marcus_of_augustus
Legendary
 Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
 |
May 02, 2011, 04:11:18 AM |
|
How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
|
|
|
|
|
|
|
|
|
|
|
|
|
The trust scores you see are subjective; they will change depending on who you have in your trust list. |
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 02, 2011, 04:31:12 AM
Last edit: May 02, 2011, 04:45:42 AM by moa |
|
Hmmm, thanks for thinking this through 's'.
I haven't open/close browser tab or window or done anything that would have changed the cookies. All I did was send, and thus empty the initially assigned wallet address.
I back-paged to the one containing the initial wallet address and it has the same assigned token in the http:// field as the new one.
Edit: further test, i deleted the cookie folder associated with instawallet and then launched another tab with the provided http link with personal token and it brings me back to correct (new) wallet address. Something else changed the wallet address after I performed the send from function, what was it?
|
|
|
|
|
asdf
|
|
May 02, 2011, 07:40:58 AM |
|
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
It's still yours. From Jav's comments, it was created with a cryptographically secure PRNG, so nobody else ought to be able to guess it. As far as the site is concerned, presumably you've just got two wallets now and can use whichever you'd like, assuming you record the two "addresses." I think he means a new bitcoin address, but the same instawallet address. So, is that old bitcoin address still tied to his account? From the information you've given (you use the bitcoin accounts feature) I would infer: yes. Cool concept. |
|
|
|
|
|
jav (OP)
|
|
May 02, 2011, 08:10:59 AM |
|
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
The recognition system works with cookies. Cookies are stored locally by your browser, so as long as your are using the same browser to come back to the website, it doesn't matter whether you use Tor or not. I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
I'm sorry, but I would probably not want to that, no. Remember, Bitcoin transactions are public. Somebody else might - maybe with some additional clues - figure out that some Bitcoin address belongs to Instawallet and can just look up the balance on blockexplorer.com. I guess it would be ok if you would tell me the correct balance plus the last couple of characters from your secret link. Just write that down somewhere, to be safe. well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Please give this at least 24h to sort itself out. If you quickly send coins back in forth, then these transactions look very "spammy" to the Bitcoin network and can potentially take a long time to be confirmed. How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work. It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL. |
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2348
Eadem mutata resurgo
|
|
May 02, 2011, 08:42:42 AM |
|
jav: Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work.
It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL.
Okay that makes sense. So even though I can no longer see that address it may still be receiving for my Instawallet. Maybe just list on the Instawallet page (on a pull-down button?) every bitcoin address that can receive to that Instawallet account? Nice work btw. |
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 01:42:08 PM |
|
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
The recognition system works with cookies. Cookies are stored locally by your browser, so as long as your are using the same browser to come back to the website, it doesn't matter whether you use Tor or not. I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
I'm sorry, but I would probably not want to that, no. Remember, Bitcoin transactions are public. Somebody else might - maybe with some additional clues - figure out that some Bitcoin address belongs to Instawallet and can just look up the balance on blockexplorer.com. I guess it would be ok if you would tell me the correct balance plus the last couple of characters from your secret link. Just write that down somewhere, to be safe. well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Please give this at least 24h to sort itself out. If you quickly send coins back in forth, then these transactions look very "spammy" to the Bitcoin network and can potentially take a long time to be confirmed. How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work. It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL. JAV, how long do i have to wait? i had my client connected all afternoon yesterday w/o any effect. |
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 02:11:47 PM |
|
Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.
The recognition system works with cookies. Cookies are stored locally by your browser, so as long as your are using the same browser to come back to the website, it doesn't matter whether you use Tor or not. I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?
I'm sorry, but I would probably not want to that, no. Remember, Bitcoin transactions are public. Somebody else might - maybe with some additional clues - figure out that some Bitcoin address belongs to Instawallet and can just look up the balance on blockexplorer.com. I guess it would be ok if you would tell me the correct balance plus the last couple of characters from your secret link. Just write that down somewhere, to be safe. well, i'm having problems with it. easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out. instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Please give this at least 24h to sort itself out. If you quickly send coins back in forth, then these transactions look very "spammy" to the Bitcoin network and can potentially take a long time to be confirmed. How does the address allocation work for this?
