bitcoin:<action>:<address>:<amount>:<comment> Web-based protocol

[BTCurious]

A simple integration step that I think is missing in the combined toolset is a web-based protocol. (A "bitcoin:" version of the "mailto" link)

Imagine this situation:

You register for mtgox, and want to deposit some bitcoins. You go to the deposit page, fill in the amount you want to deposit. MtGox generates a bitcoin protocol link, for example:

bitcoin:pay:1MtGoxAddress1es89fwSTYR:5:MtGox deposit to account BTCurious

By clicking a button or the link, the data is forwarded by the browser. You have installed the default bitcoin client earlier, which registered the bitcoin protocol, so this is now sent the data.
The client asks you:

Do you want to pay 5 Bitcoins to 1MtGoxAddress1es89fwSTYR? Payment data: "MtGox deposit to account BTCurious"
Yes/No

You click yes, and it's payed. You never have to copy/paste any addresses. You can connect the protocol to your favourite walletmanager, be it the standard client, or your webbased wallet.

A client might also provide the ability to generate these links to send to your buddy who wants to pay you:
bitcoin:pay:1JohnDoeAddress1n4e3o1tnsuy:50:You still owe me a Block, dude!


I believe this would very much increase the userfriendliness of payment and address management.

I propose creating a standard for this protocol. It's open for suggestions, but my initial idea is:

For doing payments (webshops, deposits, inter-person payments)
bitcoin:pay:<address>:<amount>:<comment>

For saving an address in an addresslist (useful for miner payout addresses, green addresses)
bitcoin:address:<address>:<comment>

[1713944197]

1713944197

[1713944197]

1713944197

[1713944197]

1713944197

[theymos]

This has been discussed a million times, and there are already a million different proposed URI protocols. Why is yours better?

[BTCurious]

Hmm, I see you're right. I wasn't aware it was more commonly known as a URI, and searching for protocol didn't get me very far.

It makes me wonder though, why hasn't this been taken up yet? All it takes is for MtGox to agree with a bitcoin client developer, and then the majority of users could use it. The rest would then follow.
If this has been discussed a million times, apparently it's clear that we actually want a URI protocol. The exact format is rather irrelevant, as long as one option reaches critical mass, it will be standardized.
Why is this not yet implemented?

[DeathAndTaxes]

Security.  Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.

[BTCurious]

Security. Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.

If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

I might make a URI addon at some point, but I first wanted to see what the community thought about my proposal. Which is a bit moot now, since it's one of the many proposals, but yeah…

[Luke-Jr]

Spesmilo has supported URIs for months. The Satoshi client devs don't want to.

[Gavin Andresen]

Spesmilo has supported URIs for months. The Satoshi client devs don't want to.

Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs. And there's a pull request pending for click-to-pay support.

Security. Shortly after the first URI usage will be the first URI malware.  Likely not something that should be rushed into.  Of course it is open source so you can make a URI capable client.

If the URI is only used in a user-mediated way, i.e., you click a payment button, and get a dialog from your client, then where is the security problem? Or do you mean script injection of some sort? Sanitizing the URI inputs shouldn't be too difficult… or am I missing something here?

One fear is bitcoin-address-rewriting malware, like the URL-rewriting phishing malware we have today. Actually, combining the two would be very effective (direct the user to a phishing site where all the bitcoin: URIs pay or donate to the scammers). We need better ways users can be certain they are paying who they think they are paying.

[cjp]

I agree we have to be very careful to avoid phishing / malware attacks.

How about the following idea: whenever an URI contains an unknown bitcoin address, or whenever the name in the URI does not equal the name of the address in the address book, give the user a very clear warning that he has to verify the correctness of the new address.

In the future, this might be combined with some sort of public key infrastructure or web of trust.

[Luke-Jr]

Spesmilo has supported URIs for months. The Satoshi client devs don't want to.

Huh what?  Version 0.5 supports drag-and-drop of bitcoin: URIs.

Not compliant with the spec.

[jim618]

One way I thought of validating bitcoin uris was to do the following:

1. Say you have a bitcoin uri from a website http://bitcoinbooks.com (say it is a book you are buying)

2. Added to the bitcoin uri is a 'from' field which has a value 'bitcoinbooks.com'

3. The client then does a call to a service endpoint based at:    https://bitcoinbooks.com/uriValidator?<the value of the bitcoin uri>
    The suffix 'uriValidator' is a standard service endpoint used by everyone and https is used to prevent MITM attacks.

4. If bitcoinbooks.com actually created that bitcoin uri it just replies 'true', else 'false'.

5. bitcoinbooks.com is shown to the user on the ui as: green if validated, red if not validated.

This gives the user confidence that the uri is what it appears to be i.e it came from the site it appears to.
It also gives the user confidence that the uri is still 'alive' (maybe it is a special offer ending at midnight or there is a time-to-live on it)

It also gives the bitcoinbooks.com site some useful feedback too, but that is not particularly security related.

[Gavin Andresen]

Not compliant with the spec.

You mean the wiki page that describes an overly-complicated scheme with your pet feature that nobody else likes (hexadecimal amounts)?

And that we're all ignoring because we don't feel like getting into wiki editing wars with you (see the history from 9 May)?

[Deafboy]

One fear is bitcoin-address-rewriting malware

And so it can rewrite plaintext address on webpage.
I have allready firefox addon installed which recognize bitcoin addresses and makes hyperlinks to block explorer.

[btc_artist]

I for one think that having this click to pay functionality is needed, even if it increases the possibility of malware attacks.

[BTCurious]

I for one think that having this click to pay functionality is needed, even if it increases the possibility of malware attacks.

It is severely lacking in the accessibility of bitcoin in general. I'm not quite sure how to easily make it secure(-ish) though.

[Luke-Jr]

You mean the wiki page that describes an overly-complicated scheme with your pet feature that nobody else likes (hexadecimal amounts)?

No, I mean the wiki page that describes a simple future-compatible scheme that the community agreed on earlier this year, and decimal trolls decided to object to months later, despite it not hurting the ability to use (in fact, it is even better for) decimal units.

[BTCurious]

Link please?


Also, any mention of the tonal system sort of seems like a joke, to be honest. Maybe it's not, but that's the impression that I got when I first saw it.

[Luke-Jr]

Link please?

https://en.bitcoin.it/wiki/URI_Scheme