jav (OP)
|
|
April 29, 2011, 02:21:19 PM |
|
I'm happy to announce that https://www.instawallet.org is now live. It is an online wallet service which requires no signup. When you browse to the website, a secret link is created for you, which is the only way to access your wallet. This service is mostly targeted towards people who are curious about Bitcoin and want to give it a try. These people often don't want to download software (the Bitcoin client) or even sign up for some random website (e.g. MyBitcoin). Here they can try out Bitcoin without having to jump through any of these hoops. To that end I have tried to keep everything very speedy. The balance auto-updates as soon as you receive a transaction. You can get your 0.05 BTC from the faucet and donate it to the EFF in a matter of seconds. Feedback is much appreciated! :-)
|
|
|
|
|
|
According to NIST and ECRYPT II, the cryptographic algorithms used in
Bitcoin are expected to be strong until at least 2030. (After that, it
will not be too difficult to transition to different algorithms.)
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
khal
|
|
April 29, 2011, 02:33:39 PM |
|
The link on your logo is not in https (just to avoid 1 redirection :p)
You may add the possibility to enter a password before accessing the wallet.
Otherwise, really simple, i like it (even if i won't use a shared wallet system :p).
|
|
|
|
Timo Y
Legendary
Offline
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
|
|
April 29, 2011, 02:44:46 PM |
|
Great idea.
I like the speed and simplicity of the whole thing.
It's bit like keeping some cash hidden under the doormat for emergencies.
|
|
|
|
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1129
|
|
April 29, 2011, 02:46:15 PM |
|
That's really, really great!
I totally agree that this is a much superior solution to something like MyBitcoin for casual usage.
Are you going to extend it to have other features like address books, or are you going to keep it simple?
|
|
|
|
Garrett Burgwardt
|
|
April 29, 2011, 02:48:19 PM |
|
This is excellent! Accounts don't expire, do they?
|
|
|
|
jav (OP)
|
|
April 29, 2011, 03:03:59 PM |
|
Thx for your feedback!
@khal: Thx for spotting that http logo link, I will fix it in the next update.
@Garrett: That's correct, for now those wallets are permanent and don't expire (and I will announce it earlier enough if that should ever change).
I do plan to keep it fairly simple. But I'm toying with the idea of having a sort of "Instawallet Premium" option, where you can upgrade your secret link to a proper wallet with username and password and then have features like an address book and things like that. But I definitely want to keep the quickstart experience as uncluttered as possible.
|
|
|
|
Alex Beckenham
|
|
April 29, 2011, 03:10:09 PM |
|
This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.
I just sent to instawallet and then immediately withdrew and I see the funds came back to my local client before the deposit even has a confirmation.
|
|
|
|
AtlasONo
|
|
April 29, 2011, 03:14:18 PM |
|
Interesting.
|
|
|
|
jimbobway
Legendary
Offline
Activity: 1304
Merit: 1014
|
|
April 29, 2011, 03:21:13 PM |
|
Best bitcoin site I've seen in a while.
|
|
|
|
Meni Rosenfeld
Donator
Legendary
Offline
Activity: 2058
Merit: 1054
|
|
April 29, 2011, 03:33:24 PM |
|
The continuation of the sentence "The easiest way to get started with Bitcoin is..." has just changed. Congratulations!
|
|
|
|
Grinder
Legendary
Offline
Activity: 1284
Merit: 1001
|
|
April 29, 2011, 03:48:27 PM |
|
I guess it can't get much easier than this Do you know if your service can be used with this pool? http://bitcointalk.org/index.php?topic=6667.0The reason why it might not is that it includes the transfer directly in the block, so it requires 120 confirmations. I see that you just show the incoming funds immediately. It would be nice if was possible to see the confirmation status for unconfirmed transfers.
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5180
Merit: 12900
|
|
April 29, 2011, 03:58:34 PM |
|
Probably not, since bitcoind provides no way of getting the address/account a generation output was sent to. listtransactions and getreceivedbyaddress won't do it.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
Insti
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
|
|
April 29, 2011, 04:01:17 PM |
|
Very nice looking site.
|
|
|
|
Anonymous
Guest
|
|
April 29, 2011, 04:03:46 PM |
|
Another site to launder your bitcoins
|
|
|
|
Cusipzzz
|
|
April 29, 2011, 04:03:57 PM |
|
Nice looking implementation, well done.
|
|
|
|
skittixch
Newbie
Offline
Activity: 57
Merit: 0
|
|
April 29, 2011, 04:29:21 PM |
|
obligatory questioning of transparency follows:
Where are the wallet files kept? who has access to the physical equipment that the wallets are stored on? What kind of encryption does instawallet use? can we see the source code?
Sorry if any/all of these are answered somewhere on the site, but I can't find it yet.
Seems like a wonderful service as long as security measures are taken, and transparency is transparent.
|
|
|
|
pc
|
|
April 29, 2011, 04:35:34 PM |
|
Yeah, this seems rather nifty, but I'd want a lot more details about how the unique URL is generated, what protections there are against people trying to brute-force URLs to stumble upon money, and how the server/wallets are secured before using it for anything serious.
Definitely useful for introducing people, and the various "dropbox" and "business card" kind of scenarios that people have talked about. You can transfer money to somebody just by giving them the URL where you put their money.
|
|
|
|
bitlotto
|
|
April 29, 2011, 04:39:45 PM |
|
Pretty cool! Can't be more simple. I don't know much about website programming but isn't it possible for website's to sometimes see where you were just browsing and thereby get the address?
|
*Next Draw Feb 1* BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR TOR2WEB Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
|
|
|
pc
|
|
April 29, 2011, 04:43:50 PM |
|
Pretty cool! Can't be more simple. I don't know much about website programming but isn't it possible for website's to sometimes see where you were just browsing and thereby get the address? It uses SSL, which should be good enough. The only computers that should be able to see the URL are yours and the server, and the server already has the money. Certainly it's possible that some specially-written malware on your computer could monitor for accesses to this site and steal the URL, but it could do that with the name and password of any e-wallet service, or any private keys stored on your own computer.
|
|
|
|
spenvo
|
|
April 29, 2011, 04:45:46 PM |
|
Slick implementation! I don't see any major issues on the security-side, so long as friends aren't using my computer.
Nice work!
|
|
|
|
bitlotto
|
|
April 29, 2011, 04:50:55 PM |
|
Pretty cool! Can't be more simple. I don't know much about website programming but isn't it possible for website's to sometimes see where you were just browsing and thereby get the address? It uses SSL, which should be good enough. The only computers that should be able to see the URL are yours and the server, and the server already has the money. Certainly it's possible that some specially-written malware on your computer could monitor for accesses to this site and steal the URL, but it could do that with the name and password of any e-wallet service, or any private keys stored on your own computer. Thanks for the explanation. I was thinking about TOR too, but I guess since SSL hides the address from the final node it would work. I'm starting to really like the site!
|
*Next Draw Feb 1* BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR TOR2WEB Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2216
Chief Scientist
|
|
April 29, 2011, 05:05:28 PM |
|
Fantastic idea!
My only suggestion would be a "copy to clipboard" icon/link next to the funding address (I need to do that for ClearCoin, too-- haven't looked into how to do it yet, but github does it so I know it can be done...)
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
nextnonce
Member
Offline
Activity: 74
Merit: 10
www.minethings.com
|
|
April 29, 2011, 05:40:15 PM |
|
Pretty cool! Can't be more simple. I don't know much about website programming but isn't it possible for website's to sometimes see where you were just browsing and thereby get the address?
When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on. So, this would be an issue if instantwallet.com had links to other websites. Very nice site. I will recommend this to anyone I introduce to bitcoins.
|
BTC accepted at my browser-based MMO, Minethings.com. ~1500 active players mining now.
|
|
|
dacoinminster
Legendary
Offline
Activity: 1260
Merit: 1031
Rational Exuberance
|
|
April 29, 2011, 05:43:40 PM |
|
This service is fantastic. I probably won't use it myself, but I sent a $1 USD donation (0.39BTC) to the donation address at the bottom of the page, just for being awesome. I miss dollar parity at times like this - then I didn't have to do any math to know how much I'm sending someone. But of course I don't miss dollar parity TOO much
|
|
|
|
BitterTea
|
|
April 29, 2011, 06:15:19 PM |
|
My only suggestion would be a "copy to clipboard" icon/link next to the funding address (I need to do that for ClearCoin, too-- haven't looked into how to do it yet, but github does it so I know it can be done...) As far as I know, the only way to do this universally across browsers and operating systems is to use a flash object. Clippy is what github uses: https://github.com/mojombo/clippy
|
|
|
|
danf
Newbie
Offline
Activity: 8
Merit: 0
|
|
April 29, 2011, 06:45:38 PM |
|
When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on. So, this would be an issue if instantwallet.com had links to other websites.
This would also be an issue if Instawallet added any advertising. The site which serves the ads would have access to the URL, which would potentially be very bad.
|
|
|
|
nextnonce
Member
Offline
Activity: 74
Merit: 10
www.minethings.com
|
|
April 29, 2011, 07:09:27 PM |
|
I just noticed the link in the bottom-right to http://www.freecsstemplates.org/ I wonder how many wallets they have access to already
|
BTC accepted at my browser-based MMO, Minethings.com. ~1500 active players mining now.
|
|
|
Insti
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
|
|
April 29, 2011, 07:30:27 PM |
|
Mine at least. Thanks for pointing that out... (not that I'd put any money in..)
|
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5180
Merit: 12900
|
|
April 29, 2011, 08:50:04 PM |
|
When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on. So, this would be an issue if instantwallet.com had links to other websites.
This doesn't happen from HTTPS sites.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
kristofferR
Newbie
Offline
Activity: 5
Merit: 0
|
|
April 30, 2011, 01:46:20 AM |
|
Would be cool if you could choose your own address for increased rememberability.
|
|
|
|
jav (OP)
|
|
April 30, 2011, 09:38:12 AM |
|
Great to see the site being positively received. :-) This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.
I thought this wouldn't be an issue, but I'm not so sure anymore. I use the "account" feature of bitcoind and every wallet has its own account. My understanding was, that this will mean that the coins being sent are limited to the account as well. In that case it doesn't matter if the funds end up not confirming, because it will also invalidate the withdraw transaction. But maybe bitcoind uses coins from other accounts as well sometimes? Has someone here more insight into this? Interesting question, I'm not sure. The balance is whatever the method "getbalance <account associated with your wallet> 0" (so minconf=0) will return. I have no idea if this is the case for these pool transactions. Where are the wallet files kept? who has access to the physical equipment that the wallets are stored on? What kind of encryption does instawallet use? can we see the source code?
Sorry if any/all of these are answered somewhere on the site, but I can't find it yet.
One of the next things I will add is some sort of FAQ list that will address these things. For now: the wallet is on a VPS, running Debian Squeeze on an un-encrypted file system. So my VPS host prgmr.com technically has access and of course I do. Besides SSL there is no encryption used, but the regular backups I will make will be encrypted. I haven't decided about the source code, so for now it remains closed. In any case: This isn't really the place to store your Bitcoin wealth! I will try my best in keeping the service stable and secure, but ultimately I want to see mostly Bitcents on these wallets. A lot needs to happen before I would trust a cloud service with a larger amount of Bitcoin to store over longer time and Instawallet is definitely not the place to do that. Yeah, this seems rather nifty, but I'd want a lot more details about how the unique URL is generated, what protections there are against people trying to brute-force URLs to stumble upon money, and how the server/wallets are secured before using it for anything serious.
The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker. My only suggestion would be a "copy to clipboard" icon/link next to the funding address
Thx for the idea, I will consider implementing that! It's not specifically supported, but yes, it works at the moment and you are free to make up your own wallet URL. 1. Did you address the possibility of cross-site request forgery?
Maybe not to its full extend. You need to provide the wallet identifier when making a payment, but maybe this could be scripted with JavaScript after being redirect to the wallet URL? I will tighten up security in this area, thx for the pointer. Again, I don't recommend people to store large amounts of money there, so that CSRF would be worthwhile, but of course I appreciate the trust in the service if someone ends up doing it anyway. 2. Though the standard is somewhat vague, the traditional interpretation of RFC 2616 is that Referrer: headers are permitted from HTTPS content as long as the target uses SSL as well. I don't know offhand how each different modern browser reacts by default, but I disagree with Theymos that it's not a concern in general.
2a. To address this issue partly, it would be fairly easy to continue to permit pages to be accessed using an address in the URL but to redirect the user immediately to a page that doesn't include it there, either storing it in the session or including it as a hidden form parameter.
It seems you are correct, that referrer is transferred when linking to another SSL site. I will have to think about this, but as I don't have outgoing SSL links, it should be fine at the moment. Redirecting in the way you describe would be an option, but I'm not sure I like it much. I consider seeing your actual wallet link in the address bar a usability feature. 4. Are the addresses generated using a secure PRNG? If it's an ordinary PRNG, it wouldn't be hard to guess addresses.
What is an "ordinary PRNG" for you? I use Python's os.urandom() which I would consider pretty "ordinary", but I have checked the documentation which claims that it returns "random bytes suitable for cryptographic use".
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2216
Chief Scientist
|
|
April 30, 2011, 10:58:32 PM |
|
This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.
I thought this wouldn't be an issue, but I'm not so sure anymore. I use the "account" feature of bitcoind and every wallet has its own account. My understanding was, that this will mean that the coins being sent are limited to the account as well. In that case it doesn't matter if the funds end up not confirming, because it will also invalidate the withdraw transaction. But maybe bitcoind uses coins from other accounts as well sometimes? Has someone here more insight into this? It is definitely an issue-- the account code doesn't keep track of where the coins it is sending out came from, so if you accept 0-confirmation coins you're vulnerable to double-spending attacks (see, for example, the discussion of the "Finney attack" in these forums). Seeing coins show up right away is a fantastic feature, though, so I'd suggest getting the 0-confirmation balance and a 3+-confirmation balance, allowing only 3+ confirmed coins to be withdrawn, and displaying the difference as 'waiting confirmation'.
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
genjix
Legendary
Offline
Activity: 1232
Merit: 1072
|
|
April 30, 2011, 11:57:43 PM |
|
Amazing idea! Love it.
|
|
|
|
shazow
Newbie
Offline
Activity: 50
Merit: 0
|
|
May 01, 2011, 12:55:39 AM |
|
It seems you are correct, that referrer is transferred when linking to another SSL site. I will have to think about this, but as I don't have outgoing SSL links, it should be fine at the moment. Redirecting in the way you describe would be an option, but I'm not sure I like it much. I consider seeing your actual wallet link in the address bar a usability feature.
I agree that having the wallet link in your address bar is a usability feature (though it could also be done with hash fragments). Perhaps a better approach is to make sure that all outgoing links go through a redirector? E.g. http://redirect.instawallet.org/?url=http://google.com/ -> http://google.comThis will make sure all the referrer information is cleansed before leaving the site. Also great job. I worry what your wallet data looks like after I tried a bunch of random urls and they all worked. Sorry about that. - shazow
|
|
|
|
jav (OP)
|
|
May 01, 2011, 08:37:01 PM |
|
It is definitely an issue-- the account code doesn't keep track of where the coins it is sending out came from, so if you accept 0-confirmation coins you're vulnerable to double-spending attacks (see, for example, the discussion of the "Finney attack" in these forums).
I see, thx for clearing that up. I would really like to keep the speedy transactions, so I have decided to still allow 0-confirmation transactions. But I implemented a server-wide rate-limit for those transactions, which should make the Finney attack not worth the effort. Great idea, that's probably how I'm going to do it!
|
|
|
|
Ian Maxwell
|
|
May 01, 2011, 09:18:48 PM |
|
Nice site, I like the idea a lot.
