Bitcoin Forum
June 19, 2024, 11:50:42 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Sending bitcoin securely from web server  (Read 565 times)
xtpu (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
January 04, 2014, 06:17:42 AM
 #1

I'm developing a web application that would not only accept, but also send payments to web users.
For now, I'm using the official client (bitcoind), but I suddenly became worried about this issue:

The wallet is encrypted. So to send a payment, I need to run walletpassphrase. However, as far as I understand from the documentation, when I unlock the wallet, it becomes unlocked not just for one connection or one transaction, but for all connections / transactions. This means that if I do "walletpassphrase", "send", "walletlock", there is a small window of time when the wallet is unlocked. If someone then has access to the machine, they might be able to send a malicious transaction in that window of time without knowing the passphrase.

It would make much more sense if I provided the wallet password per-transaction. I.e. "send <wallet password> <normal send parameters>". Then, the malicious user would have to have the wallet password in order to perform the attack.

Is something like this possible with the official client? If not, can anybody recommend a client for this purpose? Or would I have to modify the source code?
Has anybody come up with solutions for this that don't involve using an external service? I see that quite a few people run gambling services with bitcoin... maybe one of them could chime in to tell us how they do it?
torusJKL
Hero Member
*****
Offline Offline

Activity: 619
Merit: 500


View Profile
January 04, 2014, 12:48:48 PM
 #2

I don't have a tutorial for you but I think the following would be a secure way to do it.

Use Armory or maybe Electrum instead of the reference bitcoind.
Those programs let you create transactions on the web server but then you will need to sign the transaction with another instance of that program.
That instance you would need to have on a different very secure server.

This way even if your web server would be hacked the only thing the hacker could do was see your transactions an create read only addresses.

If you find my post useful send some Bitcoin: 167XM1Za8aG9CdbYuHFMpL2kvPsw6uC8da
Bitrated || bitcoin-otc || Moon Bitcoin Faucet
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!