Bitcoin Forum
Author Topic: New, simple online wallet: www.instawallet.org - no signup required  (Read 28847 times)
bitlotto (Hero Member)
April 29, 2011, 04:50:55 PM  #21

Pretty cool! Can't be more simple. I don't know much about website programming, but isn't it possible for websites to sometimes see where you were just browsing and thereby get the address?
It uses SSL, which should be good enough. The only computers that should be able to see the URL are yours and the server, and the server already has the money. Certainly it's possible that some specially-written malware on your computer could monitor for accesses to this site and steal the URL, but it could do that with the name and password of any e-wallet service, or any private keys stored on your own computer.
Thanks for the explanation. I was thinking about TOR too, but I guess since SSL hides the address from the final node it would work. I'm starting to really like the site!

Gavin Andresen (Legendary, Chief Scientist)
April 29, 2011, 05:05:28 PM  #22

Fantastic idea!

My only suggestion would be a "copy to clipboard" icon/link next to the funding address (I need to do that for ClearCoin, too-- haven't looked into how to do it yet, but github does it so I know it can be done...)

nextnonce (Member)
April 29, 2011, 05:40:15 PM  #23

Pretty cool! Can't be more simple. I don't know much about website programming, but isn't it possible for websites to sometimes see where you were just browsing and thereby get the address?

When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on.  So, this would be an issue if instantwallet.com had links to other websites.

Very nice site.  I will recommend this to anyone I introduce to bitcoins.

dacoinminster (Legendary)
April 29, 2011, 05:43:40 PM  #24

This service is fantastic. I probably won't use it myself, but I sent a $1 USD donation (0.39BTC) to the donation address at the bottom of the page, just for being awesome.

I miss dollar parity at times like this - then I didn't have to do any math to know how much I'm sending someone. But of course I don't miss dollar parity TOO much ;)

BitterTea (Sr. Member)
April 29, 2011, 06:15:19 PM  #25

My only suggestion would be a "copy to clipboard" icon/link next to the funding address (I need to do that for ClearCoin, too-- haven't looked into how to do it yet, but github does it so I know it can be done...)

As far as I know, the only way to do this universally across browsers and operating systems is to use a flash object. :(

Clippy is what github uses: https://github.com/mojombo/clippy
danf (Newbie)
April 29, 2011, 06:45:38 PM  #26

When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on.  So, this would be an issue if instantwallet.com had links to other websites.

This would also be an issue if Instawallet added any advertising. The site which serves the ads would have access to the URL, which would potentially be very bad.
nextnonce (Member)
April 29, 2011, 07:09:27 PM  #27

I just noticed the link in the bottom-right to http://www.freecsstemplates.org/  I wonder how many wallets they have access to already :D

Insti (Sr. Member)
April 29, 2011, 07:30:27 PM  #28

I just noticed the link in the bottom-right to http://www.freecsstemplates.org/  I wonder how many wallets they have access to already :D

Mine at least. Thanks for pointing that out...
(not that I'd put any money in..)

Insti (Sr. Member)
April 29, 2011, 07:39:35 PM  #29

Is typing in your own wallet code a supported feature?

https://www.instawallet.org/w/free_bitcoins
theymos (Administrator, Legendary)
April 29, 2011, 08:50:04 PM  #30

When you click a link on a site, most browsers send the url of the page you were just visiting to the server of site you clicked on.  So, this would be an issue if instantwallet.com had links to other websites.

This doesn't happen from HTTPS sites.

kristofferR (Newbie)
April 30, 2011, 01:46:20 AM  #31

Would be cool if you could choose your own address for increased rememberability.
jav (OP) (Sr. Member)
April 30, 2011, 09:38:12 AM  #32

Great to see the site being positively received. :-)

This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.

I thought this wouldn't be an issue, but I'm not so sure anymore. I use the "account" feature of bitcoind and every wallet has its own account. My understanding was that this will mean that the coins being sent are limited to the account as well. In that case it doesn't matter if the funds end up not confirming, because it will also invalidate the withdraw transaction. But maybe bitcoind uses coins from other accounts as well sometimes? Does someone here have more insight into this?

I guess it can't get much easier than this :) Do you know if your service can be used with this pool? http://bitcointalk.org/index.php?topic=6667.0

Interesting question, I'm not sure. The balance is whatever the method "getbalance <account associated with your wallet> 0" (so minconf=0) will return. I have no idea if this is the case for these pool transactions.

Where are the wallet files kept?
who has access to the physical equipment that the wallets are stored on?
What kind of encryption does instawallet use?
can we see the source code?

Sorry if any/all of these are answered somewhere on the site, but I can't find it yet.

One of the next things I will add is some sort of FAQ list that will address these things. For now: the wallet is on a VPS, running Debian Squeeze on an un-encrypted file system. So my VPS host prgmr.com technically has access and of course I do. Besides SSL there is no encryption used, but the regular backups I will make will be encrypted. I haven't decided about the source code, so for now it remains closed.

In any case: This isn't really the place to store your Bitcoin wealth! I will try my best in keeping the service stable and secure, but ultimately I want to see mostly Bitcents on these wallets. A lot needs to happen before I would trust a cloud service with a larger amount of Bitcoin to store over longer time and Instawallet is definitely not the place to do that.

Yeah, this seems rather nifty, but I'd want a lot more details about how the unique URL is generated, what protections there are against people trying to brute-force URLs to stumble upon money, and how the server/wallets are secured before using it for anything serious.

The URL contains 16 bytes of random data. I hope an attacker will do the math before wasting his and my bandwidth. Right now there isn't any sophisticated throttling implemented. Let's see how long until I have to deal with some trouble maker.

My only suggestion would be a "copy to clipboard" icon/link next to the funding address

Thx for the idea, I will consider implementing that!

Is typing in your own wallet code a supported feature?
https://www.instawallet.org/w/free_bitcoins

It's not specifically supported, but yes, it works at the moment and you are free to make up your own wallet URL.

1.  Did you address the possibility of cross-site request forgery?

Maybe not to its full extent. You need to provide the wallet identifier when making a payment, but maybe this could be scripted with JavaScript after being redirected to the wallet URL? I will tighten up security in this area, thx for the pointer. Again, I don't recommend that people store large amounts of money there, so that CSRF would be worthwhile, but of course I appreciate the trust in the service if someone ends up doing it anyway.

2.  Though the standard is somewhat vague, the traditional interpretation of RFC 2616 is that Referrer: headers are permitted from HTTPS content as long as the target uses SSL as well.  I don't know offhand how each different modern browser reacts by default, but I disagree with Theymos that it's not a concern in general.

2a.  To address this issue partly, it would be fairly easy to continue to permit pages to be accessed using an address in the URL but to redirect the user immediately to a page that doesn't include it there, either storing it in the session or including it as a hidden form parameter.

It seems you are correct that the referrer is transferred when linking to another SSL site. I will have to think about this, but as I don't have outgoing SSL links, it should be fine at the moment. Redirecting in the way you describe would be an option, but I'm not sure I like it much. I consider seeing your actual wallet link in the address bar a usability feature.

4.  Are the addresses generated using a secure PRNG?  If it's an ordinary PRNG, it wouldn't be hard to guess addresses.

What is an "ordinary PRNG" for you? I use Python's os.urandom() which I would consider pretty "ordinary", but I have checked the documentation which claims that it returns "random bytes suitable for cryptographic use".

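Worked example, added here and not Instawallet's code: generating the identifier the way the post describes, with os.urandom(16), and the arithmetic an attacker would have to do before trying random URLs. Hex encoding of the 16 bytes is an assumption for this example; the thread does not say how they appear in the URL.

```python
import os

ID_BYTES = 16                    # the post: "The URL contains 16 bytes of random data"
KEYSPACE = 2 ** (8 * ID_BYTES)   # 2**128 possible identifiers


def new_wallet_id() -> str:
    """Fresh wallet identifier from os.urandom(), the call the post names.
    Hex encoding (32 characters) is an assumption made for this example."""
    return os.urandom(ID_BYTES).hex()


def hit_probability(n_wallets: int, guesses: int) -> float:
    """Chance that `guesses` uniformly random URLs land on at least one of
    `n_wallets` funded wallets (union bound, tight while n*guesses << KEYSPACE)."""
    return min(1.0, n_wallets * guesses / KEYSPACE)


def expected_guesses(n_wallets: int) -> int:
    """Expected number of random URLs before the first hit on any funded
    wallet; the fewer wallets exist, the more an attacker must try."""
    return KEYSPACE // n_wallets


def years_to_first_hit(n_wallets: int, guesses_per_second: float) -> float:
    """Expected wall-clock years at a sustained request rate: this is the
    'math' the post hopes an attacker does before wasting anyone's bandwidth."""
    seconds = expected_guesses(n_wallets) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed scenario: a million funded wallets, a million guesses per second.
    print("https://www.instawallet.org/w/" + new_wallet_id())
    print("years to first hit: %.2e" % years_to_first_hit(10**6, 10**6))
```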
Gavin Andresen (Legendary, Chief Scientist)
April 30, 2011, 10:58:32 PM  #33

This instant deposit feature is great, but you might want to wait until the funds clear before letting people withdraw it back out again.

I thought this wouldn't be an issue, but I'm not so sure anymore. I use the "account" feature of bitcoind and every wallet has its own account. My understanding was that this will mean that the coins being sent are limited to the account as well. In that case it doesn't matter if the funds end up not confirming, because it will also invalidate the withdraw transaction. But maybe bitcoind uses coins from other accounts as well sometimes? Does someone here have more insight into this?

It is definitely an issue-- the account code doesn't keep track of where the coins it is sending out came from, so if you accept 0-confirmation coins you're vulnerable to double-spending attacks (see, for example, the discussion of the "Finney attack" in these forums).

Seeing coins show up right away is a fantastic feature, though, so I'd suggest getting the 0-confirmation balance and a 3+-confirmation balance, allowing only 3+ confirmed coins to be withdrawn, and displaying the difference as 'waiting confirmation'.

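An added illustration of the scheme Gavin describes, not Instawallet's or bitcoind's code: a per-account ledger read at minconf 0 and minconf 3, the difference shown as 'waiting confirmation', and a withdrawal check limited to the 3+ confirmed balance. The deposit list is constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

WITHDRAW_MINCONF = 3   # Gavin's suggestion: only 3+ confirmed coins may be withdrawn


@dataclass
class Deposit:
    txid: str            # constructed sample ids, not real transactions
    amount: Decimal
    confirmations: int   # 0 = relayed to us but not yet in a block


def getbalance(deposits, minconf: int) -> Decimal:
    """Mirror of bitcoind's `getbalance <account> <minconf>` for one wallet's
    account: sum every deposit that has at least `minconf` confirmations."""
    return sum((d.amount for d in deposits if d.confirmations >= minconf), Decimal("0"))


def wallet_view(deposits) -> dict:
    """Figures for the wallet page: the withdrawable balance, plus the gap
    between the 0-conf and 3-conf readings shown as 'waiting confirmation'."""
    available = getbalance(deposits, WITHDRAW_MINCONF)
    return {"available": available,
            "waiting_confirmation": getbalance(deposits, 0) - available}


def withdraw(deposits, amount) -> Decimal:
    """Refuse to pay out more than the confirmed balance, so a deposit that is
    later double-spent (the Finney attack Gavin mentions) can never already have
    left the service. Returns what would remain available after the payout."""
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ValueError("amount must be positive")
    available = wallet_view(deposits)["available"]
    if amount > available:
        raise ValueError(f"only {available} BTC confirmed, {amount} requested")
    return available - amount


# Constructed sample: two confirmed deposits and one that has just arrived.
SAMPLE = [
    Deposit("tx-a", Decimal("0.25"), 6),
    Deposit("tx-b", Decimal("0.10"), 3),
    Deposit("tx-c", Decimal("1.00"), 0),
]

if __name__ == "__main__":
    print(wallet_view(SAMPLE))   # available 0.35 BTC, waiting_confirmation 1.00 BTC
```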
genjix (Legendary)
April 30, 2011, 11:57:43 PM  #34

Amazing idea! Love it.
shazow (Newbie)
May 01, 2011, 12:55:39 AM  #35

It seems you are correct that the referrer is transferred when linking to another SSL site. I will have to think about this, but as I don't have outgoing SSL links, it should be fine at the moment. Redirecting in the way you describe would be an option, but I'm not sure I like it much. I consider seeing your actual wallet link in the address bar a usability feature.

I agree that having the wallet link in your address bar is a usability feature (though it could also be done with hash fragments). Perhaps a better approach is to make sure that all outgoing links go through a redirector?

E.g. http://redirect.instawallet.org/?url=http://google.com/ -> http://google.com

This will make sure all the referrer information is cleansed before leaving the site.

Also great job. :) I worry what your wallet data looks like after I tried a bunch of random urls and they all worked. Sorry about that. :P

- shazow
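An added example of the redirector shazow suggests, not the site's code. The host redirect.instawallet.org comes from the post; serving an interstitial page instead of a bare HTTP redirect, and the Referrer-Policy header, are additions here, because browsers carry the original page's Referer (wallet identifier included) straight through an HTTP redirect.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Assumed redirector location; the post's example is http://redirect.instawallet.org/?url=
REDIRECTOR = "https://redirect.instawallet.org/?url="


def outgoing_link(url: str) -> str:
    """Rewrite an external link on a wallet page so it leaves via the redirector."""
    return REDIRECTOR + quote(url, safe="")


def redirect_response(query_string: str):
    """Handle GET /?url=... on the redirector host; returns (status, headers, body).

    A bare 302 would not cleanse anything: browsers keep the original page's
    Referer across HTTP redirects. So serve a tiny interstitial whose own URL
    names only the destination and let it navigate onward; the destination then
    sees at most the interstitial's URL, and the Referrer-Policy header removes
    even that in browsers that honour it.
    """
    target = parse_qs(query_string).get("url", [""])[0]
    parts = urlsplit(target)
    # Plain web destinations only: refuse javascript:, data:, scheme-relative
    # and malformed values that could otherwise be planted in a link.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, {"Content-Type": "text/plain"}, "bad redirect target"
    safe = html.escape(target, quote=True)   # neutralise quotes and angle brackets
    body = ("<!DOCTYPE html><html><head>"
            f'<meta http-equiv="refresh" content="0;url={safe}">'
            "<title>Leaving Instawallet</title></head><body>"
            f'Continue to <a href="{safe}" rel="noreferrer">{safe}</a></body></html>')
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Referrer-Policy": "no-referrer",
               "Cache-Control": "no-store"}
    return 200, headers, body


if __name__ == "__main__":
    print(outgoing_link("http://google.com/"))
    print(redirect_response("url=http%3A%2F%2Fgoogle.com%2F")[2])
```

Any destination host is still accepted; if the site only links to a handful of places, restrict parts.netloc to that list so the redirector cannot be used to bounce visitors elsewhere.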
jav (OP) (Sr. Member)
May 01, 2011, 08:37:01 PM  #36

It is definitely an issue-- the account code doesn't keep track of where the coins it is sending out came from, so if you accept 0-confirmation coins you're vulnerable to double-spending attacks (see, for example, the discussion of the "Finney attack" in these forums).

I see, thx for clearing that up. I would really like to keep the speedy transactions, so I have decided to still allow 0-confirmation transactions. But I implemented a server-wide rate-limit for those transactions, which should make the Finney attack not worth the effort.


Great idea, that's probably how I'm going to do it!

Ian Maxwell (Full Member)
May 01, 2011, 09:18:48 PM  #37

Nice site, I like the idea a lot.

I'm a bit worried that I might put money into a wallet and then lose the address. Hypothetically, if I were able to tell you the exact balance of a wallet (and that balance were something unique like 142.41305), would you be able to send me a link?

cypherdoc (Legendary)
May 02, 2011, 12:42:13 AM  #38

well, i'm having problems with it.  easy to get 2 send tx's into instawallet of .01 btc each but now can't get them out.   instawallet shows balance of zero, my btc wallet shows 2 deposits of +.01 however they are greyed out and have 0 confirms. have contacted JAV but have yet to get this fixed.
Ian Maxwell (Full Member)
May 02, 2011, 02:18:35 AM  #39

cypherdoc: wait a few minutes and make sure it's really a problem.

Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.

cypherdoc (Legendary)
May 02, 2011, 02:23:25 AM  #40

cypherdoc: wait a few minutes and make sure it's really a problem.

Another concern: If someone uses an anonymizer agent like Tor, how will your "recognition" system work? It could be that it will identify the user based on the exit point, which would be a serious problem as it's likely that eventually two users will have the same exit point.

i've been waiting all day nervously watching my wallet balance.  no, they're not confirming and the receives are greyed out.