I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 12:42:13 AM |
|
well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
|
|
|
|
Ian Maxwell
|
|
May 02, 2011, 02:18:35 AM |
|
cypherdoc: wait a few minutes and make sure it's really a problem.
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 02:23:25 AM |
|
cypherdoc: wait a few minutes and make sure it's really a problem.
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
i've been waiting all day nervously watching my wallet balance. no, they're not confirming and the receives are greyed out.
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 02, 2011, 04:11:18 AM |
|
How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 02, 2011, 04:31:12 AM Last edit: May 02, 2011, 04:45:42 AM by moa |
|
Hmmm, thanks for thinking this through 's'.
I haven't open/close browser tab or window or done anything that would have changed the cookies. All I did was send, and thus empty the initially assigned wallet address.
I back-paged to the one containing the initial wallet address and it has the same assigned token in the http:// field as the new one.
Edit: further test, i deleted the cookie folder associated with instawallet and then launched another tab with the provided http link with personal token and it brings me back to correct (new) wallet address. Something else changed the wallet address after I performed the send from function, what was it?
|
|
|
|
asdf
|
|
May 02, 2011, 07:40:58 AM |
|
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
It's still yours. From Jav's comments, it was created with a cryptographically secure PRNG, so nobody else ought to be able to guess it. As far as the site is concerned, presumably you've just got two wallets now and can use whichever you'd like, assuming you record the two "addresses." I think he means a new bitcoin address, but the same instawallet address. So, is that old bitcoin address still tied to his account? From the information you've given (you use the bitcoin accounts feature) I would infer: yes. Cool concept.
|
|
|
|
jav (OP)
|
|
May 02, 2011, 08:10:59 AM |
|
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
The recognition system works with cookies. Cookies are stored locally by your browser, so as long as your are using the same browser to come back to the website, it doesn't matter whether you use Tor or not. I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
I'm sorry, but I would probably not want to that, no. Remember, Bitcoin transactions are public. Somebody else might - maybe with some additional clues - figure out that some Bitcoin address belongs to Instawallet and can just look up the balance on blockexplorer.com. I guess it would be ok if you would tell me the correct balance plus the last couple of characters from your secret link. Just write that down somewhere, to be safe. well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Please give this at least 24h to sort itself out. If you quickly send coins back in forth, then these transactions look very "spammy" to the Bitcoin network and can potentially take a long time to be confirmed. How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work. It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL.
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 02, 2011, 08:42:42 AM |
|
jav: Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work.
It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL.
Okay that makes sense. So even though I can no longer see that address it may still be receiving for my Instawallet. Maybe just list on the Instawallet page (on a pull-down button?) every bitcoin address that can receive to that Instawallet account? Nice work btw.
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 01:42:08 PM |
|
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
The recognition system works with cookies. Cookies are stored locally by your browser, so as long as your are using the same browser to come back to the website, it doesn't matter whether you use Tor or not. I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
I'm sorry, but I would probably not want to that, no. Remember, Bitcoin transactions are public. Somebody else might - maybe with some additional clues - figure out that some Bitcoin address belongs to Instawallet and can just look up the balance on blockexplorer.com. I guess it would be ok if you would tell me the correct balance plus the last couple of characters from your secret link. Just write that down somewhere, to be safe. well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Please give this at least 24h to sort itself out. If you quickly send coins back in forth, then these transactions look very "spammy" to the Bitcoin network and can potentially take a long time to be confirmed. How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work. It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL. JAV, how long do i have to wait? i had my client connected all afternoon yesterday w/o any effect.
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 02:11:47 PM |
|
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
The recognition system works with cookies. Cookies are stored locally by your browser, so as long as your are using the same browser to come back to the website, it doesn't matter whether you use Tor or not. I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
I'm sorry, but I would probably not want to that, no. Remember, Bitcoin transactions are public. Somebody else might - maybe with some additional clues - figure out that some Bitcoin address belongs to Instawallet and can just look up the balance on blockexplorer.com. I guess it would be ok if you would tell me the correct balance plus the last couple of characters from your secret link. Just write that down somewhere, to be safe. well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Please give this at least 24h to sort itself out. If you quickly send coins back in forth, then these transactions look very "spammy" to the Bitcoin network and can potentially take a long time to be confirmed. How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work. It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL. JAV, how long do i have to wait? i had my client connected all afternoon yesterday w/o any effect. my client show the 2 receives of .01 btc greyed out; what does that mean?
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 06:14:51 PM |
|
never mind JAV; those two .01 btc confirmed
|
|
|
|
pc
|
|
May 03, 2011, 12:27:06 PM |
|
I don't know if this might just give people a false sense of security, but you might want a robots.txt excluding your wallet URLs. Google has several wallets indexed now, although there were no bitcoins in any of the ones I saw. I think the main concern might be a user hearing about Instawallet, Googling for it, and then clicking through to a specific wallet URL without realizing it, and then anyone else could get to it the same way. Maybe a warning based on referrer would be good enough, though. If you leave wallets indexable, it gives users a quick way to see if their secret URL has gotten out anywhere, I suppose.
|
|
|
|
deadlizard
Member
Offline
Activity: 112
Merit: 11
|
|
May 03, 2011, 01:46:43 PM |
|
google-analytics? ....... afaik that gives google access to every page that it runs on
|
|
|
|
jav (OP)
|
|
May 03, 2011, 03:04:59 PM |
|
I don't know if this might just give people a false sense of security, but you might want a robots.txt excluding your wallet URLs. Google has several wallets indexed now, although there were no bitcoins in any of the ones I saw. Aw, nice... yeah, whenever their robot comes back it gets a fresh wallet. =) Thx for pointing that out, I will set up a robots.txt. The problem with people clicking through to a specific Instawallet is a valid concern (I had one person using the /w/free_bitcoins link posted by Insti in this thread, transfer 0.01 BTC there and then wondered when it disappeared) and there is no point in spamming the search index anyway. google-analytics? ....... afaik that gives google access to every page that it runs on Yes, that's correct. And while I consider my Analytics data to be pretty secure, it's an unnecessary risk, I agree. I will move to a local-only log analysis tool soon and then delete the Google Analytics data set.
|
|
|
|
Ian Maxwell
|
|
May 10, 2011, 04:34:48 PM |
|
@jav: How much access do you have to money in an instawallet? It wouldn't surprise me if it's possible to arrange things so you have no access at all. One way would be to randomly generate the URL for each new wallet, but derive keypairs deterministically from that URL, and not keep a record of the URL on your end. (Of course you'd have web server logs, but you could purge them of sensitive data on a regular basis.)
On the legal end, this may protect you from things like bank regulations that might eventually be applied to Bitcoin, since you wouldn't actually be holding anything yourself---just hosting a web application.
On the security end, it would dramatically reduce user risk---even if your server were physically stolen or destroyed, it would be possible for your users to recover their bitcoins and impossible for anyone else to steal them.
|
|
|
|
jav (OP)
|
|
May 11, 2011, 03:00:24 PM |
|
@jav: How much access do you have to money in an instawallet? It wouldn't surprise me if it's possible to arrange things so you have no access at all. One way would be to randomly generate the URL for each new wallet, but derive keypairs deterministically from that URL, and not keep a record of the URL on your end. (Of course you'd have web server logs, but you could purge them of sensitive data on a regular basis.)
That's an interesting idea and it should be possibly in theory. I don't think it's very practical at the moment, though. It would probably require large changes to bitcoind, to support frequent imports and removals of private keys for the temporary time that the user is logged on. And it would still be kind of a kludge, as the user is still vulnerable during the time he is accessing the Instawallet. I agree though, that it would have many benefits. I think the WebCoin project does some interesting work in this regard, going so far as completely preventing the server from seeing the private keys at all. It should be interesting to see what they can come up with and their software might eventually be a better backend for the Instawallet site.
|
|
|
|
jav (OP)
|
|
May 19, 2011, 02:23:12 PM |
|
Quick update: All traces of Google Analytics have been removed. I also tackled the biggest source of user confusion: changing Bitcoin addresses. The address you see on your Instawallet will from now on not change anymore.
So far everything seems to run fine. More updates (including a FAQ) will follow.
|
|
|
|
foo
|
|
May 23, 2011, 09:45:44 AM |
|
Would you consider creating a namecoin version of instawallet?
|
I know this because Tyler knows this.
|
|
|
gigabytecoin
|
|
May 23, 2011, 10:53:05 AM |
|
Nice! I likey! Keep up the good work!
|
|
|
|
zef
Member
Offline
Activity: 90
Merit: 10
|
|
May 23, 2011, 01:36:12 PM |
|
Is it possible for someone to generate addresses locally and inputting them to your site, sort of like a brute force way to find random wallets? I noticed the url is different from the wallet address, which is good, but I would still be concerned about an attack like that.
|
|
|
|
jerfelix
|
|
May 23, 2011, 09:40:33 PM |
|
@JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins). I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics. But Instawallet is a very nice looking site! See http://www.google.com/privacy/faq.html#toc-terms-urls URLs and embedded information
Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service. When you sign up for any such service, you will be informed clearly that the service sends URLs to Google, and whether and how you can opt-in or opt-out.
For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may “embed” that information – including personal information – into its URL (typically, after a question mark (“?”) in the URL). When the URL is transmitted to Google, our servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs.
|
|
|
|
luv2drnkbr
|
|
May 24, 2011, 12:06:13 PM |
|
Could you implement some kind of thing like Mt. Gox's API where I could send BTC by just opening a URL, and then as long as enough BTC were in my wallet, it would send them. Something like: https://www.instawallet.org/w/wallet-address/send.php?sendtoaddress=&amount=That way, guys like me who have basically no programming knowledge at all could still have a way to automate things. Like I plan on writing an autohotkey script that might utilize a feature like that.
|
|
|
|
jav (OP)
|
|
May 24, 2011, 01:19:07 PM |
|
Would you consider creating a namecoin version of instawallet?
I think Namecoin is a very interesting project, but would prefer to focus my resources just on the Bitcoin side of things for now. Is it possible for someone to generate addresses locally and inputting them to your site, sort of like a brute force way to find random wallets? I noticed the url is different from the wallet address, which is good, but I would still be concerned about an attack like that.
Knowing the Bitcoin address of a wallet doesn't improve your chances of guessing an Instawallet, if that's what you mean. As to randomly trying Instawallet URLs: the search space is big enough, that this won't get you anywhere. @JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins). I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics.
Thx for the heads up, but how do you propose I should deal with them? It seems to me, that if people want to send their private data to a cloud service, it's up to them whether they trust that provider. I'm not the only service that uses secret URLs. You can, for example, create YouTube videos that can only be accessed through a private link. As far as I know, these services also don't deal specifically with toolbars. But I will mention it in the upcoming FAQ. Could you implement some kind of thing like Mt. Gox's API where I could send BTC by just opening a URL, and then as long as enough BTC were in my wallet, it would send them.
I have been toying with the idea of providing an API. It will probably happen at some point, but I can't promise anything right now, there are still lots of other things in the queue.
|
|
|
|
jerfelix
|
|
May 24, 2011, 02:53:54 PM |
|
@JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins). I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics.
Thx for the heads up, but how do you propose I should deal with them? It seems to me, that if people want to send their private data to a cloud service, it's up to them whether they trust that provider. I'm not the only service that uses secret URLs. You can, for example, create YouTube videos that can only be accessed through a private link. As far as I know, these services also don't deal specifically with toolbars. But I will mention it in the upcoming FAQ. Yup. You are right - lots of people do it. I think a warning in your FAQ or terms and conditions is sufficient. I think the difference is that you are dealing with money, while YouTube is just dealing with videos. (Not that personal videos can't be a lot more valuable than the 1 BTC that someone might have in their instawallet,...) Although you are only dealing with small amounts of Bitcoins, I can imagine the temptation at one of the suppliers to be great, in that a rogue Google / Alexa / Yahoo employee can attack ALL of the tiny stored amounts, and potentially get a lot of cash. Or worse, maybe one of these sites publishes to the internet "Frequently accessed pages on the site instawallet.com" and lists a bunch of them. Then a random stranger on the internet could rob the bank of many pennies. I think someone can use Yahoo API to find the 1000 most popular pages on a website, which might be exactly the hack needed. I'm not saying you shouldn't go forward with the project. I love the idea. But it's something to think about. Maybe some security experts can give their opinion. --- Here's another attack that may or may not be an issue. There's a tricky way for one site to access your browser history - specifically, it can see whether you have or have not visited a specific page. I don't THINK that will be a problem for you (as they'd have to guess the exact page), but it popped into my head as I was typing this. See http://infinity-infinity.com/2009/06/sniffing-browser-history-with-css/ which is the page that also mentioned that Yahoo API can give you the 1000 most popular pages on a site. Anyway... as long as people treat it like "disposable money" to play with, then no biggie. But your site could lose credibility or you may need to shut down, if you get hacked in one of these fashions, so it's something to consider. Hope I'm being helpful in pointing out things that you may figure out preventions for!
|
|
|
|
jav (OP)
|
|
June 10, 2011, 03:10:34 PM |
|
I just rolled out a small update to support balances of less than 0.01 BTC. I was hoping to also include the ability to send transaction smaller than 0.01 BTC, but with the current state of the RPC interface regarding fee handling and the rules surrounding "dust spam" this is still somewhat problematic. I have a more detailed post about the issues and a proposal for a more flexible solution over in the Development board: http://forum.bitcoin.org/index.php?topic=14571.0 .
|
|
|
|
jav (OP)
|
|
June 23, 2011, 04:27:24 PM |
|
Another update: I deprecated the whole cookie thing. Instawallet will no longer make any attempts at trying to remember you. Please note: This means that it's now up to you to make sure you have a bookmark or similar to find your way back.
I thought it was a nice convenience function, but I have reconsidered this decision. Mostly I was worried about the possible confusion that can happen when people visit a specific Instawallet linked somewhere, then later return to the site and don't notice that they are redirected to an "old" Instwallet instead of a "fresh" one.
So starting from now on no new cookies will be set. But old cookies will continue to work until they expire (will take a while) or you clear them manually.
|
|
|
|
Insti
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
|
|
June 24, 2011, 06:09:02 AM |
|
Another update: I deprecated the whole cookie thing. Instawallet will no longer make any attempts at trying to remember you.
+1. Good improvement.
|
|
|
|
Capitan
Member
Offline
Activity: 112
Merit: 10
|
|
June 24, 2011, 06:37:48 AM |
|
PSA guys, technically this isn't any more secure than encrypting your own wallet. If a hacker/malware were on your system and found the "secret" link in your browser bookmarks or saved somewhere on your system, the hacker could just use that URL to transfer the funds to their own wallet.
Yeah, it's one more thing for the writers of malware to have to search for the secret link, but it's not out of question. Look at all the hacks and stuff that have come up. WHere there are security holes these hackers will find a way to get in and steal stuff. It didn't take them long at all to make the malware to steal wallet.dat. The level of effort it would take to adapt that malware to also search for this secret URL is trivial.
Or am I missing something?
|
|
|
|
johanatan
Member
Offline
Activity: 84
Merit: 10
|
|
June 24, 2011, 06:38:28 AM |
|
Yeah, this seems rather nifty, but I'd want a lot more details about how the unique URL is generated, what protections there are against people trying to brute-force URLs to stumble upon money, and how the server/wallets are secured before using it for anything serious.
