Topic: bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol
BTCurious
November 10, 2011, 03:38:37 AM
 #1

A simple integration step that I think is missing in the combined toolset is a web-based protocol. (A "bitcoin:" version of the "mailto" link)

Imagine this situation:

You register for mtgox, and want to deposit some bitcoins. You go to the deposit page, fill in the amount you want to deposit. MtGox generates a bitcoin protocol link, for example:

bitcoin:pay:1MtGoxAddress1es89fwSTYR:5:MtGox deposit to account BTCurious

By clicking a button or the link, the data is forwarded by the browser. You have installed the default bitcoin client earlier, which registered the bitcoin protocol, so the data is now sent to it.
The client asks you:

Quote
Do you want to pay 5 Bitcoins to 1MtGoxAddress1es89fwSTYR? Payment data: "MtGox deposit to account BTCurious"
Yes/No

You click yes, and it's paid. You never have to copy/paste any addresses. You can connect the protocol to your favourite wallet manager, be it the standard client, or your web-based wallet.

A client might also provide the ability to generate these links to send to your buddy who wants to pay you:
bitcoin:pay:1JohnDoeAddress1n4e3o1tnsuy:50:You still owe me a Block, dude!


I believe this would very much increase the user-friendliness of payment and address management.

I propose creating a standard for this protocol. It's open for suggestions, but my initial idea is:

For doing payments (webshops, deposits, inter-person payments)
bitcoin:pay:<address>:<amount>:<comment>

For saving an address in an address list (useful for miner payout addresses, green addresses)
bitcoin:address:<address>:<comment>

theymos
November 10, 2011, 03:49:28 AM
 #2

This has been discussed a million times, and there are already a million different proposed URI protocols. Why is yours better?

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
BTCurious
November 10, 2011, 04:07:00 AM
 #3

Hmm, I see you're right. I wasn't aware it was more commonly known as a URI, and searching for protocol didn't get me very far.

It makes me wonder though, why hasn't this been taken up yet? All it takes is for MtGox to agree with a bitcoin client developer, and then the majority of users could use it. The rest would then follow.
If this has been discussed a million times, apparently it's clear that we actually want a URI protocol. The exact format is rather irrelevant, as long as one option reaches critical mass, it will be standardized.
Why is this not yet implemented?

DeathAndTaxes
November 10, 2011, 04:09:16 AM
 #4

Security.  Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.
BTCurious
November 10, 2011, 04:13:40 AM
 #5

Quote from: DeathAndTaxes
Security. Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.

If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

I might make a URI addon at some point, but I first wanted to see what the community thought about my proposal. Which is a bit moot now, since it's one of the many proposals, but yeah…

Luke-Jr
November 12, 2011, 02:16:27 AM
 #6

Spesmilo has supported URIs for months. The Satoshi client devs don't want to.

Gavin Andresen
November 14, 2011, 06:51:10 PM
 #7

Quote from: Luke-Jr
Spesmilo has supported URIs for months. The Satoshi client devs don't want to.

Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs. And there's a pull request pending for click-to-pay support.

Quote from: BTCurious
    Quote from: DeathAndTaxes
    Security. Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.
If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

One fear is bitcoin-address-rewriting malware, like the URL-rewriting phishing malware we have today. Actually, combining the two would be very effective (direct the user to a phishing site where all the bitcoin: URIs pay or donate to the scammers). We need better ways users can be certain they are paying who they think they are paying.

How often do you get the chance to work on a potentially world-changing project?
cjp
November 14, 2011, 07:23:11 PM
 #8

I agree we have to be very careful to avoid phishing / malware attacks.

How about the following idea: whenever a URI contains an unknown bitcoin address, or whenever the name in the URI does not equal the name of the address in the address book, give the user a very clear warning that he has to verify the correctness of the new address.

In the future, this might be combined with some sort of public key infrastructure or web of trust.

Donate to: 1KNgGhVJx4yKupWicMenyg6SLoS68nA6S8
http://cornwarecjp.github.io/amiko-pay/
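
The URI format from post #1 and the address-book warning proposed in post #8, as an added example that is not part of the original thread: a strict parser plus the warning rule. The field limits, the `BOOK` contents and treating the comment of a `bitcoin:address:` URI as the name to compare are assumptions.

```python
import re
from decimal import Decimal

ADDRESS_RE = re.compile(r"[1-9A-HJ-NP-Za-km-z]{20,35}")  # Base58 charset, loose length
AMOUNT_RE = re.compile(r"[0-9]{1,8}(\.[0-9]{1,8})?")      # plain decimal, no sign/exponent
MAX_COMMENT = 140  # hypothetical display limit for the confirmation dialog

def parse_uri(uri):
    """Parse bitcoin:pay:<address>:<amount>:<comment> or bitcoin:address:<address>:<comment>."""
    scheme, _, rest = uri.partition(":")
    action, _, rest = rest.partition(":")
    if scheme != "bitcoin" or action not in ("pay", "address"):
        raise ValueError("unsupported scheme or action")
    wanted = 3 if action == "pay" else 2
    # The comment is the last field, so it may itself contain ':'.
    fields = rest.split(":", wanted - 1)
    if len(fields) != wanted:
        raise ValueError("missing field")
    address, comment = fields[0], fields[-1]
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("address is not plausible Base58")
    amount = None
    if action == "pay":
        if not AMOUNT_RE.fullmatch(fields[1]):
            raise ValueError("amount must be a plain decimal number")
        amount = Decimal(fields[1])
        if amount <= 0:
            raise ValueError("amount must be positive")
    # Drop control and format characters so a comment cannot forge dialog lines.
    comment = "".join(c for c in comment if c.isprintable())[:MAX_COMMENT]
    return {"action": action, "address": address, "amount": amount, "comment": comment}

def warnings_for(uri, address_book):
    """cjp's rule from post #8; address_book maps address -> saved name."""
    req = parse_uri(uri)
    saved = address_book.get(req["address"])
    if saved is None:
        return req, ["unknown address: verify it before paying or saving"]
    if req["action"] == "address" and req["comment"] != saved:
        return req, ["name %r differs from address book entry %r" % (req["comment"], saved)]
    return req, []

# Constructed address book, using the placeholder address from post #1.
BOOK = {"1MtGoxAddress1es89fwSTYR": "MtGox"}
```

These checks reject malformed input and dialog spoofing only; the pattern does not verify the Base58Check checksum, and a known address says nothing about a page that rewrote the link before the click.

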
Luke-Jr
November 14, 2011, 08:50:04 PM
 #9

Quote from: Gavin Andresen
    Quote from: Luke-Jr
    Spesmilo has supported URIs for months. The Satoshi client devs don't want to.
Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs.

Not compliant with the spec.

jim618
November 14, 2011, 09:10:22 PM
 #10

One way I thought of validating bitcoin uris was to do the following:

1. Say you have a bitcoin uri from a website http://bitcoinbooks.com (say it is a book you are buying)

2. Added to the bitcoin uri is a 'from' field which has a value 'bitcoinbooks.com'

3. The client then does a call to a service endpoint based at:    https://bitcoinbooks.com/uriValidator?<the value of the bitcoin uri>
    The suffix 'uriValidator' is a standard service endpoint used by everyone and https is used to prevent MITM attacks.

4. If bitcoinbooks.com actually created that bitcoin uri it just replies 'true', else 'false'.

5. bitcoinbooks.com is shown to the user on the ui as: green if validated, red if not validated.

This gives the user confidence that the uri is what it appears to be, i.e. it came from the site it appears to.
It also gives the user confidence that the uri is still 'alive' (maybe it is a special offer ending at midnight or there is a time-to-live on it)

It also gives the bitcoinbooks.com site some useful feedback too, but that is not particularly security related.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
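
The validation flow from post #10, as an added example that is not part of the original thread: the wallet-side check with the network call injected so it runs offline. The `fetch` callable, the hostname pattern, passing `from` as a separate argument and the `ISSUED` sample URI are assumptions.

```python
import re
from urllib.parse import quote, unquote

# Bare DNS name only: no scheme, port, path, userinfo or IP literal.
HOST_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def validator_url(from_host, bitcoin_uri):
    """Step 3 of post #10: https://<from>/uriValidator?<the bitcoin uri>."""
    host = from_host.strip().lower()
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError("'from' must be a bare hostname")
    # Encode every reserved character so the URI cannot add parameters or a fragment.
    return host, "https://%s/uriValidator?%s" % (host, quote(bitcoin_uri, safe=""))

def validate(from_host, bitcoin_uri, fetch):
    """Return (host_to_display, colour) for step 5.

    fetch(url) -> response body is a hypothetical injected transport; a real one
    must verify the TLS certificate, refuse redirects and raise on any error.
    """
    try:
        host, url = validator_url(from_host, bitcoin_uri)
    except ValueError:
        return None, "red"      # nothing trustworthy to display
    try:
        confirmed = fetch(url).strip() == "true"
    except Exception:
        confirmed = False       # fail closed on timeouts and HTTP errors
    return host, "green" if confirmed else "red"

# Constructed stand-in for bitcoinbooks.com: it confirms only URIs it issued.
ISSUED = {"bitcoin:pay:1BookShopPlaceholderAddr:5:Order 1001"}

def fake_fetch(url):
    prefix = "https://bitcoinbooks.com/uriValidator?"
    if not url.startswith(prefix):
        raise IOError("host unreachable")
    return "true" if unquote(url[len(prefix):]) in ISSUED else "false"
```

Green means only that the named host vouches for the URI: a phishing page can name its own host in `from` and still validate, so the host must be shown as prominently as the colour.

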
Gavin Andresen
November 14, 2011, 09:28:27 PM
 #11

Quote from: Luke-Jr
Not compliant with the spec.

You mean the wiki page that describes an overly-complicated scheme with your pet feature that nobody else likes (hexadecimal amounts)?

And that we're all ignoring because we don't feel like getting into wiki editing wars with you (see the history from 9 May)?


How often do you get the chance to work on a potentially world-changing project?
Deafboy
November 14, 2011, 09:35:30 PM
 #12

Quote
One fear is bitcoin-address-rewriting malware

And so it can rewrite a plaintext address on a webpage.
I already have a Firefox addon installed which recognizes bitcoin addresses and makes hyperlinks to a block explorer.
btc_artist
November 14, 2011, 10:05:30 PM
 #13

I for one think that having this click to pay functionality is needed, even if it increases the possibility of malware attacks.

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
BTCurious
November 14, 2011, 10:09:56 PM
 #14

Quote from: btc_artist
I for one think that having this click to pay functionality is needed, even if it increases the possibility of malware attacks.

It is severely lacking in the accessibility of bitcoin in general. I'm not quite sure how to easily make it secure(-ish) though.

Luke-Jr
November 14, 2011, 11:01:49 PM
 #15

Quote from: Gavin Andresen
You mean the wiki page that describes an overly-complicated scheme with your pet feature that nobody else likes (hexadecimal amounts)?

No, I mean the wiki page that describes a simple future-compatible scheme that the community agreed on earlier this year, and decimal trolls decided to object to months later, despite it not hurting the ability to use (in fact, it is even better for) decimal units.

BTCurious
November 14, 2011, 11:16:01 PM
 #16

Link please?


Also, any mention of the tonal system sort of seems like a joke, to be honest. Maybe it's not, but that's the impression that I got when I first saw it.

Luke-Jr
November 16, 2011, 04:39:37 PM
 #17

Quote from: BTCurious
Link please?

https://en.bitcoin.it/wiki/URI_Scheme