I sent 0.02 btc to the generated address at instawallet, works okay.
Then I sent those 0.02 btc back to another bitcoin client. When I return to instawallet page a new receiving address has been generated, why does it do that?
What happens if I now receive a payment at the old address that I was allocated first, who has control of that?
Every Bitcoin address you ever saw on your Instawallet page will always be yours and you can still receive payments there. asdf explained it right: You have one specific Instawallet URL, which is tied to an account in the Bitcoin wallet. The Bitcoin daemon automatically assigns a fresh Bitcoin address to an account once it receives or sends out a transaction. The old ones continue to be associated with that account though, so they will still work. It's kind of an un-intended side effect of using the account feature right now. I can understand how it can be confusing that the addresses change from time to time and I will probably soon put code in that will just keep the address static. But for now: Don't worry about changing Bitcoin addresses, they are still all tied to your Instawallet URL. JAV, how long do i have to wait? i had my client connected all afternoon yesterday w/o any effect. my client show the 2 receives of .01 btc greyed out; what does that mean? |
|
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
May 02, 2011, 06:14:51 PM |
|
never mind JAV; those two .01 btc confirmed  |
|
|
|
|
|
pc
|
|
May 03, 2011, 12:27:06 PM |
|
I don't know if this might just give people a false sense of security, but you might want a robots.txt excluding your wallet URLs. Google has several wallets indexed now, although there were no bitcoins in any of the ones I saw. I think the main concern might be a user hearing about Instawallet, Googling for it, and then clicking through to a specific wallet URL without realizing it, and then anyone else could get to it the same way. Maybe a warning based on referrer would be good enough, though. If you leave wallets indexable, it gives users a quick way to see if their secret URL has gotten out anywhere, I suppose. |
|
|
|
|
deadlizard
Member
Offline
Activity: 112
Merit: 11
|
|
May 03, 2011, 01:46:43 PM |
|
google-analytics? ....... afaik that gives google access to every page that it runs on  |
|
|
|
|
jav (OP)
|
|
May 03, 2011, 03:04:59 PM |
|
I don't know if this might just give people a false sense of security, but you might want a robots.txt excluding your wallet URLs. Google has several wallets indexed now, although there were no bitcoins in any of the ones I saw. Aw, nice... yeah, whenever their robot comes back it gets a fresh wallet. =) Thx for pointing that out, I will set up a robots.txt. The problem with people clicking through to a specific Instawallet is a valid concern (I had one person using the /w/free_bitcoins link posted by Insti in this thread, transfer 0.01 BTC there and then wondered when it disappeared) and there is no point in spamming the search index anyway. google-analytics? ....... afaik that gives google access to every page that it runs on Yes, that's correct. And while I consider my Analytics data to be pretty secure, it's an unnecessary risk, I agree. I will move to a local-only log analysis tool soon and then delete the Google Analytics data set. |
|
|
|
|
Ian Maxwell
|
|
May 10, 2011, 04:34:48 PM |
|
@jav: How much access do you have to money in an instawallet? It wouldn't surprise me if it's possible to arrange things so you have no access at all. One way would be to randomly generate the URL for each new wallet, but derive keypairs deterministically from that URL, and not keep a record of the URL on your end. (Of course you'd have web server logs, but you could purge them of sensitive data on a regular basis.)
On the legal end, this may protect you from things like bank regulations that might eventually be applied to Bitcoin, since you wouldn't actually be holding anything yourself---just hosting a web application.
On the security end, it would dramatically reduce user risk---even if your server were physically stolen or destroyed, it would be possible for your users to recover their bitcoins and impossible for anyone else to steal them.
|
|
|
|
|
jav (OP)
|
|
May 11, 2011, 03:00:24 PM |
|
@jav: How much access do you have to money in an instawallet? It wouldn't surprise me if it's possible to arrange things so you have no access at all. One way would be to randomly generate the URL for each new wallet, but derive keypairs deterministically from that URL, and not keep a record of the URL on your end. (Of course you'd have web server logs, but you could purge them of sensitive data on a regular basis.)