The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker. This is a serious issue if someone under the control of a botnet points it at your site. They could implement throttling on their end (so as to avoid DDOS) and yet still hit you from so many IPs. This service's security is mere obscurity (which would be fine as *one* layer--but not the only). You should think about at least extending the random URL out to the max size allowed (or near it). There's no downside to that.
|
1GjRUzZfDCBHeCyJk6av3pXYS9VKjCvQTQ
|
|
|
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
|
|
June 24, 2011, 06:41:33 AM |
|
Thanks for the update. Will continue to use this service
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
June 24, 2011, 06:56:08 AM |
|
PSA guys, technically this isn't any more secure than encrypting your own wallet. If a hacker/malware were on your system and found the "secret" link in your browser bookmarks or saved somewhere on your system, the hacker could just use that URL to transfer the funds to their own wallet.
Yeah, it's one more thing for the writers of malware to have to search for the secret link, but it's not out of question. Look at all the hacks and stuff that have come up. WHere there are security holes these hackers will find a way to get in and steal stuff. It didn't take them long at all to make the malware to steal wallet.dat. The level of effort it would take to adapt that malware to also search for this secret URL is trivial.
Or am I missing something?
You could encrypt the bookmark link to your instawallet ... or continually create new ones and move the money around ... get creative. And I don't think anyone ever said it was for large holdings just your spending money when you are out and about on the net .... so you don't have to fire up the big kahuna with your savings wallet in it just to buy some socks and blow ....
|
|
|
|
Meni Rosenfeld
Donator
Legendary
Offline
Activity: 2058
Merit: 1054
|
|
June 24, 2011, 07:57:12 AM |
|
Mostly I was worried about the possible confusion that can happen when people visit a specific Instawallet linked somewhere, then later return to the site and don't notice that they are redirected to an "old" Instwallet instead of a "fresh" one.
How about creating a cookie only when a user visits the main site without a specific wallet? This should solve this problem. I think deprecating the cookies will be a significant decrease in convenience and cause many lost wallets.
|
|
|
|
netrin
Sr. Member
Offline
Activity: 322
Merit: 251
FirstBits: 168Bc
|
|
June 24, 2011, 03:47:40 PM |
|
Am I missing something? https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no?
|
|
|
|
Capitan
Member
Offline
Activity: 112
Merit: 10
|
|
June 24, 2011, 04:27:51 PM |
|
Am I missing something? https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no? Correct.
|
|
|
|
jav (OP)
|
|
June 24, 2011, 05:45:09 PM |
|
PSA guys, technically this isn't any more secure than encrypting your own wallet.
Absolutely. It's most likely less secure than "encrypting your own wallet". I never advertised this as a secure way to store lots of Bitcoins. In fact, I specifically mention in the FAQ and will repeat it here: Please _do not_ store significant amount of money at Instawallet. Instawallet is all about lowering the barrier of entry and getting people started with Bitcoin quickly. It's not meant as a vault to keep your Bitcoin wealth. The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.
This is a serious issue if someone under the control of a botnet points it at your site. They could implement throttling on their end (so as to avoid DDOS) and yet still hit you from so many IPs. This service's security is mere obscurity (which would be fine as *one* layer--but not the only). You should think about at least extending the random URL out to the max size allowed (or near it). There's no downside to that. Just for the fun of it, here is what I mean by "doing the math": 16 bytes of random data is 128 bits, which means there are 2^128 = 340282366920938463463374607431768211456 possible Instawallet URLs. Let's say there are 10000 Instawallets in use (in reality the number is nowhere this large, but let's be optimistic and assume that Instawallet will grow). So you have a chance of 10000 to 2^128 to find a wallet with coins if you just guess once. To bring your chances to 50% of finding at least one wallet with coins, you need to guess about 2.359 * 10^34 times (some probability math applied here, I can elaborate if you like). Let's say you want to complete your search within one year. A year has about 3.154 * 10^16 nanoseconds. This means my server needs to serve roughly 7.48 * 10^17 requests per nanosecond to the attacker/botnet. Do you think my server can handle this? I think we can safely wait until a few more upgrades in processing speed and bandwidth before I have to make the URLs any longer. How about creating a cookie only when a user visits the main site without a specific wallet? This should solve this problem. I think deprecating the cookies will be a significant decrease in convenience and cause many lost wallets.
That's an interesting alternative, yes, I will keep it in mind. I am wondering whether this change will result in lost wallets. Are people really going to send money without making sure they can access it again? Maybe, I don't know... on the other hand, I can also construct cases where the cookie results in lost wallets: People start to rely on the site remembering them and then suddenly they get a new laptop or somehow clear their cookies and are caught by surprise that the site doesn't remember them anymore. But I will keep this issue in mind. Am I missing something? https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2Jj Sure it's HTTPS which encrypts the payload, but anyone can get access to the URL. Then, if I understand the implementation, the attacker (neighbor) can drain the entire account, no? Everything besides the host name is encrypted when you use HTTPS, including the URL.
|
|
|
|
smartcardguy
Newbie
Offline
Activity: 14
Merit: 0
|
|
June 24, 2011, 05:56:57 PM |
|
A very well done site, I like it.
|
|
|
|
|
smartcardguy
Newbie
Offline
Activity: 14
Merit: 0
|
|
June 24, 2011, 06:12:02 PM |
|
@JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins). I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics. But Instawallet is a very nice looking site! See http://www.google.com/privacy/faq.html#toc-terms-urls URLs and embedded information
Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service. When you sign up for any such service, you will be informed clearly that the service sends URLs to Google, and whether and how you can opt-in or opt-out.
For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may “embed” that information – including personal information – into its URL (typically, after a question mark (“?”) in the URL). When the URL is transmitted to Google, our servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs. So does IE and I think Chrome does as well, in the case of IE its with user consent (do you want to help improve our products?).
|
|
|
|
anybodyelseNOW
Newbie
Offline
Activity: 11
Merit: 0
|
|
June 24, 2011, 06:24:36 PM |
|
very nice idea. loads very slow for me
|
|
|
|
johanatan
Member
Offline
Activity: 84
Merit: 10
|
|
June 24, 2011, 07:36:20 PM |
|
Just for the fun of it, here is what I mean by "doing the math": 16 bytes of random data is 128 bits, which means there are 2^128 = 340282366920938463463374607431768211456 possible Instawallet URLs. Let's say there are 10000 Instawallets in use (in reality the number is nowhere this large, but let's be optimistic and assume that Instawallet will grow). So you have a chance of 10000 to 2^128 to find a wallet with coins if you just guess once. To bring your chances to 50% of finding at least one wallet with coins, you need to guess about 2.359 * 10^34 times (some probability math applied here, I can elaborate if you like). Let's say you want to complete your search within one year. A year has about 3.154 * 10^16 nanoseconds. This means my server needs to serve roughly 7.48 * 10^17 requests per nanosecond to the attacker/botnet.
Do you think my server can handle this? I think we can safely wait until a few more upgrades in processing speed and bandwidth before I have to make the URLs any longer.
Actually, with a URL such as: https://www.instawallet.org/w/tnwghY1sfQip3ia64mR2JjYou have 62 (26*2 + 10) choose 22; i.e., 62^22 = 2.70 * 10^39 possibilities. Or, at least, this is the math that the hacker would've had to do had you not told us that it was only 16 bytes. :-) And, is 10,000 a realistic figure for the number of expected active accounts? Still though, with luck involved, anything can happen. The hacker could get lucky and find a wallet on his very first attempt. It's a neat idea though. I suppose it'd be safe for a very small amount of coins exposed for a very small time (however, even then, why take on any risk if you don't have to)? I know it's for the noobs and all, but if they're seriously going to be able to use it as a wallet, then they would want to be able to store a significant chunk for significant length of time (and I wouldn't recommend that). Looks like this would be best used as a laundry service for advanced users (who do not mind the tiny risk for tiny amounts of time).
|
1GjRUzZfDCBHeCyJk6av3pXYS9VKjCvQTQ
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
July 11, 2011, 07:10:30 AM |
|
I have been toying with the idea of providing an API. It will probably happen at some point, but I can't promise anything right now, there are still lots of other things in the queue. Thanks for providing this (API functionality)! - http://forum.bitcoin.org/index.php?topic=26910.0
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
July 11, 2011, 08:30:01 AM |
|
Hi jav, any plans to include a namecoin Instawallet? cheers,
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
July 11, 2011, 09:35:23 AM |
|
While there is no immediate resolution to the "can't send less than 0.01 BTC" using InstaWallet, how about allowing those small transfers from one Instawallet to another to be allowed (i.e., the transfer is allowed if the target address is also on InstaWallet)?
MyBitcoin, for instance, allows internal transfers to an address for another MyBitcoin account can be an amount as low as 1 satoshi or something to that effect.
These transactions would have the additional benefit of clearing instantaneously, since they are internal to InstaWallet and not announced to the block chain.
With the API now available, I can think of a couple of uses where this would be handy.
|
|
|
|
jav (OP)
|
|
July 11, 2011, 02:46:27 PM |
|
any plans to include a namecoin Instawallet?
Not at the moment, no. how about allowing those small transfers from one Instawallet to another to be allowed (i.e., the transfer is allowed if the target address is also on InstaWallet)?
Yes, I will try and tackle this soon (detecting internal transfers and dealing with them differently).
|
|
|
|
jav (OP)
|
|
July 13, 2011, 04:20:10 PM |
|
Quick update: Internal payments (from one Instawallet to another) are now detected and treated differently: They are instantaneous and amounts down to 1 Satoshi are possible.
|
|
|
|
naypalm
Legendary
Offline
Activity: 1272
Merit: 1012
howdy
|
|
July 15, 2011, 07:11:54 PM |
|
Anyone else getting a timeout error? occurred at 3:11PM EST
|
|
|
|
bbit
Legendary
Offline
Activity: 1330
Merit: 1000
Bitcoin
|
|
July 15, 2011, 08:04:20 PM |
|
this site has bit the dust ... I wonder if anyone lost bitcoins ?
|
|
|
|
qikaifu
Full Member
Offline
Activity: 168
Merit: 100
God creats math and math creats bitcoin.
|
|
July 15, 2011, 08:57:06 PM |
|
I guess this is still a 1-step authentication method to protect people's money from stealing. Maybe jav should add some username and password system to make it both safe and convenient.
The browsers do record the history, and lots of users do share their computers with other people
|
|
|
|
jav (OP)
|
|
July 15, 2011, 11:01:34 PM |
|
Anyone else getting a timeout error? occurred at 3:11PM EST
Yes, I just noticed that the site was down for a number of hours. Sorry about that. It's back up again now. Unfortunately I'm not sure what caused the crash, so it might happen again. :-/
|
|
|
|
done
Newbie
Offline
Activity: 56
Merit: 0
|
|
July 15, 2011, 11:02:21 PM |
|
it's back up
|
|
|
|
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
|
|
July 18, 2011, 07:22:32 PM |
|
Down again...sigh
|
|
|
|
jav (OP)
|
|
July 18, 2011, 10:08:34 PM |
|
Quoted from the downtime thread ( http://forum.bitcoin.org/index.php?topic=13230 - I will post downtime related updates only over there in the future): It's back up.. for the moment. You guys are putting too much load on it by using it so much. ;-) Seriously though, I'm running into a number of scaling issues which show that the Bitcoin daemon hasn't really been used in production (large wallet.dat) much. I'm afraid there isn't an over-night fix for this, so the site might be flaky over the next days/weeks until I can figure out some solutions and/or workarounds. Thanks for this service by the way, it's really useful and (so far) dependable.
Thx for the encouragement. I'm glad it's useful to some people. Sorry about the downtime. I hope I can return to the previous level of stability once this growing pain is sorted out.
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
July 19, 2011, 01:42:26 AM |
|
Quoted from the downtime thread ( http://forum.bitcoin.org/index.php?topic=13230 - I will post downtime related updates only over there in the future): It's back up.. for the moment. You guys are putting too much load on it by using it so much. ;-) Seriously though, I'm running into a number of scaling issues which show that the Bitcoin daemon hasn't really been used in production (large wallet.dat) much. I'm afraid there isn't an over-night fix for this, so the site might be flaky over the next days/weeks until I can figure out some solutions and/or workarounds. Thanks for this service by the way, it's really useful and (so far) dependable.
Thx for the encouragement. I'm glad it's useful to some people. Sorry about the downtime. I hope I can return to the previous level of stability once this growing pain is sorted out. jav, what's your business model for this great service? How do you expect for pay for it when/if it scales up to appreciable cost size? thnx.
|
|
|
|
jav (OP)
|
|
July 19, 2011, 08:20:18 AM |
|
what's your business model for this great service?
How do you expect for pay for it when/if it scales up to appreciable cost size?
I don't have a business model at the moment. It's just a spare time project to help Bitcoin gain some traction. I'll see how it develops. Maybe other services/solutions will make Instwallet obsolete, maybe I'll find a way to finance it that I'm happy with or maybe it will just run on donations. For the moment the scaling issues aren't so much "lots of users", but more "really inefficient algorithms" (in some parts of the Bitcoin daemon). As I mention, that will take some time to sort out, but fundamentally the service should be able to run on very few resources to serve current demand. On that note, I am considering throwing hardware at the problem to buy myself some time. Maybe get a dedicated server for 3 months. That would probably require around 10 BTC in donations. Would you guys be interested in that or would you rather deal with a little downtime here and there?
|
|
|
|
elk-tamer
Member
Offline
Activity: 87
Merit: 10
|
|
July 20, 2011, 01:36:04 AM |
|
For the moment the scaling issues aren't so much "lots of users", but more "really inefficient algorithms" (in some parts of the Bitcoin daemon). As I mention, that will take some time to sort out, but fundamentally the service should be able to run on very few resources to serve current demand.
On that note, I am considering throwing hardware at the problem to buy myself some time. Maybe get a dedicated server for 3 months. That would probably require around 10 BTC in donations. Would you guys be interested in that or would you rather deal with a little downtime here and there?
Can you give us more information about what causes the bottlenecks with bitcoind ? Like what volume and type of transactions? Is it all CPU? I'm sort of hoping to use bitcoinj, but in reality having instawallet running as a stable service would be ideal for what I want to do. You should just start charging a transaction fee. I'd far rather pay that than give a donation.
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
July 20, 2011, 09:20:35 AM |
|
develops. Maybe other services/solutions will make Instwallet obsolete, maybe I'll find a way to finance it that I'm happy with or maybe it will just run on donations. I wonder if offering a white-label version would be a revenue source. For instance, a retail merchant might wish to run some promotion where given away are scratch-off tickets each with InstaWallet URLs or something to that effect. For that, the merchant might want their own branded instawallet site. And, of course, they'ld need (and be paying for) enterprise-level service (i.e., able to serve adequately the expected load). Also, I wonder if there isn't a revenue opportunity to integrate some spend for balances in an instawallet. For instance, exchanges are looking to add customers. Any instawallet with 1 BTC or more is a good candidate to offer an account at an exchange (and InstaWallet gets commission for each user who signs up). I've not used BitPay yet but I suspect once I do I'll be willing to pay a monthly fee to have an instawallet + BitPay combination. Especially if it will be in exchange for a service level commitment.
|
|
|
|
jav (OP)
|
|
July 20, 2011, 02:48:06 PM |
|
Can you give us more information about what causes the bottlenecks with bitcoind ? Like what volume and type of transactions? Is it all CPU? I'm sort of hoping to use bitcoinj, but in reality having instawallet running as a stable service would be ideal for what I want to do.
