it seems to me very secure, no need to trust anyone!

wow

This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind. And it's opening you up to a HUGE security hole. Don't know what that hole is? Then that is exactly why you should not be using third party solutions. At least one security hole on this site is easy to identify, but that is not true of most 3rd party sites. You'll never know all the security liabilities. With bitcoind you know what you're getting into, and it just isn't that much harder to do a json request than to get a post notification from a 3rd party site.

Tell me, why are you trying to avoid using the proper API? You just don't want to read the manual? Reading the manual and learning how bitcoin works is a small price to pay for the security and reliability it can offer if used properly.

what is the security hole?

to me the worst that can happen is BitcoinNotify goes down and the payment notification is only sent when they come back up?

BitcoinNotify.com
August 07, 2011, 11:43:16 AM
 #13

Quote from: BioMike
BitcoinNotify looks like a usable service.

Thanks for the recognition.

Quote from: BioMike
https://walletbit.com (currently writing a PHP class for this one, but requires customer to be signed up with them as well)
and
http://www.bitcoinpayflow.com

The major difference is that BitcoinNotify does not store your coins.

Payments go directly from a customer to your private wallet (possibly disconnected from the network).

On the contrary, BitcoinPayflow and WalletBit are very nicely designed but you need to trust in the perfect security of these services, as the wallets are being kept online.
BitcoinNotify.com
August 07, 2011, 11:46:38 AM
 #14

Quote from: adamstgBit
to me the worst that can happen is BitcoinNotify goes down and the payment notification is only sent when they come back up?

Exactly. With BitcoinNotify, the worst thing that can possibly happen to you is not receiving the notification...
MrJoshua
August 07, 2011, 11:52:13 AM
Last edit: August 07, 2011, 12:11:29 PM by MrJoshua
 #15

Quote from: MrJoshua
This is EXACTLY the kind of mistake I'm talking about. That service is not providing anything you can't easily do with a bitcoind.

Quote from: BitcoinNotify.com
With BitcoinNotify.com you don't need to keep your wallet online. This is a major difference. Securing an online wallet properly is extremely hard.

bitcoind can monitor the blockchain without access to your receiving wallet just as easily as a third party service.

Quote from: MrJoshua
And it's opening you up to a HUGE security hole. Don't know that that hole is?


Quote from: BitcoinNotify.com
Please be specific.

Quote
You can expect Bitcoin payment notification in seconds after your customer clicks "Send" button in his Bitcoin client. While technically the transaction is not confirmed by the Bitcoin network, for most purposes it is practical to consider it so. Support for "confirmed" transactions is being developed for those cases when you need to be 100% sure (and do accept delays).

Do you see it now?

Considering how many people trusted mybitcoin, and a startling willingness to abandon a key security feature of bitcoin, I think it's important that everyone understand that security is a multifaceted problem. You need to be very conscious when you are explicitly or implicitly trusting a 3rd party. Bitcoin as a system is well designed, but you eliminate the value of that design if you start working around it by using online wallets, merchant services etc.

I'm not saying you can't use those things. But why use them if the built-in tools do almost exactly the same thing more securely? If you understand how to use bitcoin, and you have a specific need for a 3rd party service, then you should also understand as well as possible what risk you are absorbing. A LOT of people on this list lost money because they failed to notice when they were circumventing their own security.

Understand first. Trust second.

j

P.S. Note that I'm not saying this service is bad. If you know a site is bad, security questions are easy to answer. I'm simply rebutting the assertion above that it is better to trust a 3rd party than the bitcoind and API.

P.P.S:
Quote from: BitcoinNotify.com
Exactly. With BitcoinNotify, the worst thing that can possibly happen to you is not receiving the notification...

This just proves that neither of you is considering ALL of the security issues. It's actually really hard to do. That's why you should just try to use the bitcoind system if you can. It's vetted, peer-reviewed open source, and well understood by a large community who could help you if you have trouble.

BitcoinNotify.com
August 07, 2011, 12:10:03 PM
Last edit: August 07, 2011, 12:24:51 PM by BitcoinNotify.com
 #16

Quote from: MrJoshua
bitcoind can monitor the blockchain without access to your receiving wallet just as easily as a third party service.

This is not the case. While bitcoind indeed monitors the whole blockchain, the JSON-RPC API gives you information only about your own addresses.

Please test, for example, the getreceivedbyaddress API call. It will work only for your addresses, not for an arbitrary Bitcoin address.

This means that:
- either you keep your wallet online and use the relatively easy JSON-RPC API...
- or you have to use the binary P2P API, which is a pain in the arse and far beyond the capabilities of 99% of Merchants, I guess.

Quote from: MrJoshua
Quote
You can expect Bitcoin payment notification in seconds after your customer clicks "Send" button in his Bitcoin client. While technically the transaction is not confirmed by the Bitcoin network, for most purposes it is practical to consider it so. Support for "confirmed" transactions is being developed for those cases when you need to be 100% sure (and do accept delays).

Do you see it now?

Thank you for being more precise.

As explained, support for confirmed transactions is on the way. It is up to the Merchant to decide how many confirmations he considers "safe" for which product. The Bitcoin wiki itself suggests accepting unconfirmed payments for cheap / low-risk products / services.

But you are right - I should make it more clear to avoid any misconceptions.

(edited)
indicasteve
August 07, 2011, 12:25:32 PM
 #17

I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...

Someone might be able to forge a 'payment sent' request to your user's website by simply spoofing your IP address, since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.


Art Express!  Native American Art, Crafts and Weapons!  coingig.com/ArtExpress
adamstgBit (OP)
August 07, 2011, 02:06:30 PM
 #18

Quote from: indicasteve
I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...

Someone might be able to forge a 'payment sent' request to your user's website by simply spoofing your IP address, since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet, so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.



issues worth noting.

any ideas on how to fix these issues?

maybe you could send me an encrypted password along with the other information.
on my side, once i can check the password, i know it's not a fake



payb.tc
August 07, 2011, 02:08:55 PM
 #19

Quote from: adamstgBit
Quote from: indicasteve
I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...

Someone might be able to forge a 'payment sent' request to your user's website by simply spoofing your IP address, since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet, so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.

issues worth noting.

any ideas on how to fix these issues?

maybe you could send me an encrypted password along with the other information.
on my side, once i can check the password, i know it's not a fake




you could try reading the api documentation for liberty reserve, alertpay, etc for security ideas.
adamstgBit (OP)
August 07, 2011, 02:18:22 PM
 #20

Quote from: payb.tc

you could try reading the api documentation for liberty reserve, alertpay, etc for security ideas.


BitcoinNotify.com, please rework your idea in light of the issues presented.

i think you're on the right track with the idea that you don't hold the coins, you simply tell me when they have arrived

once you can solve the fake IP problem i think we will be set.

maybe if my site itself went and checked the block chain data, then i would only have to trust myself....

interesting...

wumpus
August 07, 2011, 02:33:09 PM
 #21

Quote from: adamstgBit
maybe if my site itself went and checked the block chain data, then i would only have to trust myself....

I think the best option would be a lightweight client that listens in on the P2P network, passively checks the block chain data and dispatches notifications for receives on a set of addresses. That prevents you from relying on a single point of failure.

I mean, an external provider is easier to use, but what if bitcoinnotify is hacked? It could lie that it receives coins. The P2P network and block chain is in place exactly to prevent this kind of lying.

Don't get me wrong -- I do think bitcoinnotify is a great service, especially for testing and initial development. You can always switch to your own block chain listener later.


BitPay Business Solutions
August 07, 2011, 02:41:26 PM
 #22

Adam,

check out

https://bit-pay.com

We let you price your items/cart in USD and we handle the rate conversion at the point of payment. If you'd like to see it in action, visit this handful of merchants that are using it:

http://bitcoinconference.com

http://www.staremagazine.com/Store/PurchaseIssue.asp?IssueID=116

http://ogdogg.com

send me a PM if you have any questions.

Thanks!
Tony



BitPay : The World Leader in Bitcoin Business Solutions

https://bitpay.com

Does your website accept bitcoins?
nmat
August 07, 2011, 02:46:43 PM
 #23

Quote from: BitPay Business Solutions
...

I was surprised no one mentioned bit-pay yet ;)
indicasteve
August 07, 2011, 08:39:48 PM
 #24

Quote from: adamstgBit
Quote from: indicasteve
I thought Josh was talking about the fact that the only authorization is your IP address:

Quote
All HTTP notifications are sent with the POST method from the IP 46.4.90.208.

You should check the request IP in your controller to ensure the notification actually comes from us.
...

Someone might be able to forge a 'payment sent' request to your user's website by simply spoofing your IP address, since it appears there is no authentication or token or anything sent in the POST request itself to prevent a fake payment acknowledgement.

An IP address spoofing explanation is here:
http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

If I could spoof your address I could send fake payment acknowledgements to all your users.

But, I'll be honest, I only took a quick look at your docs and I don't know your system nor have I tried it yet, so maybe I'm just blowing smoke out my ass.

But if I'm right, you should probably fix that.

issues worth noting.

any ideas on how to fix these issues?

maybe you could send me an encrypted password along with the other information.
on my side, once i can check the password, i know it's not a fake





You need to sign the messages using a secret that only the sender and receiver knows.

You can do this by concatenating all the data you send into one long string, then adding a secret code to the end of the string.

Then you do a SHA256 hash on the string and send the hash with the data.

The person on the other end who receives the data can do the same procedure ... concatenate all the data, add the secret, then get a hash.

If the sender's hash == the end user's hash then the data must have come from the sender, because only you and the sender should know the secret.

The secret is never sent to the receiver in the transaction.  Only the hash of data+secret is sent.

For further protection, add a timestamp to the data to ensure a unique hash will always be created.  The receiver can also check this timestamp to ensure it is a recent transaction.

For further protection against 'replay' attacks, the user can store all the hashes in a DB and reject any attempts to use the same hash twice.



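The scheme indicasteve describes above, written out as an added example (this is not code from the thread, from BitcoinNotify or from any other service named here): the sender serialises the notification fields together with a timestamp, computes a keyed hash over them with a shared secret that never travels in the request, and sends the tag alongside the data; the receiver recomputes the tag, rejects stale timestamps and refuses to act on a tag it has already seen. Two deliberate changes from the post's wording: the tag is HMAC-SHA256 rather than a bare SHA-256 of data+secret, because HMAC is the standard keyed-hash construction and avoids the subtleties of ad hoc hash-of-concatenation schemes, and the fields are serialised in a fixed, delimited order so that both sides hash exactly the same bytes and a value cannot bleed into a neighbouring field. The secret, the field names and the sample values are constructed placeholders, and the seen-tag set stands in for the database table the post mentions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Shared secret: constructed placeholder. In practice a long random value
# issued once per merchant; it is never included in a notification.
SECRET = b"example-merchant-secret-placeholder"

# Notifications whose timestamp is further than this (seconds) from the
# receiver's clock are rejected as stale.
MAX_AGE_SECONDS = 300


def canonical_payload(fields):
    """Serialise the fields in a fixed order with explicit separators.

    Sorting by key and URL-encoding as key=value&key=value means sender and
    receiver hash exactly the same bytes, and a value cannot be shifted into
    a neighbouring field the way a plain concatenation would allow.
    """
    return urlencode(sorted(fields.items())).encode()


def sign(fields, secret):
    """Hex HMAC-SHA256 tag over the canonical payload (the post's 'hash of data+secret')."""
    return hmac.new(secret, canonical_payload(fields), hashlib.sha256).hexdigest()


def make_notification(fields, secret, now):
    """Sender side: add the timestamp, then sign everything including it."""
    signed = dict(fields, timestamp=str(int(now)))
    signed["signature"] = sign(signed, secret)
    return signed


class NotificationVerifier:
    """Receiver side: signature check, freshness window, replay rejection."""

    def __init__(self, secret, max_age=MAX_AGE_SECONDS):
        self.secret = secret
        self.max_age = max_age
        self.seen_tags = set()  # a persistent database table in production

    def verify(self, notification, now):
        """Return (accepted, reason). Nothing is trusted before the tag checks out."""
        fields = dict(notification)
        tag = fields.pop("signature", None)
        if tag is None or "timestamp" not in fields:
            return False, "missing signature or timestamp"
        expected = sign(fields, self.secret)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False, "bad signature"
        # Only now is the timestamp authenticated and safe to reason about.
        try:
            sent_at = int(fields["timestamp"])
        except ValueError:
            return False, "bad timestamp"
        if abs(int(now) - sent_at) > self.max_age:
            return False, "stale notification"
        if tag in self.seen_tags:
            return False, "replay"
        self.seen_tags.add(tag)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample notification; the address and amount are not real.
    sample = {"address": "1ExampleMerchantAddressPlaceholder", "amount": "0.50", "order_id": "42"}
    note = make_notification(sample, SECRET, now=time.time())
    verifier = NotificationVerifier(SECRET)
    print(verifier.verify(note, now=time.time()))   # (True, 'ok')
    print(verifier.verify(note, now=time.time()))   # (False, 'replay')
    forged = dict(note, amount="50.00")             # tampered in transit
    print(verifier.verify(forged, now=time.time()))  # (False, 'bad signature')
```

The signature is checked before the timestamp is even parsed, since an unauthenticated timestamp is attacker-controlled data; the replay store only needs to retain tags for as long as the freshness window accepts them, because anything older is rejected as stale regardless.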
OgNasty
August 07, 2011, 08:44:45 PM
 #25

www.bit-pay.com

adamstgBit (OP)
August 08, 2011, 02:53:41 AM
 #26


Bit-pay is now available to businesses in the United States :(

I'm from Canada and want to price in BTC and CND$

Raoul Duke
August 08, 2011, 03:08:33 AM
 #27


Quote from: adamstgBit
Bit-pay is now available to businesses in the United States :(

I'm from Canada and want to price in BTC and CND$

Kris, from http://walletbit.com made a Prestashop module that supports all currencies imaginable, using a mix of the TradeHill API and Google's currency conversion calculator ;) Pretty slick if you ask me.

adamstgBit (OP)
August 08, 2011, 03:22:54 AM
 #28

all considered i will go for the BitcoinNotify.com system

but i will handle it in a way that i can't get burnt

BitcoinNotify.com will send me a notification that a payment was sent.

with that information i can tell the customer that his order has gone through and is now being processed

i can then check my wallet b4 i ship the item. (i think i would do this even if BitcoinNotify.com was 100% secure)

99.9% of the customers will have in fact sent me the money

0.01% of the time i will e-mail the hacker explaining that he has to actually send me the funds b4 i send the item.

i can prove that the payment was not sent by looking at the block chain.

...

i will also consider using this http://walletbit.com



kjj
August 08, 2011, 04:29:02 AM
 #29

Quote from: adamstgBit
all considered i will go for the BitcoinNotify.com system

but i will handle it in a way that i can't get burnt

BitcoinNotify.com will send me a notification that a payment was sent.

with that information i can tell the customer that his order has gone through and is now being processed

i can then check my wallet b4 i ship the item. (i think i would do this even if BitcoinNotify.com was 100% secure)

99.9% of the customers will have in fact sent me the money

0.01% of the time i will e-mail the hacker explaining that he has to actually send me the funds b4 i send the item.

i can prove that the payment was not sent by looking at the block chain.

People need to understand that this step is very important, and should not be delegated lightly.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
BitcoinNotify.com
August 09, 2011, 02:16:04 PM
 #30

Quote from: indicasteve
You need to sign the messages using a secret that only the sender and receiver knows.

You can do this by concatenating all the data you send into one long string, then adding a secret code to the end of the string.

Then you do a SHA256 hash on the string and send the hash with the data.

The person on the other end who receives the data can do the same procedure ... concatenate all the data, add the secret, then get a hash.

If the sender's hash == the end user's hash then the data must have come from the sender, because only you and the sender should know the secret.

The secret is never sent to the receiver in the transaction.  Only the hash of data+secret is sent.

For further protection, add a timestamp to the data to ensure a unique hash will always be created.  The receiver can also check this timestamp to ensure it is a recent transaction.

For further protection against 'replay' attacks, the user can store all the hashes in a DB and reject any attempts to use the same hash twice.

Thank you for pointing that out and providing an excellent solution.

Indeed, if someone were able to both spoof the IP and guess the URL, fake notifications could have been sent.

This is fixed now.

All HTTP notifications are signed with a secret token and timestamp. This works exactly as described above by indicasteve.

Here are the docs: https://bitcoinnotify.com/docs
Serge
August 09, 2011, 03:20:48 PM
Last edit: August 09, 2011, 03:59:48 PM by Serge
 #31

With BitcoinNotify do all customers send their payments to a single bitcoin address that merchant provides?


Someone earlier in the thread mentioned "faking an IP address", could someone please explain how it's done?
I know with php's curl lib everything in http headers could be 'faked' except an IP address
kjj
August 09, 2011, 03:54:47 PM
 #32

Quote from: Serge
With BitcoinNotify do all customers send their payments to a single bitcoin address?


Someone earlier in the thread mentioned "faking an IP address", could someone please explain how it's done?
I know with php's curl lib everything in http headers could be 'faked' except an IP address

You have to bypass most of the network stack so you can manually build and emit packets directly at a low level, either as IP packets or ethernet frames, depending on what you need to do.  You also need an ISP that doesn't do egress filtering, unless you are very close to either the recipient or the sender you are trying to spoof.

There are other things you need to do too, like guess the sequence numbers so that you can make it look like you completed the three way handshake even though the SYN-ACK went somewhere else.

BitcoinNotify.com
August 09, 2011, 05:57:00 PM
 #33

Quote from: Serge
With BitcoinNotify do all customers send their payments to a single bitcoin address that the merchant provides?
No, unless the Merchant really wants to.

BitcoinNotify will monitor all receiving addresses submitted by the Merchant and will deliver payment notifications.

Every Merchant pre-generates a set of Bitcoin receiving addresses on his own, using his Bitcoin client.

This small, one-time inconvenience gives the Merchant unmatched protection compared to storing the wallet on the server and generating addresses on demand.

BitcoinNotify is a "keep your wallet disconnected from the network and sleep well" service for Merchants. This is in contrast to MyBitcoin and other available solutions.


Quote from: Serge
Someone earlier in the thread mentioned "faking an IP address", could someone please explain how it's done?

It's relatively hard but in principle possible to fake an IP address. This is why all notifications are signed with a secret token.
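An added example of what "signed with a secret token" buys the merchant, written for this thread rather than taken from BitcoinNotify: the receiving endpoint authenticates the notification body with an HMAC under a shared secret and never consults the source IP, which the thread has just explained can be spoofed. The signing scheme (HMAC-SHA256 over the raw body, hex-encoded), the field names and the secret are assumptions.

```python
import hmac
import hashlib
import json

# Constructed shared secret the merchant configured with the notification service.
# The scheme (HMAC-SHA256 over the raw POST body) is an assumption for this example.
SHARED_SECRET = b"example-merchant-secret-not-real"

def sign_body(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Hex HMAC-SHA256 tag the service would attach to a notification."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_notification(body: bytes, signature_header: str, secret: bytes = SHARED_SECRET):
    """Return the parsed notification if the tag verifies, else None.

    The POST's source IP is deliberately not consulted: an IP can be spoofed,
    but a forged or altered body cannot carry a valid tag without the secret.
    """
    expected = sign_body(body, secret)
    # constant-time comparison so a forger learns nothing from response timing
    if not hmac.compare_digest(expected, signature_header or ""):
        return None
    try:
        note = json.loads(body)
    except ValueError:
        return None
    # accept only well-formed notifications; amounts are strings to avoid float rounding
    for key in ("address", "txid", "amount", "confirmations"):
        if key not in note:
            return None
    return note

# Constructed sample notification, as the service would POST it to the merchant.
SAMPLE_BODY = json.dumps({
    "address": "1ExampleMerchantAddressXXXXXXXXXXX",   # placeholder address
    "txid": "<placeholder txid>",
    "amount": "0.50000000",
    "confirmations": 0,
}).encode()

def demo():
    """Genuine notification verifies; a body with the amount inflated does not."""
    good = verify_notification(SAMPLE_BODY, sign_body(SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b'"0.50000000"', b'"5.00000000"')
    bad = verify_notification(tampered, sign_body(SAMPLE_BODY))
    return good is not None, bad is None
```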
Littleshop
Legendary
August 09, 2011, 06:24:23 PM
 #34

Can you make bitcoin notify work with opencart?


BitcoinNotify.com
Newbie
August 09, 2011, 07:22:19 PM
 #35

Can you make bitcoin notify work with opencart?

I'd love to see a BitcoinNotify plugin for OpenCart.

While personally I must focus in the core service, I can offer any help necessary to someone willing to develop such a plugin.
MrJoshua
Member
August 09, 2011, 11:27:18 PM
 #36

I'm hoping that this thread goes to show that 3rd party services have security flaws, even when they say they don't. It is always your own responsibility to verify the security of your money. You can't trust a sales pitch, however well intentioned.

I am surprised to discover that you can't check payments to random addresses remotely at the moment, so I've tried to give the dev team some encouragement to integrate that feature (which is already available in a patch).

You can use bitcoind on a server and manage the funds entirely yourself. This is as easy as any web service using the JSON interface.  You can have a duplicate of the server's wallet on your own machine, and you can manually or procedurally sweep funds from the online wallet to a more secure wallet at any time.

3rd party solutions are NEVER going to be an easier way to bitcoin security. It is not possible to know all the security issues with a 3rd party solution without access to their entire server/software stack and significant knowledge of possible weaknesses (like IP masquerading). Which is of course harder than securing your own server.  You can always make your server at least as secure as any 3rd party server, and because unix security is a known problem you have lots of resources for improving it.

I think BitcoinNotify is probably a very good service that can help the bitcoin economy, and I want to see more bitcoin merchant related services. I'm glad they attempted to address one of the security issues quickly, but there is still the double spend attack, which is quite a bit easier to exploit than IP masquerading (mybitcoin claims that is exactly what happened to them, losing more than 50% of all customers' assets), and who knows how many other issues (how secure are their servers, are you really going to always check the sig on their POST request?). This may not be an issue for the OP because he can re-verify payments before shipping, but not all services have that window for additional verification. So please understand you ARE compromising your security by using a 3rd party; it is up to you to decide if the benefits outweigh the risk, and you must do so without a full knowledge of what risks that 3rd party is exposing you to.

As I said before, and everyone should know by now, there is no shortcut to security.

Understand first, trust second, and if you must trust someone trust a security professional who is working for you.

j

The value of bitcoins is not a theory, predictions of its failure are what is theoretical.
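An added example of the self-hosted route MrJoshua describes, not code from the thread: the shop asks its own bitcoind over JSON-RPC whether an order's address has received the expected amount with a chosen number of confirmations. The `getreceivedbyaddress <address> <minconf>` call is a real bitcoind RPC; the HTTP transport is injected and replaced here by a constructed fake so the example runs offline, and the address and amounts are placeholders.

```python
import json
from decimal import Decimal
from typing import Callable, List

# Transport that sends a JSON-RPC request body to bitcoind and returns the raw
# response body. In production this is an HTTP POST with the rpcuser/rpcpassword
# from bitcoin.conf; here it is injected so the example runs without a node.
Transport = Callable[[bytes], bytes]

def rpc_call(transport: Transport, method: str, params: List):
    """Issue one JSON-RPC 1.0 call against bitcoind and return its result."""
    request = json.dumps({"jsonrpc": "1.0", "id": "shop",
                          "method": method, "params": params}).encode()
    # parse_float=Decimal keeps BTC amounts exact instead of binary floats
    reply = json.loads(transport(request), parse_float=Decimal)
    if reply.get("error"):
        raise RuntimeError(reply["error"])
    return reply["result"]

def payment_received(transport: Transport, address: str, expected: Decimal, minconf: int) -> bool:
    """True once `address` has received at least `expected` BTC with `minconf` confirmations.

    getreceivedbyaddress only counts outputs with >= minconf confirmations, so a
    0-conf payment satisfies minconf=0 for "show as paid" but not minconf=6 for
    "ship", which is the double-spend window the thread is discussing.
    """
    received = rpc_call(transport, "getreceivedbyaddress", [address, minconf])
    return Decimal(received) >= expected

# Constructed fake bitcoind: one 0.5 BTC payment to the order address with
# 2 confirmations, so it counts at minconf <= 2 and not above.
ORDER_ADDR = "1OrderAddrExampleXXXXXXXXXXXXXXXX"  # placeholder address
FAKE_LEDGER = {ORDER_ADDR: (Decimal("0.5"), 2)}

def fake_bitcoind(request: bytes) -> bytes:
    req = json.loads(request)
    assert req["method"] == "getreceivedbyaddress"
    address, minconf = req["params"]
    amount, confs = FAKE_LEDGER.get(address, (Decimal("0"), 0))
    result = amount if confs >= minconf else Decimal("0")
    return json.dumps({"result": float(result), "error": None, "id": req["id"]}).encode()
```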
nmat
Hero Member
August 10, 2011, 12:55:07 AM
 #37

You are also compromising security if you don't trust a 3rd party. Not everyone is talented enough to secure a server properly. There must be a balance between these two things. It's not just "3rd party is all wrong, don't trust them".
BitcoinLocator
Newbie
August 10, 2011, 01:19:01 AM
 #38

You are also compromising security if you don't trust a 3rd party. Not everyone is talented enough to secure a server properly. There must be a balance between these two things. It's not just "3rd party is all wrong, don't trust them".


And who's to say the 3rd party is any better at securing their servers?  You just don't know.  

The only time you can actually be demonstrably more secure by using a 3rd party is if the 3rd party provides an SLA (Service Level Agreement) that you can legally enforce in your jurisdiction, wherein they agree to become liable for your losses if they screw up; only then is the risk transferred and you don't need to know if they have security flaws.
BitcoinNotify.com
Newbie
August 11, 2011, 07:58:49 AM
 #39

3rd party solutions are NEVER going to be an easier way to bitcoin security. You can always make your server at least as secure as any 3rd party server, and because unix security is a known problem you have lots of resources for improving it.

I'm afraid most merchants are not security experts and operate on a shoestring budget.

They need to outsource IT anyway.

The most common choice is probably between hiring a student or using an existing 3rd party solution.

Please get real.
BitcoinNotify.com
Newbie
August 15, 2011, 04:49:32 PM
 #40

Quote
You can expect Bitcoin payment notification in seconds after your customer clicks "Send" button in his Bitcoin client. While technically the transaction is not confirmed by the Bitcoin network, for most purposes it is practical to consider it so. Support for "confirmed" transactions is being developed for those cases when you need to be 100% sure (and do accept delays).
Do you see it now?

Considering how many people trusted mybitcoin, and a startling willingness to abandon a key security feature of bitcoin I think it's important that everyone understand that security is a multifaceted problem.

Confirmed payments are now fully supported in BitcoinNotify.

Merchant decides how many confirmations are "enough" for his/her purpose.

It is also possible to order notifications on several confirmation levels, i.e. 0/unconfirmed for visual payment acceptance in the store, and 6 confirmations for actually shipping the item.

PS @MrJoshua: thanks for stressing the importance of security in this thread.
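An added example, not BitcoinNotify's code, of how a shop can consume notifications ordered on two confirmation levels as described above: a 0-conf notification marks the order as paid for display, only a notification at the merchant's chosen threshold triggers shipping, and duplicate, late or underpaid notifications are ignored so the order never ships twice or regresses. Notifications are assumed to be signature-checked already; the address, field names and threshold are assumptions.

```python
from decimal import Decimal

SHIP_AFTER = 6  # merchant-chosen confirmation level for actually shipping

# Constructed order book: the address each order was given, the amount owed,
# and the order's position in the state machine (awaiting -> seen -> confirmed).
ADDR = "1OrderAddrExampleXXXXXXXXXXXXXXXX"  # placeholder address

def new_orders():
    return {"order-42": {"address": ADDR, "amount": Decimal("0.5"),
                         "status": "awaiting", "shipped": False}}

def note(confirmations, amount="0.50000000", address=ADDR):
    """Constructed notification as the service would POST it (signature already verified)."""
    return {"address": address, "txid": "<placeholder txid>",
            "amount": amount, "confirmations": confirmations}

def apply_notification(orders, n):
    """Advance one order from one notification and report the action taken.

    "accepted": first 0-conf notice, show the order as paid in the store
    "ship":     first notice at or above SHIP_AFTER confirmations
    "ignored":  unknown address, underpayment, duplicate, or a late 0-conf notice
    """
    order = next((o for o in orders.values() if o["address"] == n["address"]), None)
    if order is None or Decimal(n["amount"]) < order["amount"]:
        return "ignored"
    if int(n["confirmations"]) >= SHIP_AFTER:
        if order["shipped"]:
            return "ignored"          # duplicate delivery; never ship twice
        order["status"], order["shipped"] = "confirmed", True
        return "ship"
    if order["status"] == "awaiting":
        order["status"] = "seen"      # paid at 0-conf, still in the double-spend window
        return "accepted"
    return "ignored"                  # status never moves backwards

def run_sequence(orders, notes):
    """Apply a list of notifications in arrival order and return the actions."""
    return [apply_notification(orders, n) for n in notes]
```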
nmat
Hero Member
August 15, 2011, 06:55:46 PM
 #41

Bit-pay is now available to businesses in the United States

I'm from Canada and want to price in btc and CND$

I think bit-pay is internationally available if you choose to receive your payments in bitcoins and not in USD.
Steve
Hero Member
August 15, 2011, 09:16:44 PM
 #42

Bit-pay is now available to businesses in the United States

I'm from Canada and want to price in btc and CND$

I think bit-pay is internationally available if you choose to receive your payments in bitcoins and not in USD.

That is correct...despite what our FAQ currently says.

Regarding the decision whether to do it yourself or outsource the payment processing, someone ultimately has to implement it.  I certainly don't discourage anyone from managing and hosting it themselves if you have the time and the skill.  For bit-pay, our goal is to make it easy and secure for merchants that choose to outsource their payment processing.  We will also provide integration with a number of third party shopping carts as well as accounting systems.  And, we handle currency exchange for merchants that want to accept bitcoins from customers, but need to receive dollars (and soon other currencies).  We payout a merchant's entire balance once per day (subject to minimums) via ACH direct deposit or bitcoin transaction (for bitcoin, we may soon offer an option of paying out hourly if there is a minimum balance).  We are not a wallet service and do not allow merchants to accumulate a significant balance in their merchant account (which also means that at any given point in time, we typically have very few bitcoins in our online wallet).


(gasteve on IRC) Does your website accept cash? https://bitpay.com
Steve
Hero Member
August 17, 2011, 12:24:47 AM
 #43

Our JSON API is now available along with command line utilities that provide an easy to use client interface.  The command line tools can be used as is, customized or as examples for people that want to integrate directly with the JSON API.  The documentation is here:  https://bit-pay.com/downloads/bitpayApi-0.1.pdf

(we've also updated the FAQ to clarify the question about international merchants)

(gasteve on IRC) Does your website accept cash? https://bitpay.com