[ask] best practices accepting bitcoin for a website with bitcoind

[buffett]

i want start accepting bitcoin for my website with bitcoind.

my question is, what is the best way to generate new address for receiving btc? should i create a new address and assign to new account for every transaction? or it better to create a new address assigned to main account?

which way is better for security and performance? one account with ton of addresses, or ton of accounts with 1 address per account.

and when do i need to perform a backup? after new address created? after receiving fund? after sending fund?

thanks

[Kazimir]

1. Do not host your wallet or private keys on your webserver, just addresses.

2. DO NOT HOST YOUR WALLET OR PRIVATE KEYS ON YOUR WEBSERVER, JUST ADDRESSES.

3. Generate your address + private keys offline / remotely, i.e. on a different physical location than your webserver. Thus allowing your webserver to retrieve new addresses as needed, without exposing access to your private keys anywhere.

4. Use a new address for each payment/order. This way you can always check if a specific payment has been made or a specific order has been paid. With one address per account, you cannot clearly distinguish between payments for different orders.

5. Instead of generating private keys + addresses on the fly, you could pregenerate a few thousand addresses / private key pairs, and backup those. Backup again whenever creating (and before using) new keys + addresses and increase volume as needed.

6. On the webserver end, just backup your order/payment/account database just like you would now. Before or after receiving doesn't matter, that is already backed up in the blockchain And before or after sending fund does not apply here, as per rules 1 and 2.

[davout]

What's best for security and performance is to not use bitcoind at all.
Generate your adresses deterministically instead, dem libs are out there.

[buffett]

What's best for security and performance is to not use bitcoind at all.
Generate your adresses deterministically instead, dem libs are out there.

how to check incoming transfer then?

[davout]

how to check incoming transfer then?

You need to monitor the addresses on which you are expecting payments.
This can be achieved in a variety of ways, blockchain has an API, you could plug in to an electrum server, do some polling, it really depends on your use case.
Another suggestion : don't allow addresses to be valid permanently if possible, tell your users the addresses have a finite lifetime, so you can rotate the master public seeds regularly.

[coinrevo]

What are the standard packages used for this? I've spend some time with the python-bitcoin RPC and libbitcoin which is somewhat more "user friendly".

[buffett]

how to check incoming transfer then?

You need to monitor the addresses on which you are expecting payments.
This can be achieved in a variety of ways, blockchain has an API, you could plug in to an electrum server, do some polling, it really depends on your use case.
Another suggestion : don't allow addresses to be valid permanently if possible, tell your users the addresses have a finite lifetime, so you can rotate the master public seeds regularly.

blockchain receive payment API  is very slow and ugly.

what is the best way to monitor ton of addresses without hosting the wallet in the same server?

if bitcoind hosted it is very easy to just call rpc request: listtransactions \* 1000

and why electrum server, what are the differences compared to bitcoind?

thanks

[kostagr33k]

This post may help you find a way to monitor transactions .. However you would need to know all addresses you want to monitor unlike with bitcoind running your wallet for monitoring:

http://bitcoin.stackexchange.com/questions/4601/how-can-i-read-information-from-the-blockchain


Would be interested in knowing which method you choose and how it goes!


Kosta

[davout]

you would need to know all addresses you want to monitor

That's a good practice, with unexpiring addresses you monitor a constantly growing set.

[Altoidnerd]

Just to be clear, is this a discussion of best practices for a website wishing to accept bitcoin payments specifically WITHOUT the use of a payment processing service such as bitpay or coinbase?