It's mostly the fact that I'm using the account feature of bitcoind. I didn't realize in the beginning, that the account code often calculates things from scratch (for example when calculating the balance of an account). I have already written a cache ( https://github.com/javgh/bitcoin/tree/balancecache ), but it will need some more fundamental changes to scale further. I currently have around 30000 accounts (almost all of them empty of course, that's the nature of the site). If you don't make much use of the account feature, than you will probably not run into the same problems. You should just start charging a transaction fee. I'd far rather pay that than give a donation.
I agree, I also don't like asking for donations. So scratch that "donate for bigger server" idea. (You are of course welcome to donate and I appreciate that very much, but I don't want to give anyone the feeling, that they are obliged to donate). I have been considering transaction fees and will probably experiment with something in that direction. Unfortunately this is another area where the bitcoin daemon needs improvement. Using the RPC interface, it is currently very hard to control when and how much fee is included (and if I start taking transaction fees, I will want to pass some of them on to the miners). So things need to improve in this area first (or me finding the time to do it myself) before I can pursue that further. @Gornick: Those are interesting ideas. I'm also toying with different revenue models. There are definitely a number of things to try out. But you know how it is: "so much to code, so little time". ;-)
|
|
|
|
spruce
|
|
July 20, 2011, 02:52:31 PM |
|
What is the approximate traffic flow? How many BTC in and out average in a 24 hour period, would you say?
|
|
|
|
jav (OP)
|
|
July 20, 2011, 04:05:00 PM |
|
I have now deleted a bunch of old accounts to ease the load on the system. Accounts with ALL of the following conditions - balance of zero
- never received a transaction
- not been accessed in the last couple of weeks
have been deleted. I can't imagine anyone being affected by this, but if you had such an account, the associated Bitcoin address is now no longer valid and you have to revisit the site to get a new one. If you experience any problems because of this clean up, please get in touch with me, as I have backups of all deleted accounts. What is the approximate traffic flow? How many BTC in and out average in a 24 hour period, would you say?
I won't disclose BTC volume for now (although sooner or later someone will probably extract that from the block chain - it's not that hard with the right tools). But in terms of number of transactions, the site has about 70 per day. As I said, it's not terrible much. The scaling issues are mostly the big number of accounts and really inefficient algorithms. There are many possible solutions to this, but all of them will take a bit of time.
|
|
|
|
elk-tamer
Member
Offline
Activity: 87
Merit: 10
|
|
July 20, 2011, 05:16:26 PM |
|
jav, Have you considered moving the account generation to page other than the landing page? I know I've created a few accounts just by clicking your sig.
|
|
|
|
naypalm
Legendary
Offline
Activity: 1272
Merit: 1012
howdy
|
|
July 22, 2011, 02:00:35 AM |
|
Hello! I was just doing a google search for "bitcoin instawallet" and here are my results per 2 different computers and 1 mobile device. Each with their own different ISP IP. Computer 1: Computer 2: Mobile Phone: I only bring this up because there is an instawallet publicly visible in a google seach for "bitcoin instawallet". I guess a post here ( http://orlingrabbe.com/?p=1476084883) is what caused it to become visible. It might be wise for the creator of instawallet to delete this wallet just in case. Or if there is some sort of way to stop google from displaying instawallet pages in google searches. Please be advised and DON'T POST YOUR INSTAWALLET URL!
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
July 22, 2011, 02:55:30 AM |
|
Cool, how much is in it?
|
|
|
|
jav (OP)
|
|
July 23, 2011, 10:43:06 AM |
|
jav, Have you considered moving the account generation to page other than the landing page? I know I've created a few accounts just by clicking your sig.
Yes, I will change it like that at some point.
|
|
|
|
Insti
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
|
|
August 02, 2011, 04:09:04 PM |
|
Is there a way to get a new instawallet address? It keeps giving me the same address and I'd like a new one.
|
|
|
|
incraft3817
Member
Offline
Activity: 87
Merit: 10
|
|
August 02, 2011, 04:51:29 PM |
|
Is there a way to get a new instawallet address? It keeps giving me the same address and I'd like a new one.
Click on home. I wouldn't use this service if I were you. This site looks like another mybitcoin.
|
|
|
|
Insti
Sr. Member
Offline
Activity: 294
Merit: 252
Firstbits: 1duzy
|
|
August 02, 2011, 05:04:13 PM |
|
Click on home.
Thanks. It seems I had to also delete some old instawallet cookies, but now it gives me new addresses as I'd expect.
|
|
|
|
jorijnsmit
Newbie
Offline
Activity: 36
Merit: 0
|
|
August 18, 2011, 11:40:46 AM |
|
Cool stuff jav, thanks a lot! Stuff like this is what the bitcoin community really needs.
|
|
|
|
evoorhees
Legendary
Offline
Activity: 1008
Merit: 1021
Democracy is the original 51% attack
|
|
August 18, 2011, 02:15:23 PM |
|
I've been using this site for a few months and have been extremely impressed. That said, it's still not intended to be used for significant amounts of money. Don't store your savings there.
|
|
|
|
Piper67
Legendary
Offline
Activity: 1106
Merit: 1001
|
|
August 18, 2011, 02:16:32 PM |
|
I've been using this site for a few months and have been extremely impressed. That said, it's still not intended to be used for significant amounts of money. Don't store your savings there.
Agreed, not for large amounts or as your main place to keep bitcoins... but I have some BTC on an instawallet on my iPhone, and it works really, really well.
|
|
|
|
Trader Steve
|
|
August 19, 2011, 02:52:31 AM |
|
I've been using this site for a few months and have been extremely impressed. That said, it's still not intended to be used for significant amounts of money. Don't store your savings there.
Agreed, not for large amounts or as your main place to keep bitcoins... but I have some BTC on an instawallet on my iPhone, and it works really, really well. Agreed. See: A Simple Wallet Solution for iPhonehttp://bitcointraining.wordpress.com/2011/07/05/simple-wallet-solution-for-iphone/
|
|
|
|
BitcoinStars.com
|
|
August 19, 2011, 02:58:47 AM |
|
instawallet and vibanko are the ones we enjoy using personally for small amounts on the ipad
|
|
|
|
jav (OP)
|
|
August 19, 2011, 08:32:14 AM |
|
Thanks a lot guys, for all the kind words! I hope I can continue to provide a good service. I apologize for the site being slow from time to time at the moment. I am planning a complete rewrite of the back end to prepare the site for much higher loads which, as soon as I can complete it, should hopefully solve these problems.
|
|
|
|
BitterTea
|
|
September 30, 2011, 10:23:57 PM |
|
Jav, how's redevelopment going?
I've previously been using BitBills for introducing Bitcoins to people (leaving for tips, etc), but I wasn't happy because it was too difficult to spend them. After a friend that was interested in Bitcoin, but not technologically savvy paid for a breakfast and I gave them a pre-filled Instawallet account in return, it struck me as the solution to my BitBill problem. So I came up with a blurb about Bitcoin that goes on the front of a business card, and on the back will go a unique Instawallet account. I'm creating a tool using the API to create, fill, and print the accounts, and I'm getting a lot of 504 errors, which makes creating new wallets very slow. Is there any way that developers could sign up for an API key or something, allowing bypass of normal rate limits?
|
|
|
|
netrin
Sr. Member
Offline
Activity: 322
Merit: 251
FirstBits: 168Bc
|
|
October 01, 2011, 12:17:07 AM |
|
Hi Jav, I understand Instawallet comes as-is with no warranty express or implied. However, I'm just curious about your logging practice. Do you associate IP addresses with URL/BTC addresses? Is the session stored entirely client side or does your server remember some key shared with the browser cookie? Are URLs derived from BTC addresses, vise versa or are they both just columns in the same database row?
I'm curious about this for a number of reasons but in particular I'm wondering if Instawallet helps scramble identity and is thus useful in preserving some anonymity?
|
|
|
|
jav (OP)
|
|
October 01, 2011, 12:52:05 PM |
|
Jav, how's redevelopment going?
Slow, I'm afraid. My new job keeps me pretty busy. So I came up with a blurb about Bitcoin that goes on the front of a business card, and on the back will go a unique Instawallet account. I'm creating a tool using the API to create, fill, and print the accounts, and I'm getting a lot of 504 errors, which makes creating new wallets very slow. Is there any way that developers could sign up for an API key or something, allowing bypass of normal rate limits?
Cool to hear Instawallet being used in this way! Unfortunately I can't lift the rate limits for you as there aren't any rate limits. Just a smallish server with too much load. But I am planning on switching to a new server fairly soon, so that should hopefully help! Hi Jav, I understand Instawallet comes as-is with no warranty express or implied. However, I'm just curious about your logging practice. Do you associate IP addresses with URL/BTC addresses? Is the session stored entirely client side or does your server remember some key shared with the browser cookie? Are URLs derived from BTC addresses, vise versa or are they both just columns in the same database row?
I don't go out of my way to _not_ log users, which means that typical settings are in effect on the server - for example the webserver records a log file which could be used to associate IP addresses with Instawallet URLs. Cookies aren't used anymore (in the beginning they were used to store the last visited Instawallet, but I have since changed that). So the site doesn't track any specific sessions - the URL is the only identifier needed and it's available as part of every request. URLs are generated randomly and have no special connection to the Bitcoin address. The link between them is stored in a database, like you said. I'm curious about this for a number of reasons but in particular I'm wondering if Instawallet helps scramble identity and is thus useful in preserving some anonymity?
I do think Instawallet can be a useful tool to increase anonymity. If you make two payments from your private wallet, it might be possible to link them using the block chain. If you do the same with Instawallet, it can always be argued that the second payment was some other Instawallet user (as to the outside, Instawallet just looks like one large wallet). Of course if someone has access to Instawallets logs - like I mentioned above - they can get the IP address that initiated the payment. Using Tor could be an option here, to hide your real IP from that.
|
|
|
|
finway
|
|
October 01, 2011, 04:04:30 PM |
|
Nice work!
|
|
|
|
netrin
Sr. Member
Offline
Activity: 322
Merit: 251
FirstBits: 168Bc
|
|
October 01, 2011, 06:20:30 PM |
|
I don't go out of my way to _not_ log users, which means that typical settings are in effect on the server... URLs are generated randomly and have no special connection to the Bitcoin address. The link between them is stored in a database... If you make two payments from your private wallet, it might be possible to link them using the block chain. If you do the same with Instawallet, it can always be argued that the second payment was some other Instawallet user (as to the outside, Instawallet just looks like one large wallet)... Of course if someone has access to Instawallets logs - like I mentioned above - they can get the IP address that initiated the payment. Using Tor could be an option here, to hide your real IP from that.
Thanks. Perhaps you could summarize these points in the FAQ
|
|
|
|
BitterTea
|
|
October 01, 2011, 09:01:21 PM |
|
Jav,
Running into problems with the API. Every time I try to make a payment I get "2: Specify an address". Any ideas?
|
|
|
|
jav (OP)
|
|
October 01, 2011, 09:29:10 PM |
|
Running into problems with the API. Every time I try to make a payment I get "2: Specify an address". Any ideas?
What tool or programming language are you using to access the API? Sounds like the "address" parameter is somehow not transmitted or maybe none of the parameters. It needs to be an HTTP POST call - so depending on how you go about this, you might have to switch your tool or library into HTTP POST mode. The sample client shows how to do that in Python: https://github.com/javgh/iw-console/blob/master/iw-console.py .
|
|
|
|
BitterTea
|
|
October 01, 2011, 11:56:25 PM |
|
Running into problems with the API. Every time I try to make a payment I get "2: Specify an address". Any ideas?
What tool or programming language are you using to access the API? Sounds like the "address" parameter is somehow not transmitted or maybe none of the parameters. It needs to be an HTTP POST call - so depending on how you go about this, you might have to switch your tool or library into HTTP POST mode. The sample client shows how to do that in Python: https://github.com/javgh/iw-console/blob/master/iw-console.py . I'm using Java. Now that I think of it, I am having trouble communicating with BitcoinD as well, so maybe it is due to my lack of familiarity with the language. Does your server need a specific content type set in the request or anything? I know I'm doing a POST and setting the request parameters.
|
|
|
|
jav (OP)
|
|
October 02, 2011, 07:29:02 AM |
|
I'm using Java. Now that I think of it, I am having trouble communicating with BitcoinD as well, so maybe it is due to my lack of familiarity with the language. Does your server need a specific content type set in the request or anything? I know I'm doing a POST and setting the request parameters.
There is no specific check for the content type, no. Hard to tell what's going on. I just tested the Python client again and here the payment command works. If you like, you can post the relevant part of your Java source code here (probably also interesting to other people developing against the API) or send me a PM with it and I can see if I can figure out what's going on. It might also be interesting to have a look at the actual request being sent. So I would either use something like Wireshark to have a look at what is send to the server or alternatively run a dummy server (easy on Linux with for example netcat - just do "netcat -l -p 8080 -vv" and it will listen on port 8080 for TCP connections) and then have your code connect to that (set the URL to " http://127.0.0.1:8080/") and see what netcat displays.
|
|
|
|
BitterTea
|
|
October 02, 2011, 05:49:38 PM Last edit: October 02, 2011, 08:05:27 PM by BitterTea |
|
I'm using Java. Now that I think of it, I am having trouble communicating with BitcoinD as well, so maybe it is due to my lack of familiarity with the language. Does your server need a specific content type set in the request or anything? I know I'm doing a POST and setting the request parameters.
