nelse87 (Newbie, Activity: 14, Merit: 0)
btcaddr.me - Bitcoin Address Identicon, November 03, 2012, 05:55:52 PM, #1



I would like to introduce a project I've done after reading ThePiachu's Master Thesis ( https://bitcointalk.org/index.php?action=profile;u=34743 ). In one of the sections he writes about the "Partial address collision" attack connected with bitcoin addresses. In a nutshell: given a bitcoin address we can generate an address with the same prefix. As humans tend to read only the first few characters of an address to validate it, a malicious user may replace it with a generated one and deceive the user sending payment. I believe the problem can be solved using identicons. Check the site: http://btcaddr.me/ and let me know what your thoughts are.

Spekulatius (Legendary, Activity: 1022, Merit: 1000)
Re: btcaddr.me - Bitcoin Address Identicon, November 03, 2012, 06:13:40 PM, #4
Last edit: November 03, 2012, 06:23:45 PM by Spekulatius

Quote from: nelse87 on November 03, 2012, 06:09:48 PM
What addresses did you try? You can try it other way: http://btcaddr.me/ [bitcoin address here]
Maybe the form is not working in your browser - which one are you using?

Firefox 16.0.2 on Windows 7

-edit-

I first entered your site by your link provided in OP, then used the input field with a random address obtained on this forum (1CoinLabF5Avpp5kor41ngn7prTFMMHFVc). Then I changed some letters and later the whole address but it still gave me the same identicon.

Now I just tried it only adding the address in the URL, like you advised and it worked. But don't you think it is problematic that the same address gets a different icon every time I run it? Heck, it does the same thing again now, after I'm leaving the tab open for 2 minutes, it returns the same identicon no matter what address I put in the URL.

crazy_rabbit (Legendary, Activity: 1176, Merit: 1001, RUM AND CARROTS: A PIRATE LIFE FOR ME)
Re: btcaddr.me - Bitcoin Address Identicon, November 03, 2012, 06:15:11 PM, #5

Oh wow that is VERY COOL. That could go on so many things, right next to your payment address you can show what it *should* look like when you pay.

Is it possible to "scan" the identicon and decipher the address? Like a custom QR code?

nelse87 (Newbie, Activity: 14, Merit: 0)
Re: btcaddr.me - Bitcoin Address Identicon, November 03, 2012, 06:25:19 PM, #8

You can use it with litecoin addresses too (even though there's "btc" in the domain name). To be honest, you can use it with any string as there is no input validation. It just takes a string, does sha1 twice and makes an identicon from it.
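
The scheme described in the post above, as an added sketch that is not part of the thread and not btcaddr.me's code: the string is hashed with SHA-1 twice and the digest drives a small symmetric icon, so two addresses that share a prefix still get unrelated icons. Assumptions: the second SHA-1 runs over the raw first digest, the 5x5 grid and colour layout are hypothetical, and the second address is a constructed look-alike of the one quoted in the thread.

```python
import hashlib

# Address quoted in the thread, and a constructed look-alike sharing its first
# 8 characters (not a real address; the post says input is not validated).
ADDR_REAL = "1CoinLabF5Avpp5kor41ngn7prTFMMHFVc"
ADDR_LOOKALIKE = "1CoinLabQ7xk2mVd9sTzRwYpLh3uNc8eGb"

def double_sha1(text):
    """SHA-1 applied twice. Assumption: the second pass hashes the raw digest."""
    return hashlib.sha1(hashlib.sha1(text.encode("utf-8")).digest()).digest()

def identicon(text):
    """Return (colour, 5x5 grid). The layout is hypothetical, not the site's."""
    d = double_sha1(text)
    colour = "#%02x%02x%02x" % (d[0], d[1], d[2])
    bits = int.from_bytes(d[3:5], "big")        # 15 of these 16 bits fill the grid
    grid = []
    for row in range(5):
        left = [(bits >> (row * 3 + col)) & 1 for col in range(3)]
        grid.append(left + left[1::-1])         # mirror columns for symmetry
    return colour, grid

def render(grid):
    """Draw the grid as text, two characters per cell."""
    return "\n".join("".join("##" if c else "  " for c in row) for row in grid)

def shared_prefix_len(a, b):
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def differing_cells(a, b):
    """Count grid cells that differ between the icons of two strings."""
    ga, gb = identicon(a)[1], identicon(b)[1]
    return sum(ca != cb for ra, rb in zip(ga, gb) for ca, cb in zip(ra, rb))

if __name__ == "__main__":
    for addr in (ADDR_REAL, ADDR_LOOKALIKE):
        colour, grid = identicon(addr)
        print(addr, colour)
        print(render(grid))
    print("shared prefix:", shared_prefix_len(ADDR_REAL, ADDR_LOOKALIKE))
    print("grid cells that differ:", differing_cells(ADDR_REAL, ADDR_LOOKALIKE))
```

Because the icon depends only on the input string, the same address always renders the same icon in this sketch.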

crazy_rabbit (Legendary, Activity: 1176, Merit: 1001, RUM AND CARROTS: A PIRATE LIFE FOR ME)
Re: btcaddr.me - Bitcoin Address Identicon, November 03, 2012, 06:27:37 PM, #9

Quote from: nelse87 on November 03, 2012, 06:25:19 PM
You can use it with litecoin addresses too (even though there's "btc" in the domain name). To be honest, you can use it with any string as there is no input validation. It just takes a string, does sha1 twice and makes an identicon from it.

Is it open source? If not - is there an API that other sites could provide the service as well through you?

FreeMoney (Legendary, Activity: 1246, Merit: 1011, Strength in numbers)
Re: btcaddr.me - Bitcoin Address Identicon, November 03, 2012, 11:40:41 PM, #12

This is interesting.

It seems it helps in cases where someone expects to be paying an address they have already paid, but the address has somehow been swapped out with the malicious one. If the site that was compromised is also serving the icon could that not also be swapped out for one that doesn't actually match? To guard against that the payer would need to personally check, is that what is intended?

Another solution that came to me (inspired by etotheipi) is to generate a visually distinctive address (etotheipi used an address with only capital letters). I think there are probably a lot of ways to make an address visually striking. Now that alone would not work because making another one that is striking in the same way would cost the same as the original on average, but if people remember the feel of the address plus the first 5 characters or so (which the original address producer can just let be random) then matching it would be about 58^5 times harder for an attacker.

What are some cheap but striking patterns?

An unusually high number of triplets? (1j4U666mJJJw3QD7gggrHHH2rynFEcAAA)
A lot of numbers?
No letters or numbers with curves?
Only capitals and numbers?

Fjordbit (Hero Member, Activity: 588, Merit: 500, firstbits.com/1kznfw)
Re: btcaddr.me - Bitcoin Address Identicon, November 04, 2012, 05:40:32 AM, #13

I think it could work as a browser plugin, where when you mouse over an address, you would see the identicon. This would allow the user to verify quickly, but not rely on the security of the site.