Re: open source wallet -- protip launched

Hi,

I am Chris from ProTip. Thanks for the comments everyone.

Timothy: this is one of the first things we were concerned about and would
love any feedback and suggestions on how to mitigate or eliminate this
attack vector altogether.

Obviously, while the app is not very well known, it's not an issue, but the
last thing we want is to get popular only to create lots of spam and I
cannot think of a better forum than this to help.

The way the app works at the moment is pretty good at preventing the user
from accidentally paying someone because auto-payment is OFF by default.
ProTip only selects the first address it finds on the page and then the
user is reminded to make a batch payment to the top 10 list of websites
that they visited that week.

That top 10 list is curated based on the time they spent on the page while
that window was in focus.

When browsing the user is given the opportunity to un-tick the address or
they can simply click on the ProTip icon in the browser menu and click the
'X' ignore button next to the domain.

They can also choose to ignore:

1. bitcoin addresses,
2. top level domains or
3. directories of domains (e.g. Twitter notifications page but not the
"People You Follow" url: https://twitter.com/mentions?filter=following)

Some websites like block explorers and exchanges have already been
blacklisted since we felt it's pretty obvious a user won't want to tip
these sites but they can easily tick an address when they see it if they so
choose to.

We haven't seen it happen yet but the best place to test this out would be
bitcointalk forum and r/bitcoin where people frequently post addresses.

I like Greg's suggestion of whitelisting. We had a similar idea where for
certain popular domains like YouTube the app would behave differently,
ignoring the comments sections for example.

Other things we have considered are linking it to keybase.io and onename so
that only validated bitcoin addresses are paid.

Another option would be giving the user the ability to decide whether the
app is opt in or opt out by default when they first install it.

Lastly for webmasters we have the metatag:
<meta name="microtip" content="1bitcoinadress" data-currency="btc">

This goes in the header and overrides any bitcoin address found anywhere
else on the page. We have also considered putting more syntax in there so
that they can customise how ProTip behaves when a user comes on to their
site. It could be a good feature for forums where whitelisted users could
be given the ability to put some microsyntax in the designated areas that
ProTip could then augment into a fancy button like the "Like" button for
example.

Anyway thanks again for taking the time to read this. We are just a small
team trying to have a little impact and I appreciate any help and
suggestions.

On Fri, Sep 25, 2015 at 2:28 AM, Tao Effect <contact@taoeffect.com> wrote:

> Chris (from ProTip) just subscribed to this mailing list so that he can
> chime in.
>
> Since new subscribers cannot reply to threads they haven’t seen, I’m
> replying to myself as a courtesy to him so that his response will continue
> as part of this thread (and will appear in the appropriate place on the web
> archives).
>
> (He also said he might respond tomorrow as it’s late where he is now.)
>
> Cheers!
> Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with
> the NSA.
>
> On Sep 24, 2015, at 6:12 PM, Tao Effect <contact@taoeffect.com> wrote:
>
> First thing to do, would probably be to leave your Bitcoin address in
> comment fields on webpages?
>
>
> Heh, that’s a great point. :) I sent them a tweet asking for them to
> comment on this attack.
>
> If it were me, I would handle it by creating a whitelist to detect content
> areas in popular blogs/websites. Blacklists are easy to circumvent.
>
> cheers,
> greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with
> the NSA.
>
> On Sep 24, 2015, at 5:57 PM, Timothy Holborn <timothy.holborn@gmail.com>
> wrote:
>
> First thing to do, would probably be to leave your Bitcoin address in
> comment fields on webpages?
>
> On Fri, 25 Sep 2015 at 10:10 am, Tao Effect <contact@taoeffect.com> wrote:
>
>> this is actually a really cool project that deserves a bit more
>> description.
>>
>> it’s a browser extension + bitcoin wallet that scans web pages for
>> bitcoin addresses and automatically tips them based on your frequency of
>> visiting (and this is all customizable).
>>
>> So you fill it with like $5 worth of bitcoin and it distributes it across
>> websites automatically, making it possible to tip any sort of content (blogs,
>> youtube videos, etc.).
>>
>> i supported their crowd fund, and i can vouch for integrity of the people
>> behind this project.
>>
>> cheers,
>> greg slepak
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with
>> the NSA.
>>
>> On Sep 24, 2015, at 5:03 PM, Melvin Carvalho <melvincarvalho@gmail.com>
>> wrote:
>>
>> Help people be rewarded for doing what they love.
>> http://protip.is/
>>
>>
>>
>
>

Received on Friday, 25 September 2015 20:41:17 UTC
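
The address-selection order discussed in this thread (the microtip metatag in the header overrides everything, a per-domain content-area whitelist comes next, and "first address on the page" is the fallback), as an added example that is not ProTip's code and not written by anyone in the thread. The CONTENT_AREAS table, the function names and the sample addresses are assumptions made for illustration; regex scanning of an HTML string stands in for DOM access, and address checksums are not verified.

```javascript
// Added illustration, not ProTip's source. Regex scanning stands in for DOM access.
const ADDR = '[13][1-9A-HJ-NP-Za-km-z]{25,34}'; // legacy address syntax only; checksum NOT verified
const FIND_ADDR = new RegExp(`\\b${ADDR}\\b`);
const WHOLE_ADDR = new RegExp(`^${ADDR}$`);

// Hypothetical whitelist: markers that delimit the author's content area per domain.
const CONTENT_AREAS = {
  'blog.example': { open: '<article>', close: '</article>' },
};

// Read one attribute from a single tag string (double-quoted values only).
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`, 'i'));
  return m ? m[1] : null;
}

// Address declared by the webmaster via <meta name="microtip"> inside <head>, or null.
function metaTagAddress(html) {
  const head = (html.match(/<head\b[^>]*>([\s\S]*?)<\/head>/i) || [])[1] || '';
  for (const tag of head.match(/<meta\b[^>]*>/gi) || []) {
    const value = attr(tag, 'content') || '';
    if (attr(tag, 'name') === 'microtip' && attr(tag, 'data-currency') === 'btc'
        && WHOLE_ADDR.test(value)) return value;
  }
  return null;
}

// Decide which address, if any, the page may offer for tipping, and record why.
function resolveTipAddress(domain, html) {
  const declared = metaTagAddress(html);
  if (declared) return { address: declared, source: 'meta' };

  const area = CONTENT_AREAS[domain];
  if (area) { // whitelisted layout: text outside the content area is never scanned
    const start = html.indexOf(area.open);
    const end = html.indexOf(area.close, start + 1);
    const content = start >= 0 && end > start ? html.slice(start, end) : '';
    const inArea = content.match(FIND_ADDR);
    return { address: inArea ? inArea[0] : null, source: 'content-area' };
  }
  const first = html.match(FIND_ADDR); // fallback: the behaviour described in the post
  return { address: first ? first[0] : null, source: 'first-on-page' };
}

// Constructed sample data: address-shaped strings, not real addresses.
const AUTHOR = '1Author' + 'x'.repeat(27);
const SPAM = '1Spam' + 'y'.repeat(29);
const META = '1Meta' + 'z'.repeat(29);
const COMMENT_FIRST = `<div class="comments">${SPAM}</div><article>Tips: ${AUTHOR}</article>`;
```

The returned source value lets the caller treat a 'first-on-page' result differently from a 'meta' or 'content-area' one, for example by leaving it un-ticked until the user confirms it.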