There is no specific check for the content type, no. Hard to tell what's going on. I just tested the Python client again and here the payment command works. If you like, you can post the relevant part of your Java source code here (probably also interesting to other people developing against the API) or send me a PM with it and I can see if I can figure out what's going on. It might also be interesting to have a look at the actual request being sent. So I would either use something like Wireshark to have a look at what is send to the server or alternatively run a dummy server (easy on Linux with for example netcat - just do "netcat -l -p 8080 -vv" and it will listen on port 8080 for TCP connections) and then have your code connect to that (set the URL to " http://127.0.0.1:8080/") and see what netcat displays. Here's what I get with netcat: Connection from 127.0.0.1 port 8080 [tcp/http-alt] accepted POST /api/v1/w/tDd7m55Pf87SMQIsAeak3g/payment HTTP/1.1 amount: 50000000 address: walletId User-Agent: Java/1.6.0_26 Host: 127.0.0.1:8080 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive I realized that it's because I wasn't sending you a Bitcoin address, I was sending you an Instawallet id... Maybe the message sent back should have been "malformed address"? Here's the class I wrote to interact with the API. Anyone can feel free to use/modify this. http://pastebin.com/ceaBBnGXedit... I take that back, it wasn't the problem. Here is what I get from netcat: Connection from 127.0.0.1 port 8080 [tcp/http-alt] accepted POST /api/v1/w/tDd7m55Pf87SMQIsAeak3g/payment HTTP/1.1 amount: 50000000 address: 1AFLxpKwd549Vq6oeC3cHiCJ6WZwRF4yL4 User-Agent: Java/1.6.0_26 Host: 127.0.0.1:8080 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive Here is what I get from Instawallet: {"successful": false, "message": "Please provide a Bitcoin address.", "message_code": 2}
|
|
|
|
finway
|
|
October 02, 2011, 06:32:06 PM |
|
awesome!
|
|
|
|
jav (OP)
|
|
October 02, 2011, 07:07:11 PM |
|
Here's the class I wrote to interact with the API. Anyone can feel free to use/modify this. http://pastebin.com/ceaBBnGXedit... I take that back, it wasn't the problem. Here is what I get from netcat: Connection from 127.0.0.1 port 8080 [tcp/http-alt] accepted POST /api/v1/w/tDd7m55Pf87SMQIsAeak3g/payment HTTP/1.1 amount: 50000000 address: 1AFLxpKwd549Vq6oeC3cHiCJ6WZwRF4yL4 User-Agent: Java/1.6.0_26 Host: 127.0.0.1:8080 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive I think I see what's going on. In your code you use setRequestProperty which - as far as I can tell - is used to set an extra HTTP header. But for a HTTP POST call you need to send the arguments in the body of the request. It should look something like this: POST /api/v1/w/2D3Yv-eNQQ3tbcb3oll_GQ/payment HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 53 Host: 127.0.0.1:8080 User-Agent: Python-urllib/1.17
amount=123&address=1AFLxpKwd549Vq6oeC3cHiCJ6WZwRF4yL4
Here is some example code, which puts together a POST call: http://www.exampledepot.com/egs/java.net/Post.html . That example code also uses URLEncoder.encode() to encode the arguments, although since this will always only be Bitcoin addresses and numbers I guess it isn't really necessary.
|
|
|
|
BitterTea
|
|
October 02, 2011, 07:18:44 PM |
|
Here's the class I wrote to interact with the API. Anyone can feel free to use/modify this. http://pastebin.com/ceaBBnGXedit... I take that back, it wasn't the problem. Here is what I get from netcat: Connection from 127.0.0.1 port 8080 [tcp/http-alt] accepted POST /api/v1/w/tDd7m55Pf87SMQIsAeak3g/payment HTTP/1.1 amount: 50000000 address: 1AFLxpKwd549Vq6oeC3cHiCJ6WZwRF4yL4 User-Agent: Java/1.6.0_26 Host: 127.0.0.1:8080 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive I think I see what's going on. In your code you use setRequestProperty which - as far as I can tell - is used to set an extra HTTP header. But for a HTTP POST call you need to send the arguments in the body of the request. It should look something like this: POST /api/v1/w/2D3Yv-eNQQ3tbcb3oll_GQ/payment HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 53 Host: 127.0.0.1:8080 User-Agent: Python-urllib/1.17
amount=123&address=1AFLxpKwd549Vq6oeC3cHiCJ6WZwRF4yL4
Here is some example code, which puts together a POST call: http://www.exampledepot.com/egs/java.net/Post.html . That example code also uses URLEncoder.encode() to encode the arguments, although since this will always only be Bitcoin addresses and numbers I guess it isn't really necessary. D'oh, thanks. When I get it working I'll update the pastebin... If you want to use that code for whatever reason, feel free.
|
|
|
|
jav (OP)
|
|
October 04, 2011, 08:24:49 AM |
|
Instawallet just moved to a new server! Response times should be much better now. :-)
|
|
|
|
Red Emerald
|
|
November 29, 2011, 06:45:35 AM |
|
I've setup a bookmark on my iPhone to use your site as a quick-and-easy wallet until a native app comes out.
Any chance of implementing a mobile-friendly theme? jQuery Mobile is stable now and makes it really easy to make a pretty site for lots of smartphones.
|
|
|
|
jav (OP)
|
|
November 29, 2011, 09:50:07 PM |
|
I've setup a bookmark on my iPhone to use your site as a quick-and-easy wallet until a native app comes out.
Any chance of implementing a mobile-friendly theme? jQuery Mobile is stable now and makes it really easy to make a pretty site for lots of smartphones.
I actually played around with jQuery Mobile a little bit. I might do a mobile version of the website using it at some point. Although it won't be possible to integrate the camera with a web solution, which is pretty unfortunate. So another option would be PhoneGap + jQuery Mobile to roll native applications for multiple platforms. That is also something I'm considering, but I don't have specific plans at the moment. And then there is the question, whether an app like this can make it into the iPhone app store. Has anyone more details on this? Are there actually Bitcoin apps which have been rejected or is there just a general assumption that Bitcoin wallets might get rejected? If so, on what basis? So yes, there is a chance I'll come up with a mobile solution. It's not at the top of my TODO list at the moment, though.
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
March 02, 2012, 08:17:58 AM |
|
There is a question posted asking if InstaWallet is experiencing any problems: - http://bitcointalk.org/index.php?topic=66984.0Is something wrong with the site? I'm missing money. And I keep getting a bad gateway message.
I'm suspecting the user cannot post here yet due to n00b status, so I'm posting this on that person's behalf.
|
|
|
|
jav (OP)
|
|
March 02, 2012, 08:52:12 AM |
|
Thanks for pointing that out. I will reply to that person in that thread. Instawallet is indeed under high load these days. It should not result in any lost coins though.
|
|
|
|
Alphonso Bedoya
Newbie
Offline
Activity: 45
Merit: 0
|
|
March 02, 2012, 02:41:32 PM |
|
Very glad to hear that response will be quicker, thank you. I continue to be impressed with the utility and simplicity of instawallet. I use them all the time to give gifts of bitcoins to people that have never heard of bitcoins, and instawallet makes this amazingly easy. I even sent a donation the other day after realizing there WAS no business model, just a great tool. Thanks again.
|
|
|
|
jav (OP)
|
|
March 02, 2012, 07:40:11 PM |
|
I continue to be impressed with the utility and simplicity of instawallet.
Thanks for the kind words! It makes it much harder to announce the following, but I'm afraid I have to stick to it: I have decided to shut down Instawallet for the time being. More details at www.instawallet.org . It was a great experience creating and running Instawallet, but at the moment I don't have the time and resources to continue to support the site. Thanks everyone for your support throughout the history of the project!
|
|
|
|
phatsphere
|
|
March 02, 2012, 08:34:57 PM |
|
I have decided to shut down Instawallet for the time being.
are there plans to open source the code?
|
|
|
|
MaxSan
|
|
March 03, 2012, 12:33:50 PM |
|
Yeh jav that would be pretty awsome. Id happily host a similar service just incase people require
|
|
|
|
red123
|
|
April 16, 2012, 11:00:33 PM |
|
Same thing is happening to me, I think I lost my coins just now. I had 40 in this wallet:12HXNGsG6gRk5Jz59HW1zQMnnV9Yf8hfgc and moved them to another wallet. When I hit 'Send coins' I never got a confirmation it just timed out and said "504 error" or something to that effect.
When I as able to access my wallet again about 5 minutes later my coins were gone have have yet to show up in my other wallet which is usually instant, at least confirmation the initiation, showing the progression of the blocks.
I'll keep checking but I have a feeling they are not going to show up.
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
April 16, 2012, 11:13:13 PM |
|
FYI - I don't see any posts in this thread by davout, the acquirer of InstaWallet, so I'm not sure he'll see your inquiry. Additionally, the site still shows the previous operator's e-mail address. So I posted an inquiry as to how to request support here: - http://bitcointalk.org/index.php?topic=67602.msg854213#msg854213
|
|
|
|
red123
|
|
April 16, 2012, 11:32:15 PM |
|
I see...well I got them but man something crazy is going on over there. My account all of a sudden showed 80 coins, exactly DOUBLE what I had in there. Is that crazy or what? I wasn't sure what to do. Then the site shut down again. 40, the original amount came back and I sent it out. I still timed out and there was still no confirmation however it seemed to work.
I never knew bitcoins could be manipulated like this, is it just instawallet? I am jst wondering what exactly causes all this. I LOVE instawallet its the best invention ever but not sure what is going on.
|
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1014
Strength in numbers
|
|
April 17, 2012, 02:24:28 AM |
|
I see...well I got them but man something crazy is going on over there. My account all of a sudden showed 80 coins, exactly DOUBLE what I had in there. Is that crazy or what? I wasn't sure what to do. Then the site shut down again. 40, the original amount came back and I sent it out. I still timed out and there was still no confirmation however it seemed to work.
I never knew bitcoins could be manipulated like this, is it just instawallet? I am jst wondering what exactly causes all this. I LOVE instawallet its the best invention ever but not sure what is going on.
Bitcoins aren't being manipulated. You can write whatever you want on a site you control. They are, certainly accidentally, displaying the wrong thing. I'm irritated because installet is a great idea, but it does require trust and it's being destroyed. How can I show people the simplicity of sending coin on a site that is down or slow 75% of the time? I knew davout was lazy on bitcoin-central, but I assumed acquiring this meant he was active again. :-(
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
moocow1452
Sr. Member
Offline
Activity: 240
Merit: 250
Don't mind me.
|
|
April 17, 2012, 02:54:17 AM |
|
Dammit, I really liked Instawallet and if it goes down, can't throw around URLs for payments anymore...
|
|
|
|
jav (OP)
|
|
April 17, 2012, 05:55:09 AM |
|
I see...well I got them but man something crazy is going on over there. My account all of a sudden showed 80 coins, exactly DOUBLE what I had in there. Is that crazy or what? I wasn't sure what to do. Then the site shut down again. 40, the original amount came back and I sent it out. I still timed out and there was still no confirmation however it seemed to work.
Hey there. Sorry to hear that you had troubles with Instawallet, but it looks like it is resolved now. About the 80 coins showing up: This is a bug somewhere in the AJAX balance updater and only affects the display. The server side is correct and if you refresh the page you will always see the correct balance. I have yet to track down the bug, it might have something to do with having multiple tabs open of the site or something like that. I guess it's up to the Bitcoin Central team now to dig through my code base and track this down - poor guys! ;-) i just wish they keep the exact same settings as Jav had.
The site still runs on the same exact configuration as before. It just has continued to grow and the current server can't really keep up - sorry about all the inconveniences. Davout & co. are still in the progress of bringing everything up on a new server. From what I understand it will be a much beefier machine, so that should help. For what it's worth though, even under high load and frequent timeouts the site will never lose your money no matter what you do. Withdraws are always atomic. Either the transaction went out and you see the amount deducted, or both of it doesn't happen. Regardless of when an error/timeout occurs. Still, I know it can be scary to see an error message after a big transaction. So sorry again about that, and hopefully the work that Davout & co. are doing at the moment will improve the situation in the near future. Additionally, the site still shows the previous operator's e-mail address. So I posted an inquiry as to how to request support here:
At the moment I'm still mostly handling all the support requests until the server transfer is complete.
|
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1014
Strength in numbers
|
|
April 17, 2012, 06:25:02 AM |
|
At the moment I'm still mostly handling all the support requests until the server transfer is complete.
Thanks for helping them Jav and not just letting it die.
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
April 17, 2012, 07:45:45 AM |
|
I knew davout was lazy on bitcoin-central, but I assumed acquiring this meant he was active again. :-(
"lazy" ? That's probably an auto-correction typo, right You meant "busy" ! Yes we are all busy as hell trying to deliver as fast as we can. Server migration is not something you do in a snap when it comes to a service like instawallet, requiring security and performance. Thanks to davout for this extra effort and thanks to all of you guys for your patience.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
April 17, 2012, 12:31:33 PM |
|
I knew davout was lazy on bitcoin-central, but I assumed acquiring this meant he was active again. :-(
I resent this comment. You obviously don't have the slightest clue about the time it takes to : - review IW's codebase - review every single patch that is applied to bitcoind in order to provide for IW's functionality - properly install, configure, armor, firewall, monitor, optimize, replicate and document a brand new military-grade server - read, review and fully understand the extended documentation jav provided me While at the same time : - maintain and improve Paytunia, its Android and iOS apps, - maintain Bitcoin-Central.net, support its customers, most of them beginning with Bitcoin, for free, as always And lots of other stuff. For the record Instawallet is currently running on and AMD Athlon server with 1GB RAM, 100MB/s connection, and 2x160GB hard-drive. It will be running on a Xeon 8-core with 24GB RAM, 300GB SSD hard-drive and a 1GB connection, heavy optimizations, a host of security measures, and a rock-solid replication and failover scheme. A really quick glimpse on how seriously I'm taking this server issue : So let me just tell you that : - I'm working on it, fucking hard, - You'll be delighted with the result, - I won't take this kind of shit, whoever it comes from And I even forgot to mention all the heavy testing required before migrating a server that serves hundreds of users with minimal downtime... I really want to take good care of Instawallet because it deserves to be loved, so I will ask you kindly to please bear with us
|
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1014
Strength in numbers
|
|
April 17, 2012, 03:57:11 PM |
|
I knew davout was lazy on bitcoin-central, but I assumed acquiring this meant he was active again. :-(
"lazy" ? That's probably an auto-correction typo, right You meant "busy" ! Yes we are all busy as hell trying to deliver as fast as we can. Server migration is not something you do in a snap when it comes to a service like instawallet, requiring security and performance. Thanks to davout for this extra effort and thanks to all of you guys for your patience. Uh, all I know is that like a year ago I really tried to help get bitcoin-central going and support was unreachable and I had to stop recommending and using it. Sorry if he was in a body cast or something, but nothing was happening and withdrawals were unavailable for a suspiciously long time.
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
FreeMoney
Legendary
Offline
Activity: 1246
Merit: 1014
Strength in numbers
|
|
April 17, 2012, 04:17:45 PM |
|
I knew davout was lazy on bitcoin-central, but I assumed acquiring this meant he was active again. :-(
I resent this comment. You obviously don't have the slightest clue about the time it takes to : - review IW's codebase - review every single patch that is applied to bitcoind in order to provide for IW's functionality - properly install, configure, armor, firewall, monitor, optimize, replicate and document a brand new military-grade server - read, review and fully understand the extended documentation jav provided me While at the same time : - maintain and improve Paytunia, its Android and iOS apps, - maintain Bitcoin-Central.net, support its customers, most of them beginning with Bitcoin, for free, as always And lots of other stuff. For the record Instawallet is currently running on and AMD Athlon server with 1GB RAM, 100MB/s connection, and 2x160GB hard-drive. It will be running on a Xeon 8-core with 24GB RAM, 300GB SSD hard-drive and a 1GB connection, heavy optimizations, a host of security measures, and a rock-solid replication and failover scheme. A really quick glimpse on how seriously I'm taking this server issue : So let me just tell you that : - I'm working on it, fucking hard, - You'll be delighted with the result, - I won't take this kind of shit, whoever it comes from And I even forgot to mention all the heavy testing required before migrating a server that serves hundreds of users with minimal downtime... I really want to take good care of Instawallet because it deserves to be loved, so I will ask you kindly to please bear with us ok, I'm sorry. I may be misremembering my experience with bitcoin-central. I realize you're just now getting control of instawallet. Good luck.
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
April 18, 2012, 10:07:11 AM |
|
Uh, all I know is that like a year ago I really tried to help get bitcoin-central going and support was unreachable and I had to stop recommending and using it. Sorry if he was in a body cast or something, but nothing was happening and withdrawals were unavailable for a suspiciously long time.
Ok but a year ago is a long time ago: that's precisely about the time bitcoin-central was resolving all the issues entailed in a new service launch. No bitcoiner was harmed during this process. Things are settled now an and you can use it with confidence thanks to davout efforts.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
April 26, 2012, 02:00:41 PM |
|
Cross-posted from this threadApart from a couple things left to do the migration is now completed ! Left to do :- A very small number of accounts (less than 10) need some manual attention to reconcile operations that happened during the time span where bitcoind was listening but the database wasn't properly registering transactions. The accounts in question are identified, if you think your balance is not correct, and if it remains so after 48h have passed please contact me. The reason it might take up to 48h is that the old bitcoind must catch up with the chain after being shut down during the migration, it does so very slowly since it's packed with addresses and accounts. It must be up-to-date with the chain for transaction reconciliation to be accurate.
