doof (OP)
|
|
February 02, 2014, 04:53:07 AM |
|
Motivation
Love or hate Microsoft Windows, enterprise and large business run it and continue to adopt Windows and Microsoft products [1][2][3]. While there are a lot of good LAMP products, I believe there needs to be more Windows based solutions for enterprise adoption. Enterprise will require a wallet that runs on premises, using technology stacks they currently use like Microsoft SQL Server, SSRS and OLAP Cubes, BizTalk, Forefront.
Design goals
- Run on Windows Server 2008R2 and above
- Run as a web app on IIS 7 and above
- Be secured by existing corporate authentication providers, like Active Directory
- Configurable by existing sys admins, using familiar interfaces (MMC, Web.config)
- Log to sources like Event Viewer
- Backup of private keys in line with existing backup solutions
- Be extensible via JSON Restful and SOAP interfaces
- Cross browser HTML5 web interface, with "hackable" urls
I have been working on a c# MVC web app to meet the above requirements. The node runs as a Windows Service and exposes WCF endpoints too. The application uses AD groups to secure the site and features. There are still a lot of features I want to add and a few bugs to fix, before I publish the source code.
[1] ME Bank Adopts SQL Server and Windows Server 2012 http://www.microsoft.com/australia/presspass/post/ME-Bank-Adopts-SQL-and-Windows-Server-2012
[2] ING Bank http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=710000001710
[3] Bank of Queensland BizTalk http://www.itnews.com.au/News/267460,bank-of-queensland-finance-rebuilds-it-systems.aspx
|
|
|
|
patricktim
|
|
February 02, 2014, 07:54:35 AM |
|
Need more info on how secure the Web Wallet is.
|
|
|
|
doof (OP)
|
|
February 02, 2014, 09:07:58 AM |
|
Sure, at the moment it interfaces with bitcoind using RPC. That is secured by standard procedures, i.e., only allowing RPC calls from localhost or an internal subnet.
The IIS server should only allow https from internal too.
As mentioned, there is a lot to do, one task being an installer guide. Enterprise sys admins would apply their own standard firewall, encrypting web.config etc and IIS hardening procedures too. Note that bitcoin.conf persists RPC username and password in plain text, so it is up to the sys admin to harden the server.
|
|
|
|
doof (OP)
|
|
February 02, 2014, 11:07:54 AM |
|
Thanks for your opinions gweedo. A web based currency needs web based wallets. Your comments are as backward thinking as banks who stated in the 90's they would never do online banking.
|
|
|
|
doof (OP)
|
|
February 02, 2014, 11:09:19 AM |
|
"Also you do know that PHP runs just fine under IIS so yeah I don't see any purpose to this project"
Exactly what a PHP developer would say. When a Bank runs a team of c# developers, there is a very real reason for this project.
From a consultant, that's a very immature comment.
|
|
|
|
grau
|
|
February 02, 2014, 11:20:02 AM |
|
Thanks for your opinions gweedo. A web based currency needs web based wallets. Your comments are as backward thinking as banks who stated in the 90's they would never do online banking.
Having a web interface is fine. Having bitcoins (the keys) stored on the web site for thousands of users is exactly the backward thinking of online banking that we want to leave behind. Bitcoin should be owned by the user in secure devices like TREZOR and web applications should only help them to follow, prepare, report ... but not sign for them.
|
|
|
|
doof (OP)
|
|
February 02, 2014, 11:26:43 AM |
|
Thanks grau. I plan on swapping out bitcoind later for an open source c# implementation that I am involved with and has been posted here. The project isn't designed to be a multi wallet solution. The web interface should only be exposed on an internal network.
A hardware appliance would be an ideal solution.
|
|
|
|
grau
|
|
February 02, 2014, 04:44:52 PM |
|
Well most banks run java backends not C# or php.
correct. I worked in a few big banks and never met PHP. C# was sometimes used on the desktop, but never on a backend. Have not seen IIS either.
|
|
|
|
flower1024
|
|
February 02, 2014, 04:47:16 PM |
|
Well most banks run java backends not C# or php.
correct. I worked in a few big banks and never met PHP. C# was sometimes used on the desktop, but never on a backend. Have not seen IIS either.
same here... though i saw COBOL and perl in the backend too (and some REALLY ugly terminal to web converter ughhh)
|
|
|
|
nasamanBoy
|
|
February 06, 2014, 05:03:09 PM |
|
That the latter are right, COBOL and Perl in the backend too.....
|
|
|
|
Cyrus
Ninja
Administrator
|
|
February 07, 2014, 12:54:23 AM |
|
COBOL still used around here as well in banks/insurance companies backends.
|
|
|
|
r3wt
|
|
February 07, 2014, 12:59:24 AM |
|
COBOL still used around here as well in banks/insurance companies backends.
True, i'm enrolling in college and the advisor recommended i take the course on cobol for enterprise development/software engineering.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
artw1982
|
|
February 07, 2014, 03:53:33 AM |
|
Being a C# developer I love seeing this project. However, I do agree that hot wallets are a huge risk. Keeping everyone's coin in a single wallet.dat is scary. What if you were to write a class that generated the keys in memory, encrypted them with the user's password as key, then save each user's wallet to its own .dat file. Never storing their password. Not using the bitcoind at all for key generation.
If you're looking for someone to collaborate with or discuss ideas with I can help.
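
The per-user key file proposed in the post above, sketched as an added example that is not part of the original post or the project's code. It assumes .NET 8 and picks PBKDF2-SHA256 with AES-256-GCM as the primitives (the post names none); the `UserKeyFile` class, its file layout and the random 32-byte stand-in key are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
// Added illustration: UserKeyFile and its file layout are hypothetical, not the project's code.
public static class UserKeyFile
{
    const int SaltLen = 16, NonceLen = 12, TagLen = 16;
    const int Iterations = 600_000; // assumed PBKDF2-SHA256 work factor; tune for the server

    // File layout: salt | nonce | tag | ciphertext. The password itself is never written.
    public static void Save(string path, byte[] privateKey, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        byte[] tag = new byte[TagLen], ct = new byte[privateKey.Length];
        try { using var aes = new AesGcm(key, TagLen); aes.Encrypt(nonce, privateKey, ct, tag); }
        finally { CryptographicOperations.ZeroMemory(key); } // wipe the derived key after use
        using var fs = new FileStream(path, FileMode.CreateNew); // refuse to overwrite a wallet
        fs.Write(salt); fs.Write(nonce); fs.Write(tag); fs.Write(ct);
    }

    // Throws CryptographicException when the password is wrong or the file was modified.
    public static byte[] Load(string path, string password)
    {
        byte[] blob = File.ReadAllBytes(path);
        if (blob.Length < SaltLen + NonceLen + TagLen) throw new InvalidDataException("truncated key file");
        byte[] salt = blob[..SaltLen];
        byte[] nonce = blob[SaltLen..(SaltLen + NonceLen)];
        byte[] tag = blob[(SaltLen + NonceLen)..(SaltLen + NonceLen + TagLen)];
        byte[] ct = blob[(SaltLen + NonceLen + TagLen)..];
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        byte[] pt = new byte[ct.Length];
        try { using var aes = new AesGcm(key, TagLen); aes.Decrypt(nonce, ct, tag, pt); }
        finally { CryptographicOperations.ZeroMemory(key); }
        return pt;
    }

    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), Guid.NewGuid() + ".dat");
        byte[] secret = RandomNumberGenerator.GetBytes(32); // constructed stand-in for a private key
        Save(path, secret, "correct horse");
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(secret, Load(path, "correct horse")));
        try { Load(path, "wrong"); } catch (CryptographicException) { Console.WriteLine("rejected"); }
        File.Delete(path);
    }
}
```

The GCM tag is what rejects a wrong password or a modified file without any stored password or hash. The file is only as strong as the password, since anyone who copies it can run offline guesses at the cost set by `Iterations`.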
|
|
|
|
flower1024
|
|
February 07, 2014, 10:30:48 AM |
|
Being a C# developer I love seeing this project. However, I do agree that hot wallets are a huge risk. Keeping everyone's coin in a single wallet.dat is scary. What if you were to write a class that generated the keys in memory, encrypted them with the user's password as key, then save each user's wallet to its own .dat file. Never storing their password. Not using the bitcoind at all for key generation.
If you're looking for someone to collaborate with or discuss ideas with I can help.
blockchain.info's does this and it works quite well but i would never put all my coins in one basket again. what i might use: a balance watcher which allows to send by providing a privkey. after sending i would not use this address ever again
|
|
|
|
DeathAndTaxes
Gerald Davis
|
|
March 08, 2014, 06:57:13 PM |
|
Any progress on this? Going to put it up on github? Curious to see the implementation. While I don't like public eWallets I can see this being useful on a corporate intranet.
|
|
|
|
|