Customer hand-off between Bitcoin partners

Post on 29-Jan-2015

Category:

Technology

DESCRIPTION

How to do a customer hand-off between Bitcoin partners using signed request URLs.

TRANSCRIPT

Customer hand-off between Bitcoin partners

Joris Bontje @mids106

Use Case

Making the connection

Copy / paste bitcoin address

Not very user friendly: “scary address”

First-time users are anxious about their payments

Can’t detect referring partner

Poor customer support

Link via URL

User no longer has to enter the address himself

Can detect wallet type / partner (referrer)

Better customer support

Not secure: all kinds of scams possible

Using API

Not “peer to peer”; unequal partners

How do you hand over user sessions?

Everybody has their own API

Signed links

Uses OAuth 1.0a signing scheme (used by Twitter)

Requests signed with shared secret (HMAC-SHA1)

Communication goes via the browser; no internal API or callbacks required

Existing scheme; “don’t invent your own crypto”

Implementation

Request

Security

Request signed with shared secret (HMAC-SHA1)

Limited time validity (5 minutes by default)

Prevent replay attacks with nonce

Shared secret exchanged out-of-band (PGP)
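
An added example, not the presenter's code and not the code behind the link below: one way a receiving partner could verify a signed hand-off link using the OAuth 1.0a HMAC-SHA1 signature, the 5-minute window and a nonce check. The `oauth_*` parameter names are standard OAuth 1.0a; the function names, partner name, secret, URL and the `address`/`amount` parameters are assumptions made for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit
MAX_AGE = 300  # seconds; the 5-minute default validity from the slides

def _enc(value):
    return quote(str(value), safe="~")  # RFC 3986 encoding, as OAuth 1.0a requires

def signature(method, base_url, params, secret):
    """OAuth 1.0a HMAC-SHA1 signature; no token secret, so the key ends in '&'."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(base_url), _enc(normalized)])
    key = (_enc(secret) + "&").encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_url(base_url, params, partner, secret, nonce, now):
    """Sending partner: add the oauth_* fields and the signature to the link."""
    p = dict(params, oauth_consumer_key=partner, oauth_nonce=nonce,
             oauth_timestamp=str(int(now)), oauth_signature_method="HMAC-SHA1")
    p["oauth_signature"] = signature("GET", base_url, p, secret)
    return base_url + "?" + urlencode(p)

def verify_url(url, secrets, seen_nonces, now):
    """Receiving partner: returns 'ok' or the reason the link is rejected."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    p = dict(pairs)
    if len(p) != len(pairs):
        return "duplicate parameter"
    partner = p.get("oauth_consumer_key")
    if partner not in secrets:
        return "unknown partner"
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    expected = signature("GET", base_url, p, secrets[partner])
    if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
        return "bad signature"
    ts = p.get("oauth_timestamp", "")
    if not ts.isdecimal() or abs(now - int(ts)) > MAX_AGE:
        return "expired"
    nonce = p.get("oauth_nonce")
    if not nonce or (partner, nonce) in seen_nonces:
        return "replayed"
    seen_nonces.add((partner, nonce))  # only needs keeping for MAX_AGE seconds
    return "ok"

# Constructed sample: partner name, secret, URL and parameters are made up.
SECRETS = {"wallet-partner": "constructed-shared-secret"}
SAMPLE = sign_url("https://exchange.example/buy", {"address": "1ExampleAddr",
                  "amount": "0.5"}, "wallet-partner", SECRETS["wallet-partner"], "n-001", 1000)
```

The signature is checked before the timestamp and nonce so that unauthenticated links cannot fill the nonce store.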

Protocol + Code

http://bit.ly/1cBq1Ka

Demo

Buy Bitcoin

Sell Bitcoin

? @mids106

Image by: casascius

BIPS 0070

BIP 0070: Payment Protocol

Not yet in production *)

Uses SSL / Certificate Authorities

Relies on accessing a third party web page

Might only work in 1 direction (selling bitcoins)