- The current SSL certificate is valid for https://instawallet.org, a new one will be installed that also validates https://www.instawallet.org
What has been done :- The backend has been rewritten from scratch to make it much more scalable and responsive. It relies much less on bitcoind, which was a performance bottleneck and delegates the accounting to an SQL database. bitcoind is now only used to notify the backend of incoming transactions, generate an address for each account, and send funds
- Generation transactions are now understood, that means that if you're mining at Eligius, your payouts will be available after 20 confirmations if you direct them to your Instawallet (generations usually take 120 confirmations to mature)
- Balance updates are instant (as previously) but rely on websockets instead of long-polling (if your browser doesn't support WS it will degrade gracefully to long-polling or regular polling)
- A comforting cash-register sound has been added, it plays when you receive funds (except on Safari for iOS)
- Instawallet will now tell you about the confirmed status of your funds, previously you'd get an error message when trying to send, but you had no way to know whether funds were confirmed or not
- The new API is fully backwards compatible with the original API, it will be deprecated at some point but for now it's good enough to me
- The new server is a Intel Xeon 8-cores with 24GB RAM, and a lightning-fast SSD hard-drive. (The previous server had a single-core CPU, 1GB RAM and a regular HDD)
- A paranoid firewall has been set-up, along with serious monitoring, and monitoring of the monitoring
- An iPhone app is available worldwide, for free, in the AppStore, it's called FriendlyPay, it's awesome and it lets you carry Instawallet in your pocket, an Android version is almost ready
If there's anything that should be fixed you may comment here, drop me a line by PM, send me an e-mail at david {at} bitcoin-central.net, or drop by at the office in Boulogne, right near Paris ! I really want to thank Jan Vornberger, Instawallet's previous owner for being very available and responsive during the whole migration process, having thought of such a cool concept, providing me with loads of hand-crafted documentation, and more generally being awesome. He is a gentleman. Thank you for your attention !
|
|
|
|
jav (OP)
|
|
April 26, 2012, 04:40:32 PM |
|
I really want to thank Jan Vornberger, Instawallet's previous owner for being very available and responsive during the whole migration process, having thought of such a cool concept, providing me with loads of hand-crafted documentation, and more generally being awesome. He is a gentleman.
Thanks David! It's great to see Instawallet in capable hands. I wish you guys much success in your endeavors! :-)
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
April 27, 2012, 03:06:27 AM |
|
Cool. the iPhone FriendlyPay app didn't come up when searching the App. Store An iPhone app is available worldwide, for free, in the AppStore, it's called FriendlyPay when it is available it needs to be put up in bright lights somewhere .... InstaWallet for iPhone big, imho. Post it in the comments to the latest Forbes story regarding iPhone bitcoin Apps for example ....
|
|
|
|
coinuser4000
Member
Offline
Activity: 128
Merit: 10
|
|
April 27, 2012, 03:16:48 AM |
|
[/quote]
For the record Instawallet is currently running on and AMD Athlon server with 1GB RAM, 100MB/s connection, and 2x160GB hard-drive.
[/quote]
Hahaha well no wonder it's always crashing.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
April 27, 2012, 09:07:25 AM |
|
Hahaha well no wonder it's always crashing.
Actually what was happening is that the requests would time out when the previous Instawallet was calling bitcoind. bitcoind is currently unable to handle requests concurrently due to the locking strategy it uses. So the only thing left to do was to delegate most of the handling to an SQL database, and only call the client when really needed. But of course, beefing the hardware up can't do much bad
|
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
May 05, 2012, 10:51:45 AM |
|
The FriendlyPay app is now available on the appStore for iOS device: it's a mobile version of instawallet, using instawallet.org as backend.
|
|
|
|
bitlotto
|
|
May 05, 2012, 11:35:31 AM |
|
Any chance you could add a feature where you can pay multiple addresses in one transaction? Just like the "Add recipient" feature in Bitcoin or blockchain.info.
|
*Next Draw Feb 1* BitLotto: monthly raffle (0.25 BTC per ticket) Completely transparent and impossible to manipulate who wins. TOR TOR2WEB Donations to: 1JQdiQsjhV2uJ4Y8HFtdqteJsZhv835a8J are appreciated.
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 06, 2012, 08:24:46 AM |
|
The FriendlyPay app is now available on the appStore for iOS device: it's a mobile version of instawallet, using instawallet.org as backend.
Tested this app. now. Good work, extremely simple like Instawallet itself, I like it, this has great potential.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
June 19, 2012, 09:07:13 AM |
|
Any chance you could add a feature where you can pay multiple addresses in one transaction? Just like the "Add recipient" feature in Bitcoin or blockchain.info.
I'm not sure about such a feature. What makes Instawallet's strength is that it is extremely simple and straightforward. I think it is better to focus on core functionality (and add push notifications for balance updates, improve the scanning part...), keep the app simple and extremely reliable.
|
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
June 19, 2012, 04:19:19 PM |
|
The FriendlyPay app is now available on the appStore for iOS device: it's a mobile version of instawallet, using instawallet.org as backend.
Tested this app. now. Good work, extremely simple like Instawallet itself, I like it, this has great potential. Thanks ! (that's a bump) Unfortunately Friendlypay was pulled from the appstore by Apple's anti-bitcoin patrol today..
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
July 16, 2012, 09:48:39 PM |
|
1BTC lost Hi, I sent 1BTC to a friend (receiving address 1PWd56wQ9jAbrpcBAWuuhz77kBrQErxPBP ) and as along the way to get things going she had to send me the url I now, days later wanted to move it on to another wallet and wanted her to do it. She opened a new wallet with the receiving address 15ZmtzJMQH3UwpztWMx45y4rH8bj6wRuUr and sent the 1BTC but it never arrived. Is there any issue about sending between instawallet accounts? This was not a very good advertisement so far
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
July 16, 2012, 10:18:34 PM |
|
1BTC lost Hi, I sent 1BTC to a friend (receiving address 1PWd56wQ9jAbrpcBAWuuhz77kBrQErxPBP ) and as along the way to get things going she had to send me the url I now, days later wanted to move it on to another wallet and wanted her to do it. She opened a new wallet with the receiving address 15ZmtzJMQH3UwpztWMx45y4rH8bj6wRuUr and sent the 1BTC but it never arrived. Is there any issue about sending between instawallet accounts? This was not a very good advertisement so far No, it should work just fine. Just e-mail the support with a bit details because it isn't very clear for me right now.
|
|
|
|
Alphonso Bedoya
Newbie
Offline
Activity: 45
Merit: 0
|
|
July 16, 2012, 10:36:08 PM |
|
A big bump for this site. It is clean, simple, and every newby I show it to gets it instantly. I have used it for over a year with NO problems. Thanks for the excellent work.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
July 16, 2012, 11:17:12 PM Last edit: July 18, 2012, 01:21:11 AM by giszmo |
|
1BTC lost Hi, I sent 1BTC to a friend (receiving address 1PWd56wQ9jAbrpcBAWuuhz77kBrQErxPBP ) and as along the way to get things going she had to send me the url I now, days later wanted to move it on to another wallet and wanted her to do it. She opened a new wallet with the receiving address 15ZmtzJMQH3UwpztWMx45y4rH8bj6wRuUr and sent the 1BTC but it never arrived. Is there any issue about sending between instawallet accounts? This was not a very good advertisement so far No, it should work just fine. Just e-mail the support with a bit details because it isn't very clear for me right now. Hm … had no clue what could have gone wrong but now I have a theory. Will ask her to check her browser history before bothering support again. Unfortunately she is pretty new to it … not bitcoin, computers Edit: We found it. Sorry for bothering. At first I couldn't understand what might have gone wrong.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
July 22, 2012, 08:22:04 AM Last edit: July 22, 2012, 11:47:15 PM by Stephen Gornick |
|
There are a couple reports of issues where the blockchain shows the transaction having confirmed, but the Instwallet balance wasn't credited. Here's one, which I'll quote here since the person reporting it is still stuck in the newbie forum: Blockchain confirms the transaction but there's no update in the Instawallet balance.
There is no announcement of any problem here though, nor on the site nor on the Twitter account @Instawallet
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
July 22, 2012, 11:36:46 PM |
|
There are a couple reports of issues where the blockchain shows the transaction having confirmed, but the Instwallet balance wasn't credited. Here's one, which Ill quote here since the person reporting it is still stuck in the newbie forum: Blockchain confirms the transaction but there's no update in the Instawallet balance.
There is no announcement of any problem here though, nor on the site nor on the Twitter account @Instawallet It's resolved now, balances have been corrected and instant update is operational again
|
|
|
|
mb300sd
Legendary
Offline
Activity: 1260
Merit: 1000
Drunk Posts
|
|
September 03, 2012, 05:38:58 AM |
|
I just sent BTC to an instawallet and the coins are not showing up!
Has something changed? I'm used to them showing up immediately and being spendable after 2 confirms.
Address is 12CcBCfRGPQQE5WQtSfBPRj5vBRCnNdoLC
|
1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
September 03, 2012, 10:27:47 AM |
|
I just sent BTC to an instawallet and the coins are not showing up!
Has something changed? I'm used to them showing up immediately and being spendable after 2 confirms.
Address is 12CcBCfRGPQQE5WQtSfBPRj5vBRCnNdoLC
Software glitch. Fixed now. You should see your coins
|
|
|
|
420
|
|
September 15, 2012, 07:59:23 AM |
|
couldn't someone just run a program to load all random urls until they find ones with coins in them and take the coins?
|
Donations: 1JVhKjUKSjBd7fPXQJsBs5P3Yphk38AqPr - TIPS the hacks, the hacks, secure your bits!
|
|
|
capsqrl
|
|
September 15, 2012, 09:09:00 AM |
|
couldn't someone just run a program to load all random urls until they find ones with coins in them and take the coins?
Yes, in the same way that someone could just try all the private/public keypairs and see which ones correspond to Bitcoin addresses with coins in them.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
September 15, 2012, 04:37:42 PM |
|
couldn't someone just run a program to load all random urls until they find ones with coins in them and take the coins?
Yes, in the same way that someone could just try all the private/public keypairs and see which ones correspond to Bitcoin addresses with coins in them. aka no (it would take longer than the universe will exist counting from when it started.)
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
420
|
|
September 15, 2012, 05:42:45 PM |
|
couldn't someone just run a program to load all random urls until they find ones with coins in them and take the coins?
Yes, in the same way that someone could just try all the private/public keypairs and see which ones correspond to Bitcoin addresses with coins in them. aka no (it would take longer than the universe will exist counting from when it started.) Supercomputers but generating just one address and checking for existence of bitcoins is multitudes easier than generating two addresses and checking but maybe the website has a way of shutting down or blocking something with so many requests or couldn't even handle so many requests
|
Donations: 1JVhKjUKSjBd7fPXQJsBs5P3Yphk38AqPr - TIPS the hacks, the hacks, secure your bits!
|
|
|
capsqrl
|
|
September 15, 2012, 07:11:56 PM |
|
Supercomputers
Yes, crypto doesn't work "because supercomputers".
|
|
|
|
420
|
|
September 16, 2012, 12:39:52 AM |
|
Supercomputers
Yes, crypto doesn't work "because supercomputers". why do you believe that?
|
Donations: 1JVhKjUKSjBd7fPXQJsBs5P3Yphk38AqPr - TIPS the hacks, the hacks, secure your bits!
|
|
|
wuala
Full Member
Offline
Activity: 163
Merit: 100
Luk, soy tu padreeee
|
|
October 01, 2012, 08:05:17 PM |
|
Instawallet is down... "We're sorry, but something went wrong." What happen with the wallets???
|
Leave the force be with you...
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
October 01, 2012, 08:20:37 PM |
|
Instawallet is down... "We're sorry, but something went wrong." What happen with the wallets??? It's solved now, sorry for the downtime.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
October 01, 2012, 08:39:26 PM |
|
Instawallet is down... "We're sorry, but something went wrong." What happen with the wallets??? It's solved now, sorry for the downtime. [CONFIRMED] instawallet got hacked!!!! AHHHH, get your lawyers lined up!!! lol thanx for the great service. I have far too many BTC in instawallet regarding my general skepticism towards hosted wallets but instawallet is the best so far. Do you know your up-time? I would guess it is >99.8%
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
420
|
|
October 01, 2012, 09:27:43 PM |
|
was it hacked or just a joke
|
Donations: 1JVhKjUKSjBd7fPXQJsBs5P3Yphk38AqPr - TIPS the hacks, the hacks, secure your bits!
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
October 01, 2012, 09:31:59 PM |
|
was it hacked or just a joke
not sure if serious
|
|
|
|
ImJello
Newbie
Offline
Activity: 15
Merit: 0
|
|
October 01, 2012, 10:38:49 PM |
|
I can't withdraw my funds but the tx has over 15 confirmations hopefully this is just a glitch and they haven't been hacked.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
October 01, 2012, 11:38:23 PM |
|
I can't withdraw my funds but the tx has over 15 confirmations hopefully this is just a glitch and they haven't been hacked. You should now be able to withdraw your coins. And no, nothing was hacked
|
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
October 06, 2012, 09:02:14 PM |
|
I love the new design of the home page. And the fact that it has NEVER been hacked. Stephan, Arsy and davout you are doing a great job with Instawallet.
|
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
October 07, 2012, 12:28:09 PM |
|
This "metal detector" is a joke as stated by the most up-voted comment. Instawallet invites users to create thousands of wallets for whatever meaningful use with their api and a real metal detector would rather look for man-made wallets like https://www.instawallet.org/w/forAndrea or similar dictionary matches.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
October 08, 2012, 07:27:43 AM |
|
Incidentally, how many different, unsuccessful wallet requests from the same IP before the banhammer comes down?
The banhammer is used only for maliciously crafted requests.
|
|
|
|
VEscudero
Donator
Sr. Member
Offline
Activity: 335
Merit: 250
Bitcoin, Ripple & Blockchain pioneer
|
|
November 19, 2012, 06:13:19 AM Last edit: November 19, 2012, 06:34:42 AM by vescudero |
|
Software glitch. Fixed now. You should see your coins Again it seems Instawallet is not working properly. When I tried to send bitcoins from instawallet to another bitcoin address I got the message: "We're sorry, but something went wrong." The original amount is deducted from the instawallet address but it's not sent to the destination address I have already written to Instawallet support, as I have had this problem twice this weekend. NOTE: Instawallet addresses were 1Bs2aH9a9Vu42bRFnQDyRKKqGx1By13DpU & 1E7grd8iRPeLjSBzXAA4peL4iHfCvv6gE6
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
November 19, 2012, 11:28:35 AM |
|
Software glitch. Fixed now. You should see your coins Again it seems Instawallet is not working properly. When I tried to send bitcoins from instawallet to another bitcoin address I got the message: "We're sorry, but something went wrong." The original amount is deducted from the instawallet address but it's not sent to the destination address I have already written to Instawallet support, as I have had this problem twice this weekend. NOTE: Instawallet addresses were 1Bs2aH9a9Vu42bRFnQDyRKKqGx1By13DpU & 1E7grd8iRPeLjSBzXAA4peL4iHfCvv6gE6 Fixed
|
|
|
|
AvL42
|
|
December 03, 2012, 05:54:23 PM |
|
I just withdrew 0.01BTC from my instawallet to someone else, and was surprised to see that you paid another 75% (0.0075 BTC) for miner fees! Now, I thought the minimum retrieval amount of 0.01 was exactly to avoid any miner fees at all, so I guess this might be a bug, which I hereby report. (To be clear: this "bug" is entirely irrelevant for my own money. It's instawallet's money that I think got spent too much to the miner, and I'm merely worrying on instawallet's behalf ;-) https://blockchain.info/tx/69e47b21d626827d30cfc76235755350767faa9c1831a56023274aae38de5d6a?show_adv=true
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 03, 2012, 08:36:41 PM |
|
Free transactions they said! Your case is a little extreme, we usually don't pay much fees because we can usually send aged coins even if you withdraw what you deposited 20 minutes earlier. But yea, the transaction sending code could use a little love, to bundle small transactions together for example.
|
|
|
|
MemoryDealers
VIP
Legendary
Offline
Activity: 1052
Merit: 1105
|
|
December 06, 2012, 06:13:40 AM Last edit: December 13, 2012, 12:40:45 PM by MemoryDealers |
|
Is instawallet under some kind of attack?
