BitShares Forum

Main => General Discussion => Topic started by: fluxer555 on December 11, 2014, 10:09:52 pm

Title: Spending funds within browser, without opening client
Post by: fluxer555 on December 11, 2014, 10:09:52 pm
If PayPal needed a separate app to process transactions across the web, they would be pulling in much less business. Of course, the problem of processing BTS transactions without opening the client is security, however I think this is not an impossible hurdle to overcome. Any ideas?
Title: Re: Spending funds within browser, without opening client
Post by: xeroc on December 11, 2014, 10:31:32 pm
I don't get the question :(

You do know that there is a lightweight client for web and mobile phones under development?
Title: Re: Spending funds within browser, without opening client
Post by: fuzzy on December 11, 2014, 10:33:10 pm
Quote
I don't get the question :(

You do know that there is a lightweight client for web and mobile phones under development?

I think he is talking about integration of said client.  I read about Plugins being created that should help with this (https://bitsharestalk.org/index.php?topic=11840.0;topicseen), but I am not sure how paypal does it exactly.
Title: Re: Spending funds within browser, without opening client
Post by: gamey on December 11, 2014, 10:43:45 pm
Quote
If PayPal needed a separate app to process transactions across the web, they would be pulling in much less business. Of course, the problem of processing BTS transactions without opening the client is security, however I think this is not an impossible hurdle to overcome. Any ideas?

Opening the wallet seems to be required. The approach is to not have too many funds exposed when you use your wallet. I.e., we need simplified cold storage. In PayPal you open your PayPal account, which is something of the same security-wise. It is just that PayPal lets you reverse charges etc., so they do not need to be as concerned.
Title: Re: Spending funds within browser, without opening client
Post by: fluxer555 on December 11, 2014, 11:14:43 pm
Quote
I am not sure how paypal does it exactly.

There are two ways merchants use PayPal (from what I can remember):

1. When you select PayPal as a payment option, it redirects you to a PayPal login page. You type in your email and password, press submit, then it reviews the total, and then you click pay. You are then redirected back to the website.

2. When you select PayPal as a payment option, it redirects you to a PayPal login page. You type in your email and password, and click 'Authorize example.com to make this purchase'. You are then redirected back to the site, and confirm your purchase there.

Is it possible for there to be a hosted web-based implementation of BTS? Could that be secure? What is the difference between trusting the source code of a website, and the source code of the desktop wallet?

Would it be possible to allow authorization of web-based transactions to occur on your smart phone?

1. Click "Pay via BitShares App"
2. Enter in your account name
3. Website says "Please check your phone to Authorize transaction" or "Your account is not set up to take phone authorizations. Click here for more info"
4. Receive notification and request to authorize transaction on your phone, touch 'Accept'
5. Website recognizes the authorization, receives payment, and brings you to thank-you page.

It would be great for this to be a part of the lightweight phone client.
Title: Re: Spending funds within browser, without opening client
Post by: xeroc on December 11, 2014, 11:46:45 pm
Quote
There are two ways merchants use PayPal (from what I can remember):

1. When you select PayPal as a payment option, it redirects you to a PayPal login page. You type in your email and password, press submit, then it reviews the total, and then you click pay. You are then redirected back to the website.

2. When you select PayPal as a payment option, it redirects you to a PayPal login page. You type in your email and password, and click 'Authorize example.com to make this purchase'. You are then redirected back to the site, and confirm your purchase there.

interesting ... never saw the second option :)

Quote
Is it possible for there to be a hosted web-based implementation of BTS? Could that be secure? What is the difference between trusting the source code of a website, and the source code of the desktop wallet?

You could have a webpage do exactly that .. it's just a matter of developing it .. should be a "big deal" .. technically (though maybe legally, no idea)
the issue with web wallets is that the web provider should never ever see a private key .. not in encrypted form... and for sure never in unencrypted form ..
so all the crypto math and transaction signing stuff has to be performed in the browser .. which opens up some potential attack vectors such as
- weak random number generators
- backdoors in delivered JS libraries
- hacked keyboards/memory on your home computer
and thus could compromise your ENTIRE holdings ..

Same holds true for ANY crypto currency .. by the way

Quote
Would it be possible to allow authorization of web-based transactions to occur on your smart phone?

1. Click "Pay via BitShares App"
2. Enter in your account name
3. Website says "Please check your phone to Authorize transaction" or "Your account is not set up to take phone authorizations. Click here for more info"
4. Receive notification and request to authorize transaction on your phone, touch 'Accept'
5. Website recognizes the authorization, receives payment, and brings you to thank-you page.

That would only work if you had your funds stored at a service provider ..

oh wait ..

you can do escrow/multisig as greenaddress.it and the other BTC service I forgot the name of is doing. It would work that way:

1) all your funds require at least 2 out of 3 or 4 signatures
2) you have 1 installed on your computer and 2 in cold storage
3) the other key is installed at a service provider
4) you want to make a transaction and sign the tx ..
5) you mail your service provider with the built-in mailing app
6) your service provider sends an SMS or does some other kind of 2-factor authentication
7) if the authentication is successful the service provider also signs the tx and the tx gets valid

that way you can even include 2FA via Google Authenticator or similar. Like an extra for when you do your transaction that holds the 2FA code ..

Quote
It would be great for this to be a part of the lightweight phone client.
Absolutely! the devs are on it .. they basically already have all the required JavaScript stuff .. it's just a matter of a "nice" UI :)
Title: Re: Spending funds within browser, without opening client
Post by: gamey on December 11, 2014, 11:55:38 pm
Quote
That would only work if you had your funds stored at a service provider ..

oh wait ..

you can do escrow/multisig as greenaddress.it and the other BTC service I forgot the name of is doing. It would work that way:

1) all your funds require at least 2 out of 3 or 4 signatures
2) you have 1 installed on your computer and 2 in cold storage
3) the other key is installed at a service provider
4) you want to make a transaction and sign the tx ..
5) you mail your service provider with the built-in mailing app
6) your service provider sends an SMS or does some other kind of 2-factor authentication
7) if the authentication is successful the service provider also signs the tx and the tx gets valid

that way you can even include 2FA via Google Authenticator or similar. Like an extra for when you do your transaction that holds the 2FA code ..


For step 4 doesn't it require your private key? And if you are exposing your private key, why need any of the other steps? Just generate the transaction... Or would there be an account type that is 2/3 multi-sig without a master private key?

Or will multi-sig have a master private key which generates the 3 multi-signatures? I wonder how this works. I once asked about a multi-sig account to hold funds .. How would the signatures be generated without 1 person knowing all 3? Is that going to be possible?
Title: Re: Spending funds within browser, without opening client
Post by: xeroc on December 12, 2014, 12:05:13 am
Quote
That would only work if you had your funds stored at a service provider ..

oh wait ..

you can do escrow/multisig as greenaddress.it and the other BTC service I forgot the name of is doing. It would work that way:

1) all your funds require at least 2 out of 3 or 4 signatures
2) you have 1 installed on your computer and 2 in cold storage
3) the other key is installed at a service provider
4) you want to make a transaction and sign the tx ..
5) you mail your service provider with the built-in mailing app
6) your service provider sends an SMS or does some other kind of 2-factor authentication
7) if the authentication is successful the service provider also signs the tx and the tx gets valid

that way you can even include 2FA via Google Authenticator or similar. Like an extra for when you do your transaction that holds the 2FA code ..


Quote
For step 4 doesn't it require your private key? And if you are exposing your private key, why need any of the other steps? Just generate the transaction... Or would there be an account type that is 2/3 multi-sig without a master private key?

The blockchain is ECC .. so technically all of the above is possible.. as you can do this in BTC too .. ok. BTC has SCRIPT .. but having a new tx operation type that can do this should be implementable

AFAIK, there already is an escrow OP in bitshares .. coming in the next release .. not sure about the details .. but IMHO .. a 2 of 4 address should be implementable with that.

For me .. it would work like this:
you have an address that has some special characteristics (i.e. starts with KEY instead of BTS) that allows withdrawal only if 2 of 4 signatures are ok (from a given set of pubkeys) ... one of the keys is owned by a service provider .. the others are yours and should in part be in cold storage. ... to that address there is neither an account name .. nor is there a single private key that can spend the funds.

All of this is just in my mind .. devs might have implemented it differently ..


Quote
Or will multi-sig have a master private key which generates the 3
multi-signatures ?  I wonder how this works.  I once asked about a multi-sig
account to hold funds ..  How would the signatures be generated without 1
person knowing all 3?  Is that going to be possible?
It would work like this:
I generate 3 keys and the pubkeys to it: A, B, C
the service provider generates D ..
then you generated your escrow/multisig address using all three pubkeys
pubA + pubB + pubC + pubD

any 2 of these can spend the funds

you only know 3.
If you or the provider loses one .. you are still safe
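
The 2-of-4 arrangement described in the post above (user keys A, B, C plus a provider key D), as an added example that is not part of the original thread and not BitShares code: it checks the signature threshold at application level with Node's built-in crypto module. The transaction fields, the `policy` structure and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key set: A, B, C are generated by the user, D by the service provider.
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const keys = { A: newKey(), B: newKey(), C: newKey(), D: newKey() };

// The "address" (hypothetical structure): a threshold plus public keys only.
// No master private key exists anywhere.
const policy = {
  required: 2,
  pubkeys: new Map(Object.entries(keys).map(([id, k]) => [id, k.publicKey])),
};

// Canonical bytes of the transaction that every signer commits to.
const txBytes = (tx) => Buffer.from(JSON.stringify([tx.from, tx.to, tx.amount, tx.nonce]));

// One party signs with its own private key; the key never leaves that party.
function signTx(tx, signerId, privateKey) {
  return { signerId, sig: crypto.sign('sha256', txBytes(tx), privateKey) };
}

// Collect the distinct policy keys that produced a valid signature over exactly this tx.
function validSigners(tx, signatures, pol) {
  const seen = new Set();
  for (const { signerId, sig } of signatures) {
    const pub = pol.pubkeys.get(signerId);
    if (!pub || seen.has(signerId)) continue; // key outside the set, or signer already counted
    if (crypto.verify('sha256', txBytes(tx), pub, sig)) seen.add(signerId);
  }
  return seen;
}

// The funds move only when the threshold of distinct signers is reached.
function isSpendable(tx, signatures, pol) {
  return validSigners(tx, signatures, pol).size >= pol.required;
}

// Constructed sample transaction.
const tx = { from: 'multisig-demo', to: 'merchant', amount: 25, nonce: 1 };
const userSig = signTx(tx, 'A', keys.A.privateKey);     // step 4: the user signs
const providerSig = signTx(tx, 'D', keys.D.privateKey); // step 7: provider co-signs after 2FA
```

A stolen key A alone is not enough to spend, and the two cold-storage keys B and C can still move the funds if the provider disappears.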
Title: Re: Spending funds within browser, without opening client
Post by: Troglodactyl on December 12, 2014, 05:10:47 am
Quote
...
Would it be possible to allow authorization of web-based transactions to occur on your smart phone?

1. Click "Pay via BitShares App"
2. Enter in your account name
3. Website says "Please check your phone to Authorize transaction" or "Your account is not set up to take phone authorizations. Click here for more info"
4. Receive notification and request to authorize transaction on your phone, touch 'Accept'
5. Website recognizes the authorization, receives payment, and brings you to thank-you page.

It would be great for this to be a part of the lightweight phone client.

This wouldn't require multisig or escrow, though those are always nice options to have.  It seems the messaging system for lightweight clients should be able to support payment requests just as easily as payment notifications. 

Payment requests could be generated anywhere, and transferred to the mobile wallet through the messaging system if no other method were available.  Once the user sees the request on the mobile wallet and approves it, the transaction would just be signed and broadcast.
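
The payment-request flow from the post above, as an added example that is not part of the original thread or of any BitShares client: the phone signs the exact request the website issued, and the website rejects altered, expired or replayed approvals. The field names, the five-minute expiry and the use of a signed request in place of a broadcast blockchain transaction are assumptions.

```javascript
const crypto = require('node:crypto');

// Canonical encoding with a fixed field order, so both sides sign and verify the same bytes.
const encodeRequest = (r) =>
  Buffer.from(JSON.stringify([r.merchant, r.payer, r.amount, r.asset, r.requestId, r.expires]));

// Website side: build a request with a fresh random id and a short expiry (seconds).
function createPaymentRequest(merchant, payer, amount, asset, now) {
  return {
    merchant, payer, amount, asset,
    requestId: crypto.randomBytes(16).toString('hex'),
    expires: now + 300,
  };
}

// Phone side: the wallet shows the fields and signs only if the user taps Accept.
function approveOnPhone(request, privateKey, userAccepted, now) {
  if (!userAccepted || now > request.expires) return null;
  return crypto.sign('sha256', encodeRequest(request), privateKey);
}

// Website side: accept one fresh signature over the request it issued, and only once.
function makeVerifier() {
  const used = new Set();
  return function verifyApproval(issued, signature, payerPublicKey, now) {
    if (!signature || now > issued.expires || used.has(issued.requestId)) return false;
    if (!crypto.verify('sha256', encodeRequest(issued), payerPublicKey, signature)) return false;
    used.add(issued.requestId); // single use: a captured approval cannot be replayed
    return true;
  };
}

// Constructed sample data: a phone wallet key pair and a fixed clock value.
const phoneKey = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const T0 = 1418335792;
const request = createPaymentRequest('example.com', 'alice', 25, 'BTS', T0);
const approval = approveOnPhone(request, phoneKey.privateKey, true, T0 + 20);
const verifyApproval = makeVerifier();
```

The private key stays on the phone throughout; the website only ever handles the request, the signature and the payer's public key.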
Title: Re: Spending funds within browser, without opening client
Post by: jsidhu on December 12, 2014, 07:14:55 am
If the js lib can sign txs then maybe we can use it like bitcore? That is.. We can simply run rpc on server to download blocks etc but the spending can happen in browser. This would make life easier... The shopping carts direct you to the wallet to make the tx.. There is no confirmation since we don't have a callback mechanism (I've asked bm how hard this is via a PM).. I use a cronjob to update orders and status of cart orders. That part can all go away if we sign and confirm right in javascript