Instawallet introduces instant bitcoin payments (zero confirmations) (bitcoin.org)
34 points by gasull on July 30, 2011 | 24 comments



This is actually a special case of a general concept: specifying how much you trust particular addresses. Instawallet has just coined 'green address' as a nickname for an address that you will accept payments from instantly (0 confirmation), but what do you call an address for which you would prefer to see 1 or 2 confirmations (~10 or 20 minutes, respectively)?

If Bitcoin UIs allowed you to specify how much you trusted particular sending addresses (in terms of confirmation numbers), things like green addresses would fall out naturally. Also, providing these trust numbers is a great use case for a web-of-trust system.


I'd hope you wouldn't do business on just 1 confirmation. It'd be fairly easy to spoof.


Not particularly... an attacker with a rack of GPU filled machines will only find a valid block every 10 days or so, and blocks are valid for around 10 minutes on average: this is a relatively narrow window for double spending, and not an opportunity to waste on a small transaction.

There are other attacks that rely on the receiver being fenced off from the wider network, but those are even harder to coordinate.
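
An added worked example, not part of the thread: the attacker catch-up probability from the Bitcoin whitepaper (section 11), applied to the hash-rate share implied by the comment above (one block per 10 days against a 10-minute network interval). The function names are chosen here, and the share calculation assumes the 10-minute network interval already includes the attacker's hash rate.

```python
import math

def attacker_share(attacker_minutes_per_block, network_minutes_per_block=10.0):
    """Hash-rate share q implied by how often the attacker alone finds a block.
    Assumption: the network interval already includes the attacker's hash rate."""
    return network_minutes_per_block / attacker_minutes_per_block

def catch_up_probability(q, z):
    """Whitepaper section 11: chance that an attacker with share q ever
    overtakes the honest chain once the payment has z confirmations."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if q >= 0.5:
        return 1.0  # a majority attacker always catches up eventually
    p = 1.0 - q
    lam = z * q / p              # expected attacker blocks while honest nodes mine z
    prob = 1.0
    poisson = math.exp(-lam)     # Poisson pmf at k = 0
    for k in range(z + 1):
        # attacker has k blocks and must still make up a deficit of z - k
        prob -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)  # advance pmf to k + 1
    return prob

def confirmations_needed(q, max_risk=0.001, limit=1000):
    """Smallest confirmation count whose catch-up probability is below max_risk."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    raise ValueError("no confirmation count within limit meets max_risk")

if __name__ == "__main__":
    q = attacker_share(10 * 24 * 60)  # one block every 10 days
    for z in range(4):
        print(f"z={z}  P(catch up)={catch_up_probability(q, z):.7f}")
    print("confirmations for <0.1% risk:", confirmations_needed(q))
```

A receiver can use `confirmations_needed` to turn a per-sender risk tolerance into a confirmation count. The model gives probability 1 at zero confirmations, so instant acceptance rests entirely on trusting the sender.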


Would people be happy for banks to use the same security for your account? Because that's what people seem to be arguing when they say it's perfectly safe/secure. This is in regards to the obscure URL being the entry point to the account not to do with BC itself.


Cool to see this finally get implemented. Thanks Instawallet!


Yikes, no security except the obscurity of the address... I'm not sure I would be comfortable using that. I know the search space is huge (~10^28) but there are so many other implications.


Erm... that's the public part of a public-key pair. It's as secure as any other modern public-key crypto out there (plus or minus a few digits). Any transactions are signed.


No, in this case the problem is that the URL is essentially the private key!


You're missing something, but I'm not sure what... Addresses are always public knowledge, along with all transactions between them. Who owns the address, on the other hand, is usually not advertised: but in this case Instawallet is claiming and endorsing their address to allow for instant payments on your behalf.

I can't tell how this diminishes security, assuming the normal practice of using one-time receiving addresses is still used. EDIT: And assuming you are comfortable having a middleman like Instawallet involved.


Well just think, if your bank used the same security measures how would you feel about it?


After reading this and all of eli's posts below, I believe this is referring to the way Instawallet works, and not the "green address" system. But to both of you: WTF, be more specific. It sounds precisely like you're referring to the use of a single bitcoin address as being some horribly insecure concept, and somehow relating to a URL in a way that makes no sense.

Instawallet (appears like it) works by giving you a bitcoin address, and a unique URL which gives you access to send money from that address. From that perspective, I agree: horrible, horrible idea for safety purposes. Bookmarks rarely (ever?) have secure storage.


I'm not sure why my comment got downvoted so much, my point is if an obscure web address is the only line of security it is terrible, especially as they recommend you to bookmark the address in your tool bar. The point is it might look great and secure at first, all it takes is a small mistake from one of many angles and it's done for. Examples of mistakes, people posting their urls, people being tricked into posting their urls, shared computers with bookmarks, the webmaster accidentally installing a sitemap script which indexes them all etc.


I think it got voted down because it has nothing to do with the forum post. The post talks about a "green address" system, not their strange techniques for security, and your comment makes no distinction. I had no idea what you were talking about until a couple hours and several similarly-cryptic comments later, and going to Instawallet's site and seeing it for myself.


The address isn't obscure, it's right there.


A collision is a collision. If you are uncomfortable relying on the sender address you should be just as uncomfortable about an attacker taking over your own wallet.


You know what BitCoins themselves are too, right? Huge in this case is effectively infinite.


Yeah but URLs are not intended to secure data. They tend to leak out in unexpected ways.

Did you know Google will still index URLs prohibited by robots.txt if it finds a link to them (it just won't crawl them)?


Certainly, putting this URL on a page for other people to read is a very bad idea -- like tossing your (physical) wallet out your car window.

The intent of the URL is that you should bookmark it and otherwise keep it private.

Unless you know of some way for an attacker to get at the browser's bookmark list (which I'd be interested to know about; I'm certainly not enough of an expert to be sure that no such attack exists) then this seems fairly secure.


The tossing your physical wallet out the window analogies are tired and false. When does your wallet ever have thousands of dollars in it? Some naive BC users had huge % of their net worth in BC then got punished for it in various ways.


Did you mistakenly post this here? Why are you bringing up URLs?


The way the site works the URL is the password. The wallet is secured entirely via no one else knowing your URL string.


Why are you bringing up URLs? No one else knowing your URL string makes your wallet secure?


The parent comment was referring to the URL when he/she said "address". You obviously haven't actually tried the linked service.


I have tried the service and I also understand bitcoin to a certain extent. That is why I recognize that "address" in this context is not a URL but a bitcoin wallet ID or address.