As I watch the site, the number of wallets is increasing faster than my eye can follow. (Thousands of new wallets per minute)
Also, my recent instawallet deposit was never credited to my wallet.
What is going on?
-------------------------Update-------------------------
Everyone at Instawallet is great and solved this problem very quickly.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 06, 2012, 08:09:52 AM |
|
I'm on it.
|
|
|
|
yossarian
|
|
December 13, 2012, 11:14:29 AM |
|
I just transfered some BTC from instawallet to my clients BTC address. After hitting send, the site gave me an error, something like "oops, something went wrong". The amount was deducted from my instawallet but never showed up on my address/the blockchain.
I'm getting a little nervous here, what's happening? I triple-checked the address before sending, so that shouldn't be the issue.
|
|
|
|
yossarian
|
|
December 13, 2012, 12:44:18 PM |
|
I just transfered some BTC from instawallet to my clients BTC address. After hitting send, the site gave me an error, something like "oops, something went wrong". The amount was deducted from my instawallet but never showed up on my address/the blockchain.
I'm getting a little nervous here, what's happening? I triple-checked the address before sending, so that shouldn't be the issue.
Issue resolved, thanks a lot!
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
December 13, 2012, 08:14:42 PM |
|
With Paymium (operator of Instawallet)' Bitcoin-Central exchange becoming partnered to a Payment Services Provider (PSP), how will this affect Instawallet?
Specifically, let's say I buy a piece of silver bullion and send bitcoins as payment from my Instawallet. And that seller happened to use Bitcoin-Central. Then they cashed out and withdrew the funds via the PSP/bank. But unbeknownst to me the bullion seller was in trouble with the authorities for something and the EU authorities are monitoring each transaction of the seller.
Would that mean the link to my Instawallet might also be shared, and possibly all of my Instawallet transactions be shared with the authorities?
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 13, 2012, 09:40:16 PM |
|
With Paymium (operator of Instawallet)' Bitcoin-Central exchange becoming partnered to a Payment Services Provider (PSP), how will this affect Instawallet?
In no way. Bitcoins are and remain unregulated. No reporting requirements are imposed upon Bitcoin-only services, and even if Instawallet is operated by Paymium it remains a Bitcoin-only service. We welcome Tor users on Instawallet. Specifically, let's say I buy a piece of silver bullion and send bitcoins as payment from my Instawallet. And that seller happened to use Bitcoin-Central. Then they cashed out and withdrew the funds via the PSP/bank. But unbeknownst to me the bullion seller was in trouble with the authorities for something and the EU authorities are monitoring each transaction of the seller.
What we would do is pull the data we have from the Bitcoin-Central logs. We'd see a Bitcoin transaction incoming. And that would be it. We keep the strict minimum logs for Instawallet so there's really not much to share. Would that mean the link to my Instawallet might also be shared, and possibly all of my Instawallet transactions be shared with the authorities?
If as a company we get a court order, we have to comply. However : - we can only give what we log, which is, again, not much for Instawallet, - it's quite dubious a court would issue an order to surrender Instawallet data "just to see if the transaction didn't originate from there" The beauty with Bitcoin is that you don't have to trust my word. Your financial privacy is in your very own hands, all the tools are yours to use.
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
December 14, 2012, 03:52:32 AM |
|
No reporting requirements are imposed upon Bitcoin-only services, and even if Instawallet is operated by Paymium it remains a Bitcoin-only service.
But without Instawallet being a separate legal entity I am assuming that if Paymium were to be ordered to turn over any and all records relating to Bitcoin-Central account #nnnnn and those records included a deposit from an Instawallet bitcoin address that those Instawallet records too would need to be turned over, in order to comply with the order.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 14, 2012, 08:21:18 AM |
|
No reporting requirements are imposed upon Bitcoin-only services, and even if Instawallet is operated by Paymium it remains a Bitcoin-only service.
But without Instawallet being a separate legal entity I am assuming that if Paymium were to be ordered to turn over any and all records relating to Bitcoin-Central account #nnnnn and those records included a deposit from an Instawallet bitcoin address that those Instawallet records too would need to be turned over, in order to comply with the order. My interpretation is different. BC really has no way to know whether a deposit came from Instawallet or not. Bitcoin-Central and instawallet are different services. They have no direct connection and communicate to each other only through the Bitcoin network itself.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
December 24, 2012, 01:43:23 PM |
|
Instawallet's Bitcoin daemon apparently just crashed. Sit tight while it's starting up again. For the record, the Instawallet bitcoin client takes approximately an hour to start up.
|
|
|
|
ErebusBat
|
|
January 09, 2013, 04:24:32 AM |
|
Instawallet's Bitcoin daemon apparently just crashed. Sit tight while it's starting up again. For the record, the Instawallet bitcoin client takes approximately an hour to start up.
Why so long?
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
January 09, 2013, 09:53:19 AM |
|
Why so long?
Because the wallet is massive
|
|
|
|
Gavin Andresen
Legendary
Offline
Activity: 1652
Merit: 2216
Chief Scientist
|
|
January 21, 2013, 10:18:36 PM |
|
Why so long?
Because the wallet is massive ... and because bitcoind's wallet code hasn't been optimized for massive wallets. "patches welcome" (although I think the wallet code needs a complete rewrite, we've learned a lot over the last couple of years and need wallets that are much easier to back up and keep secure).
|
How often do you get the chance to work on a potentially world-changing project?
|
|
|
AvL42
|
|
February 22, 2013, 03:43:58 PM |
|
Recently, I saw a couple of instances (in chat rooms), where people published private URLs of instawallets, sometimes with some dust (less than 0.01 BTC) in it, sometimes empty. I think that newbies could be tricked by referrers to believe that the wallet they arrive at might be theirs, and start depositing money.
I'd like to see Instawallet make it perfectly clear to a user, whether a wallet displayed has just been created anew, or is being "re-visited".
In the former case the wallet should contain all the advisories about about saving it to a bookmark for lack of recovery-procedures (and of course about not sharing the wallet's URL).
If the user goes straight to an existing wallet, then it would be good to "welcome back" him, with an extra note, that if he hasn't previously created that one wallet himself, that it would then probably be unsafe to deposit funds there.
Please let me know, if my concern makes sense to you, or if I might need to clarify it a bit better.
|
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
February 22, 2013, 07:40:04 PM |
|
Please let me know, if my concern makes sense to you, or if I might need to clarify it a bit better. You are correct that the only secure way to use Instawallet is to use only an InstaWallet (URL) that was assigned to you by the site (which occurs EVERY time you access the URL without specifying any path, i.e,., https://instawallet.org ). If someone passes you some funds with another InstaWallet (URL), you can send the funds to the Bitcoin address to your own InstaWallet but you should never add new funds to that InstaWallet -- it should be treated as having been compromised. If the user goes straight to an existing wallet, then it would be good to "welcome back" The site does give the message: "Only share your bitcoin address, NOT the wallet URL or key, with the public." So if a person gets the wallet URL from elsewhere hopefully that person can realize that a problem exists.
|
|
|
|
AvL42
|
|
February 22, 2013, 08:03:53 PM |
|
Please let me know, if my concern makes sense to you, or if I might need to clarify it a bit better. You are correct that the only secure way to use Instawallet is to use only an InstaWallet (URL) that was assigned to you by the site (which occurs EVERY time you access the URL without specifying any path, i.e,., https://instawallet.org ). If someone passes you some funds with another InstaWallet (URL), you can send the funds to the Bitcoin address to your own InstaWallet but you should never add new funds to that InstaWallet -- it should be treated as having been compromised. If the user goes straight to an existing wallet, then it would be good to "welcome back" The site does give the message: "Only share your bitcoin address, NOT the wallet URL or key, with the public." So if a person gets the wallet URL from elsewhere hopefully that person can realize that a problem exists. The problem is, that bad guys in chat-rooms redirect newbies to "compromised" instawallets, labelling the links merely "Instawallet", thus tricking newbies into believing it was a new one. Since they typically use short-url services, it often really isn't obvious to the user where the link actually went to. Open your own wallet in one tab, and create a new wallet in a second tab: except for the identifiers, (and the balance) there's nothing that would tell one, if it is a newly created or a used wallet. So, to protect newbies from accidentally "adopting" a compromised wallet, the wallet-page itself should use specific wording like "welcome to your new wallet" versus "welcome back to your w." in big letters on top and explain, that if the "welcome back" sounds unexpected, then it definitely *is*. Also, there must definitely be no way to re-trigger the "new"-tag through crafted URLs, either. I hope the problem became clear, this time.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
February 23, 2013, 10:39:32 AM |
|
Oh this really looks like a big problem. I could advertise instawallet.org and claim there was some sort of referral program. You get 0.01Ƀ if you use my referral link: <a href=instawallet.org/w/myAddressBook43>instawallet.org/referrer/Giszmo</a>. The problem is the attacker could even use some new addresses here but generate them himself and send the "referrer reward" only seconds later. I think instawallet.org should definitely distinguish between deep link and generated url. I really feel sad for all the noobs that were and will get scammed This attack works with all the users that take help to get started no matter what wallet but with instawallet it is easier. I sold many people bitcoins that had no clue about bitcoin and could have easily installed them my wallet for their use without them noticing that now I will have access. I think the minimum instawallet should do is to show a creation time stamp of that wallet with some advice that if the user feels like he might have started using it later, he better should move on to a new wallet. Moving on to new wallets is actually a good advice to just about every user.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
February 23, 2013, 07:36:07 PM |
|
This is a simply problem that should have a simple fix. The URL https://instawallet.org should be set up as a landing page, populate with simple content and one button. Upon clicking the button, the familiar page, or similar, we now see would then appear showcasing the new wallet with 0 bitcoins, whereupon the newly generated URL will be the address of the user's new online wallet. Currently, as it is set up now, there is no instawallet.org page one can visit. This simple change would take very little effort. Problem solved! ~Bruno K~
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
February 23, 2013, 08:08:10 PM |
|
This is a simply problem that should have a simple fix. The URL https://instawallet.org should be set up as a landing page, populate with simple content and one button. Upon clicking the button, the familiar page, or similar, we now see would then appear showcasing the new wallet with 0 bitcoins, whereupon the newly generated URL will be the address of the user's new online wallet. Currently, as it is set up now, there is no instawallet.org page one can visit. This simple change would take very little effort. Problem solved! ~Bruno K~ The problem is not the experienced user but the noob. You could still trick a noob into believing that <a href=instawallet.org/w/myAddressBook43>instawallet.org/referrer/Giszmo</a> is a referral link.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
February 24, 2013, 05:04:59 PM |
|
This is a simply problem that should have a simple fix. The URL https://instawallet.org should be set up as a landing page, populate with simple content and one button. Upon clicking the button, the familiar page, or similar, we now see would then appear showcasing the new wallet with 0 bitcoins, whereupon the newly generated URL will be the address of the user's new online wallet. Currently, as it is set up now, there is no instawallet.org page one can visit. This simple change would take very little effort. Problem solved! ~Bruno K~ The problem is not the experienced user but the noob. You could still trick a noob into believing that <a href=instawallet.org/w/myAddressBook43>instawallet.org/referrer/Giszmo</a> is a referral link. Valid point! Then on the landing page I mentioned above, a popup warning box appears that has to be manually ticked (If you don't want to see this box again from this IP, click this box and exit). In fact, besides just the landing page, ANY page generated for the first time visitor via a unique IP. I'm sure the above should eliminate a high percentage of the scams. Hell, there are people still being spoofed by fake PayPal sites, and I'm sure they're throwing everything in their arsenal to combat the problem.
|
|
|
|
VEscudero
Donator
Sr. Member
Offline
Activity: 335
Merit: 250
Bitcoin, Ripple & Blockchain pioneer
|
|
March 09, 2013, 06:16:32 PM |
|
Another software glitch?
It seems instawallet bitcoin daemon has died, all in & out transactions are not reflected in instawallet addresses.
|
|
|
|
HighInBC
Member
Offline
Activity: 85
Merit: 10
|
|
March 09, 2013, 06:44:40 PM |
|
I have the same problem, I sent money to an instawallet and even though the transaction is confirmed there is nothing showing up in instawallet.
Really annoying.
|
|
|
|
HighInBC
Member
Offline
Activity: 85
Merit: 10
|
|
March 09, 2013, 09:45:56 PM |
|
I am amazed that more people are not reporting this, I wonder if it is isolated.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 09, 2013, 10:41:14 PM |
|
I'll keep it short : - It's not isolated, other users are affected - I'm working on it - No funds were lost, it's not a hack, - It'll probably take another hour before affected users can access their funds
|
|
|
|
ksteve96
Full Member
Offline
Activity: 624
Merit: 125
alcedoplatform.com
|
|
March 09, 2013, 11:47:34 PM |
|
Everyone stop panicking, it's back
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 10, 2013, 01:11:41 AM |
|
It should now be fully fixed.
What happened is that for a few hours the backend was talking to the wrong bitcoind.
That's purely my fault, I messed up a configuration setting during the course of a routine maintenance.
Wallets created against this Bitcoin client will have to be discarded as their private key is unknown to the main Bitcoin client. Therefore it won't notify incoming transactions properly, affected wallets will fail to see their balance properly updated.
At this point their balance should be correct though, I fixed it so affected users can move their funds to another instawallet or to any arbitrary address.
If funds are still accidentally sent to an affected wallet they will have to be accounted for manually.
I apologize for the inconvenience to all affected users.
|
|
|
|
HighInBC
Member
Offline
Activity: 85
Merit: 10
|
|
March 10, 2013, 01:48:24 AM |
|
You rock! I got the money back now.
|
|
|
|
ianspain
Donator
Full Member
Offline
Activity: 164
Merit: 100
|
|
March 10, 2013, 10:24:25 AM |
|
It should now be fully fixed.
What happened is that for a few hours the backend was talking to the wrong bitcoind.
That's purely my fault, I messed up a configuration setting during the course of a routine maintenance.
Wallets created against this Bitcoin client will have to be discarded as their private key is unknown to the main Bitcoin client. Therefore it won't notify incoming transactions properly, affected wallets will fail to see their balance properly updated.
At this point their balance should be correct though, I fixed it so affected users can move their funds to another instawallet or to any arbitrary address.
If funds are still accidentally sent to an affected wallet they will have to be accounted for manually.