That's an interesting idea and it should be possibly in theory. I don't think it's very practical at the moment, though. It would probably require large changes to bitcoind, to support frequent imports and removals of private keys for the temporary time that the user is logged on. And it would still be kind of a kludge, as the user is still vulnerable during the time he is accessing the Instawallet. I agree though, that it would have many benefits. I think the WebCoin project does some interesting work in this regard, going so far as completely preventing the server from seeing the private keys at all. It should be interesting to see what they can come up with and their software might eventually be a better backend for the Instawallet site. |
|
|
|
|
jav (OP)
|
|
May 19, 2011, 02:23:12 PM |
|
Quick update: All traces of Google Analytics have been removed. I also tackled the biggest source of user confusion: changing Bitcoin addresses. The address you see on your Instawallet will from now on not change anymore.
So far everything seems to run fine. More updates (including a FAQ) will follow.
|
|
|
|
|
foo
|
|
May 23, 2011, 09:45:44 AM |
|
Would you consider creating a namecoin version of instawallet?
|
I know this because Tyler knows this.
|
|
|
|
gigabytecoin
|
|
May 23, 2011, 10:53:05 AM |
|
Nice! I likey! Keep up the good work!
|
|
|
|
|
zef
Member
Offline
Activity: 90
Merit: 10
|
|
May 23, 2011, 01:36:12 PM |
|
Is it possible for someone to generate addresses locally and inputting them to your site, sort of like a brute force way to find random wallets? I noticed the url is different from the wallet address, which is good, but I would still be concerned about an attack like that.
|
|
|
|
|
|
jerfelix
|
|
May 23, 2011, 09:40:33 PM |
|
@JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins). I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics. But Instawallet is a very nice looking site! See http://www.google.com/privacy/faq.html#toc-terms-urls
URLs and embedded information
Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service. When you sign up for any such service, you will be informed clearly that the service sends URLs to Google, and whether and how you can opt-in or opt-out.
For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may “embed” that information – including personal information – into its URL (typically, after a question mark (“?”) in the URL). When the URL is transmitted to Google, our servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs. |
|
|
|
|
|
luv2drnkbr
|
|
May 24, 2011, 12:06:13 PM |
|
Could you implement some kind of thing like Mt. Gox's API where I could send BTC by just opening a URL, and then as long as enough BTC were in my wallet, it would send them. Something like: https://www.instawallet.org/w/wallet-address/send.php?sendtoaddress=&amount=That way, guys like me who have basically no programming knowledge at all could still have a way to automate things. Like I plan on writing an autohotkey script that might utilize a feature like that. |
|
|
|
|
jav (OP)
|
|
May 24, 2011, 01:19:07 PM |
|
Would you consider creating a namecoin version of instawallet?
I think Namecoin is a very interesting project, but would prefer to focus my resources just on the Bitcoin side of things for now. Is it possible for someone to generate addresses locally and inputting them to your site, sort of like a brute force way to find random wallets? I noticed the url is different from the wallet address, which is good, but I would still be concerned about an attack like that.
Knowing the Bitcoin address of a wallet doesn't improve your chances of guessing an Instawallet, if that's what you mean. As to randomly trying Instawallet URLs: the search space is big enough, that this won't get you anywhere. @JAV, You may also have to worry about Toolbar programs (like Alexa toolbar, Ask toolbar, Bing tool bar, Yahoo Tool Bar, Google Toolbar, lots of Firefox plugins). I believe that some of these send URLs back to the "mother ship" to help with page rankings and site analytics.
Thx for the heads up, but how do you propose I should deal with them? It seems to me, that if people want to send their private data to a cloud service, it's up to them whether they trust that provider. I'm not the only service that uses secret URLs. You can, for example, create YouTube videos that can only be accessed through a private link. As far as I know, these services also don't deal specifically with toolbars. But I will mention it in the upcoming FAQ. Could you implement some kind of thing like Mt. Gox's API where I could send BTC by just opening a URL, and then as long as enough BTC were in my wallet, it would send them.
I have been toying with the idea of providing an API. It will probably happen at some point, but I can't promise anything right now, there are still lots of other things in the queue. |
|
|
|
|
