Board: Bitcoin Discussion
Re: How To Automate Bitcoin Payments For Website Sales??
by MrJoshua on 09/08/2011, 23:27:18 UTC
I'm hoping that this thread goes to show that 3rd party services have security flaws, even when they say they don't. It is always your own responsibility to verify the security of your money. You can't trust a sales pitch, however well intentioned.

I am surprised to discover that you can't check payments to random addresses remotely at the moment, so I've tried to give the dev team some encouragement to integrate that feature (which is already available in a patch).

You can use bitcoind on a server and manage the funds entirely yourself. This is as easy as any web service using the JSON interface. You can have a duplicate of the server's wallet on your own machine, and you can manually or procedurally sweep funds from the online wallet to a more secure wallet at any time.

3rd party solutions are NEVER going to be an easier way to bitcoin security. It is not possible to know all the security issues with a 3rd party solution without access to their entire server/software stack and significant knowledge of possible weaknesses (like IP masquerading), which is of course harder than securing your own server. You can always make your server at least as secure as any 3rd party server, and because unix security is a known problem you have lots of resources for improving it.

I think BitcoinNotify is probably a very good service that can help the bitcoin economy, and I want to see more bitcoin merchant related services. I'm glad they attempted to address one of the security issues quickly, but there is still the double spend attack, which is quite a bit easier to exploit than IP masquerading (mybitcoin claims that is exactly what happened to them, losing more than 50% of all customers' assets), and who knows how many other issues (how secure are their servers, are you really going to always check the sig on their POST request?). This may not be an issue for the OP because he can re-verify payments before shipping, but not all services have that window for additional verification. So please understand you ARE compromising your security by using a 3rd party; it is up to you to decide if the benefits outweigh the risk, and you must do so without a full knowledge of what risks that 3rd party is exposing you to.

As I said before, and everyone should know by now, there is no shortcut to security.

Understand first, trust second, and if you must trust someone, trust a security professional who is working for you.

j
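
The self-hosted setup described in the post above, sketched as an added example that is not part of the original post or any project's own code: a merchant script that asks its own bitcoind over JSON-RPC whether an order address has been paid, ships only after confirmations, and sweeps surplus funds to a more secure wallet. The RPC methods `getreceivedbyaddress`, `getbalance` and `sendtoaddress` are bitcoind's; the function names, the 6-confirmation threshold and the `keep` float are assumptions made for this sketch.

```python
import base64
import json
import urllib.request
from decimal import Decimal

def make_rpc(url, user, password):
    """Return call(method, *params) for a bitcoind JSON-RPC endpoint.
    Assumption: the endpoint is reachable only from the shop server itself."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    def call(method, *params):
        body = json.dumps({"jsonrpc": "1.0", "id": "shop", "method": method,
                           "params": list(params)}, default=float).encode()
        req = urllib.request.Request(url, data=body, headers={
            "Authorization": "Basic " + auth,
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.loads(resp.read(), parse_float=Decimal)
        if reply.get("error"):
            raise RuntimeError(reply["error"])
        return reply["result"]
    return call

def order_status(call, address, price, min_conf=6):
    """Classify an order by what its dedicated address has received.
    The address must belong to the server's own wallet; min_conf=6 is an
    assumed policy, not a value from the post."""
    price = Decimal(str(price))
    if Decimal(str(call("getreceivedbyaddress", address, min_conf))) >= price:
        return "confirmed"   # enough confirmations: safe to ship
    if Decimal(str(call("getreceivedbyaddress", address, 0))) >= price:
        return "pending"     # seen on the network, still double-spendable
    return "unpaid"

def sweep_excess(call, cold_address, keep):
    """Move balance above `keep` to a more secure wallet; return txid or None.
    The transaction fee comes out of the amount kept online."""
    excess = Decimal(str(call("getbalance"))) - Decimal(str(keep))
    if excess <= 0:
        return None
    return call("sendtoaddress", cold_address, excess)
```

In production `call` comes from `make_rpc(...)`; any callable with the same signature works, which lets the payment logic be tested without a running node.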