I apologize for the inconvenience to all affected users.
sent PM
|
BlockChain Capital
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
March 10, 2013, 03:26:23 PM |
|
If funds are still accidentally sent to an affected wallet they will have to be accounted for manually.
can't you just move the priv keys to the other wallet? should be about 1020 minutes of work.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 10, 2013, 08:19:12 PM |
|
If funds are still accidentally sent to an affected wallet they will have to be accounted for manually.
can't you just move the priv keys to the other wallet? should be about 1020 minutes of work. Rescanning the chain against a very large wallet takes a very long time, a long time you have to multiply by the number of keys to import. Quite a long time during which Instawallet has to be put into maintenance mode.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
March 10, 2013, 11:25:55 PM |
|
If funds are still accidentally sent to an affected wallet they will have to be accounted for manually.
can't you just move the priv keys to the other wallet? should be about 1020 minutes of work. Rescanning the chain against a very large wallet takes a very long time, a long time you have to multiply by the number of keys to import. Quite a long time during which Instawallet has to be put into maintenance mode. Well, yeah, then thank you that (coincident?) even I already got a customer who claimed I didn't pay him and I could bet I actually did pay him to one of your broken wallets. Wanna take the bet? I will tell you the receiving address and trust you to not lie about it being one of your funny wallets or not. Maybe you should start running two wallets anyway? Yes, it's nasty to have to pay transaction fees for instawallet to instawallet transactions but it's also nasty to have broken wallets, sorry. At least I hope you have a BIG warning in the broken instawallets.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 11, 2013, 09:25:20 AM |
|
Well, yeah, then thank you that (coincident?) even I already got a customer who claimed I didn't pay him and I could bet I actually did pay him to one of your broken wallets. Wanna take the bet? I will tell you the receiving address and trust you to not lie about it being one of your funny wallets or not.
The few affected wallets display a big red warning, but if you don't have access to this wallet and only the URL sure, send the address and I'll tell you if it's one of them. Maybe you should start running two wallets anyway? Yes, it's nasty to have to pay transaction fees for instawallet to instawallet transactions but it's also nasty to have broken wallets, sorry.
Well, actually the best solution would be to have one single wallet with tools to efficiently clean it from time to time. At least I hope you have a BIG warning in the broken instawallets.
Yep, and it's red too.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
March 11, 2013, 04:47:16 PM |
|
Well, yeah, then thank you that (coincident?) even I already got a customer who claimed I didn't pay him and I could bet I actually did pay him to one of your broken wallets. Wanna take the bet? I will tell you the receiving address and trust you to not lie about it being one of your funny wallets or not.
The few affected wallets display a big red warning, but if you don't have access to this wallet and only the URL sure, send the address and I'll tell you if it's one of them. Thanx for looking it up. So it wasn't instawallet. Sorry for the false accusations 3,418,941 wallets Wow! Impressive Ever considered making this a life-counter or a fake-life counter? When loading an instawallet, the 24h average creation rate of wallets could be used to fake the counter with some randomness to give the user more a feel for how much 3.4 million actually is in that short amount of time.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
HighInBC
Member
Offline
Activity: 85
Merit: 10
|
|
March 12, 2013, 08:01:54 AM |
|
Is there another issue related to the fork? I sent some coins into instawallet and they are not showing up.
|
|
|
|
HighInBC
Member
Offline
Activity: 85
Merit: 10
|
|
March 13, 2013, 04:00:29 PM |
|
Is there another issue related to the fork? I sent some coins into instawallet and they are not showing up.
They seemed to have fixed it, got my coins back.
|
|
|
|
Mjbmonetarymetals
Legendary
Offline
Activity: 1096
Merit: 1067
|
|
March 14, 2013, 08:09:28 PM |
|
Any plans for a Litecoin version of instawallet ?
|
Bitrated user: Mick.
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 15, 2013, 11:43:00 AM |
|
Any plans for a Litecoin version of instawallet ?
Why not, I don't know much about litecoin at all though. Way too busy with Bitcoin Is it getting very popular ?
|
|
|
|
JonSnow
Member
Offline
Activity: 112
Merit: 10
|
|
March 16, 2013, 06:08:56 AM |
|
Sent 40 btc from my instawallet this evening in 2 transactions and neither transaction has shown up on blockchain ...
|
|
|
|
yodog
Member
Offline
Activity: 99
Merit: 10
|
|
March 16, 2013, 10:33:33 AM |
|
I sent 52.39 btc from one instawallet to another one and the coins did not show up. From the block chain the new instawallet address isn't showing up(unused) and the 52.39 btc are showing up as unspent http://blockchain.info/unspent?active=17iQhdkNpoxYcNNcXodPjTWUqSuTC8XaF4&format=htmlI'm assuming that there is an issue in your backend and the coins will be returned ?? or what is the plan to remedy this situation? as 52.39 btc is over 2600$!!
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 16, 2013, 12:01:23 PM |
|
I sent 52.39 btc from one instawallet to another one and the coins did not show up. From the block chain the new instawallet address isn't showing up(unused) and the 52.39 btc are showing up as unspent http://blockchain.info/unspent?active=17iQhdkNpoxYcNNcXodPjTWUqSuTC8XaF4&format=htmlI'm assuming that there is an issue in your backend and the coins will be returned ?? or what is the plan to remedy this situation? as 52.39 btc is over 2600$!! Hey, why don't you open an additionnal 10 threads complaining about this issue ? Don't forget to send 5 PMs and 3 e-mails to the support. Oh wait, you can also tweet and facebook it. Hey, and maybe you want my personal phone number to text me every five minutes about your 50 BTC ? And you know, my personal address to stand in front of my door, knock every 30 seconds and wonder if I'm taking care of your issue. Protip : If you have an issue with Instawallet send an e-mail to the support, and look at a calendar, if the current date is a saturday or a sunday, chances are I am currently not working, so kick back, read a book, get some flowers for your wife, do something interesting, go have a walk, get some good time. You will be taken care of. Nagging about your issue using every possible channel is just incredibly rude and useless. I work almost every day to take care of stuff and help where help is needed, Instawallet is a free service, so I'd appreciate not being constantly harassed by people who think waiting twelve hours is too much and that they're the only ones to need attention. If you don't like this please go store your coins elsewhere. Thank you very much for your understanding and consideration.
|
|
|
|
JonSnow
Member
Offline
Activity: 112
Merit: 10
|
|
March 16, 2013, 07:52:30 PM |
|
davout, I understand what you're saying, but surely you can also understand why people get scared when they send their money and it never shows up.
I appreciate what you do, and the service you offer - I've been using it for a long, long time and this is the first and only problem I've ever had, but not sure that it deserved this kind of response. Just reaching out for help. I don't mind waiting 12 hours, if that's what it takes, but when they initially don't come through it is worrisome so of course people are going to reach out for support through whatever channels are available.
I hope that you have a good weekend. Thank you for the service you offer - I'll wait patiently for my 40 coins from yesterday. I think for most people who are having problems, they don't mind waiting as long as the issue is acknowledged. (which your post did, so thank you.)
|
|
|
|
JonSnow
Member
Offline
Activity: 112
Merit: 10
|
|
March 16, 2013, 09:26:25 PM |
|
Updating to say the coins just came in. Thanks, davout.
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 16, 2013, 09:38:20 PM |
|
Sorry for the earlier rant, that was uncalled for. I could have expressed the same thing without being so aggressive.
My apologies.
Lesson : never post when you did not have your first cup of coffee.
Have a nice day all, and don't hesitate to notify me of any issue.
|
|
|
|
VEscudero
Donator
Sr. Member
Offline
Activity: 335
Merit: 250
Bitcoin, Ripple & Blockchain pioneer
|
|
March 18, 2013, 01:36:51 PM Last edit: March 18, 2013, 02:32:34 PM by vescudero |
|
Another problem has been notified. I'm currently waiting for davout's reply, so I will update this thread as soon as this problem is solved.
EDIT: At 14:30h, that is one hour later, the problem was solved. Thanks
|
|
|
|
AvL42
|
|
March 19, 2013, 08:53:08 PM |
|
A while ago, I raised some topic about making it clearly evident on the wallet-page whether it is a new one, or one created previously.
I understand that there were more urgent problems meanwhile. Since those appear to be resolved now, I'd kindly ask to review that suggestion, again.
The Problem: Newbies click on links that lead them to an "insta"-wallet, but depending on what link they actually followed, the wallet might be "not a fresh" one. Instead it might be a wallet created by a scammer, and once the unsuspecting newbie deposits 0.01 or more, the scammer would withdraw it, leaving behind a newbie thinking that instawallet itself may have ripped them.
The Proposal: Use specific wording such as "welcome BACK to your wallet", that is likely to alert even Newbies that they didn't actually get a new wallet. Also, add a footnote, that if the "back" isn't what they expected (i.e., they don't remember havign created a wallet and saved the link before), that they should rather create a new one (with a link to instawallet homepage).
|
|
|
|
|
AvL42
|
|
March 20, 2013, 10:25:59 AM |
|
I did a test, before posting, but in hindsight it obviously wasn't an adequate one ;-)
I had opened my own wallet from a bookmark, because I thought the criterion would/should be "first open" versus "re-open", but obviously you're using some other heuristic.
Anyway, thanks for implementing it!
|
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 20, 2013, 10:50:07 AM |
|
I did a test, before posting, but in hindsight it obviously wasn't an adequate one ;-)
I had opened my own wallet from a bookmark, because I thought the criterion would/should be "first open" versus "re-open", but obviously you're using some other heuristic.
Anyway, thanks for implementing it!
No worries, thanks a lot for suggesting this useful feature ! The trigger for displaying the message is "have you been redirected to a wallet (existing or not) directly from a referrer other than Instawallet itself". For example the warning will trigger even if you're redirected to a wallet that didn't exist before, but with a key already embedded in the URL. With the increase in price it becomes more and more important to provide additional security features since people seem to ignore the fact that Instawallet shouldn't be used to store large amounts of coins.
|
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
March 21, 2013, 08:03:55 AM |
|
I used to use InstaWallet a couple of years ago. I have the secret URL and the corresponding bitcoin address saved.
I just visited the secret URL, but the bitcoin address it shows is different than the one it used to show.
Is this normal? The address it shows now has never been used in any transactions, whereas I used my Instawallet quite a lot.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
davout
Legendary
Offline
Activity: 1372
Merit: 1007
1davout
|
|
March 21, 2013, 08:11:51 AM |
|
I used to use InstaWallet a couple of years ago. I have the secret URL and the corresponding bitcoin address saved.
I just visited the secret URL, but the bitcoin address it shows is different than the one it used to show.
Is this normal? The address it shows now has never been used in any transactions, whereas I used my Instawallet quite a lot.
That's because when the last maintenance occurred your wallet had a zero balance. If you haven't sent funds to the old address all is fine, use the new address and the old one. If you did send funds I'll have to fix your balance manually. We archived a lot of addresses to alleviate the load on our bitcoind, the site was becoming extremely slow, the addresses are just archived though, no funds are lost. And no, we can't simply re-import the private key, it would block the client for the time of a whole chain rescan. :-) So send an e-mail to the support if something needs to be done on our side. Cheers!
|
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1330
|
|
March 21, 2013, 08:35:22 PM |
|
That's because when the last maintenance occurred your wallet had a zero balance.
We archived a lot of addresses to alleviate the load on our bitcoind, the site was becoming extremely slow, the addresses are just archived though, no funds are lost.
I was only revisiting the old wallet to see if I had left anything in it. I was pretty sure I hadn't, but was just checking. Thanks for the reply.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
ianspain
Donator
Full Member
Offline
Activity: 164
Merit: 100
|
|
March 23, 2013, 07:53:24 PM |
|
Hi, another transaction from Instawallet hasn't come through this time 50 btc, has the bitcoin daemon fallen again???
thanks
|
BlockChain Capital
|
|
|
jayleno
Newbie
Offline
Activity: 16
Merit: 0
|
|
April 04, 2013, 12:45:20 AM |
|
Instawallet is just a bunch of crooks. Not a second after the currency goes through the roof do they pull a Cyprus on all the users. If you have over 50 btc your refund will be accessed. That's bull... you better have used fake information because if your real name ever got out.. Wow.
|
|
|
|
bitclown
|
|
April 04, 2013, 12:59:44 PM |
|
I know things have changed over the past few years, but I'd expect some people to be more critical of what was a disaster just waiting to happen. That's really, really great!
Fantastic idea!
Amazing idea! Love it.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
April 04, 2013, 02:57:50 PM |
|
Hmmm ... this sux. It was inevitable you would get hacked some day. At least there is a good chance most users with small holdings get back their money without pain.
Let's hope the best. And next time at least allow users to provide an optional email address.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
April 04, 2013, 05:56:32 PM |
|
Hmmm ... this sux. It was inevitable you would get hacked some day. At least there is a good chance most users with small holdings get back their money without pain.
Let's hope the best. And next time at least allow users to provide an optional email address.
@davout: The more I think about the situation the more I'm worried the "hackers" will get away with a high share of all the money trusted to your service. If you assume the first to claim a stash to be the legit owner, they will make sure as hell that they will be the first for 3.5 million addresses. They will buy fake email addresses in time. They will get people involved to do a more personal claim for the bigger stashes etc. On the other hand there's people like me that gave away many small sums to friends who never looked too much into it trusting me I took a good decision. For some I still have the instawallet link but for others I might even have forgotten I gave them some. Most of the people I gave bitcoins to, just watched the price from time to time (=once a year) and will not go to instawallet within 90 days. Please think carefully how to deal with this situation as I'm afraid this can go terribly wrong. What is the total sum owned by instawallet? When will the reclaim process start? I got a wrong certificate yesterday and a 404 now.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
mrbitbank
Newbie
Offline
Activity: 48
Merit: 0
|
|
April 06, 2013, 08:35:50 AM |
|
This 90 day limit on claims is bullcrap!!!! The statute of limitations on debtors in most EU countries is at least 6 years. Therefore imposing a 90 limitation on claims is totally illegal. However this is a very mute point because not one ounce of truth has come out of all this shambles as shown in the notices as to the time frame when the site is to be back up.
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
April 06, 2013, 04:12:57 PM |
|
Ok as you don't tell how the claims process is meant to work, I hereby claim access to the funds of https://www.instawallet.org/w/poliglotabitcoindemoIt should contain 0.1BTC. Send them to 1PcEoaaGbCxVZR2SAvJs2zP3CJmSmKhm9z please. I feel very tempted to post all of my such addresses to front run the hacker as he will have all the time in the world to hit reload on your site and take the measures to falsely claim my coins comparing the coins at stake for him to those at stake for me and others with your assumption of the first claimer being more legit than those coming later. I hope you have a good plan to put up a trap for the hacker the way you design this. Edit: Actually if you are afraid some hacker has a list of all accounts, the only way to proof that I'm the rightful owner would be to proof prior communication of the respective addresses or proof ownership of the addresses that were used to charge the addresses or something. What will happen if the list leaks? Perfect disaster.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
AvL42
|
|
April 06, 2013, 04:40:55 PM |
|
I'm still not sure, if all the instawallet addresses found on google only showed up there, because their owners used a google-spybot browser (or google-spybot-extensions), or if there are other scenarios where such URLs get published, even if my PC is/was really clean and used only by myself.
I still use URL-authentication e.g. on peerbet (with less than 1mBTC kept there) although they also offer registering username and password.
|
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
April 06, 2013, 04:44:38 PM |
|
This 90 day limit on claims is bullcrap!!!! The statute of limitations on debtors in most EU countries is at least 6 years. Therefore imposing a 90 limitation on claims is totally illegal. However this is a very mute point because not one ounce of truth has come out of all this shambles as shown in the notices as to the time frame when the site is to be back up.
You must be new here. Before ranting like that, it does not hurt to read : where did you read in any of the notice that the claim period is limited to 90 days ?? The notice says that we will not pay anyone before a 90 day period has elapsed which has nothing to do with any statute of limitations.. It has everything to do with allowing us to process the claims properly and to avoid paying the hacker.
|
|
|
|
AndreyE
Member
Offline
Activity: 86
Merit: 10
|
|
April 10, 2013, 02:41:56 PM |
|
There is no claim process on the go. I see no forms etc
|
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
|
|
April 10, 2013, 03:17:29 PM |
|
Yep it is worrying to see no progress withe those millions of dollars involved.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
|