Should we make a move toward making checksummed hex addresses mandatory?(self.ethereum)submitted by Just some guyFor those not "in the know", when using tools in the Ethereum ecosystem now, you see addresses in two different forms: 0x3bb9557113fbb052dae3008a2801a072c432c018 And: 0x3bb9557113FBb052dAE3008A2801a072C432c018 The mixed-case addresses actually have meaning: the specific choice of whether to use a lowercase or uppercase letter is taken from the hash of the address, and this serves as a form of error detection - if you slip up and mistype a character, then it's overwhelmingly likely that the uppercase/lowercase choice for the remaining letters will become incorrect, and the address will be rejected.However, the error-detection benefits of checksumming are limited now, for two reasons.First, not all applications check checksums.Second, because some applications give you all-lowercase addresses, other applications have to accept them, and so the all-lowercase form is accepted as an alternate legitimate representation of any address.

This means that even users that do use checksummed addresses incur a higher risk of the checksum mechanism not catching a mistake.Discussion: should Ethereum clients and dapp developers make a push to make checksummed addresses mandatory?π Rendered by PID 12952 on app-281 at 2017-06-24 10:54:24.163149+00:00 running 3522178 country code: SG.Thomson Reuters BlockOne ID™ for Ethereum™ (hereafter referred to as BlockOne ID) is a user entitlement framework that allows blockchain developers to control which users can access their smart contracts.When your DApp uses BlockOne ID, only logged-in users may use your DApp to make changes to the blockchain.In other words, totally anonymous users who've just rocked up with a keypair and some Ether won't be able to (ab)use your DApp.User authentication is provided via federated OAuth 2.0 login (currently supporting Google, Facebook, Twitter)- but our plan is to partner with identity providers who can provide stronger guarantees of identity.BlockOne ID currently best supports: Thomson Reuters hosts a hierarchical deterministic wallet (based on eth-lightwallet).

It stores password-encrypted keys, and has recoverability features in case of password loss.It separates the accounts used by each DApp, and it has a web interface to manage the separate accounts (discover their public addresses, transfer Ether between them etc.).All transactions sent by your DApp are intercepted by BlockOne ID's signing hook, which pops up a browser window hosted from a Thomson Reuters domain where the user enters their wallet password, and the transaction is signed on the user's machine.At the smart contract level, the registration of your DApp with BlockOne ID causes the creation of an "entitlement contract" for your DApp.non-constant) methods in your contracts may call a query method on this entitlement contract (which checks that the account sending the transaction is registered to use that DApp) prior to allowing them to perform any changes to the blockchain.Hence, DApps are protected from malicious users because: Also, users are protected from malicious DApps because: This section will show you how to: In greater detail (steps 1 to 6): Visit the Developer page and sign in with your OAuth provider of choice.

This will be the login you'll use from now on to administer your DApp.Currently only a single login can administer a particular DApp.Click "Register New DApp", and fill out the form with: DApp name (for display purposes in the management UIs), The blockchain you are targeting (ropsten/rinkeby/norsborg) DApp ID (a globally unique ID for your DApp), in my case com.tr.roblh.testdapp1, Valid URLs for your DApp's web frontend (required by the OAuth federated login)- perhaps: a URL for when you host your DApp publically e.g.bitcoin difficulty history data/ a URL for running locally during development e.g http://localhost:4444/ - please do enter this exact value as it'll tie in with the example later Terms & conditions of use for your DApp, which will be displayed for all users when they first try to access it.bitcoin become a miner

Your form should end up looking something like this: Click "Register".This triggers the creation of an entitlement contract for your DApp on the blockchain.ethereal deutsch downloadClick the tick and you will see your DApp shown in the list: Initially this will be labelled "Pending" while your DApp's entitlement contract is being mined.ethereum smart contract codeThis label will disappear when the entitlement contract is ready to use.bitcoin linux minerBut, there's no need to sit and wait for it- let's continue.... Click the document button - up pops Solidity source code for a skeleton contract with bindings to your DApp's entitlement contract.litecoin miner test

You can base a new contract on this, or merge it with the source code of your existing contract(s).Paste the skeleton into a clean text editor and, to see BlockOne ID in action with a simple opinion poll DApp, make these additions to the skeleton code: Member variables (so there's something to edit) - just some uints Method to cast a vote, importantly using the entitledUsersOnly modifier blue = 0; red = 0; { (voteRed) { red++; } { blue++; } } This results in something like the following Solidity code (yours will be different since your DApp ID will be the one you chose when you registered your DApp): ``` pragma solidity ^0.4.2; contract EntitlementRegistry{function get(string _name)constant returns(address);function getOrThrow(string _name)constant returns(address);} contract Entitlement{function isEntitled(address _address)constant returns(bool);} EntitlementRegistry entitlementRegistry = EntitlementRegistry(); { entitlementRegistry.getOrThrow(); } modifier entitledUsersOnly { (!Entitlement(getEntitlement()).isEntitled(msg.sender)) ; _; } Next you need to provision your contract(s) to the blockchain.

This section details a working method to deploy a contract using the online Solidity compiler and a geth console.If you prefer to deploy contracts with an alternative toolchain (Truffle, Embark etc.)the following instructions will make clear what you need to do, so it's worth reading them anyway.Start a local geth node on the rinkeby network- follow the instructions here under "Connect Yourself" -> "Go Ethereum: Geth" Wait for your node to sync- if you haven't connected to rinkeby before, this will take a long time.Create a local account with which to provision your contract, and unlock it:> personal.()> personal.unlockAccount(eth.accounts[0],,0) Give the account some Ether by visiting a free test Ether faucet (such as the "Crypto Faucet" on rinkeby.io) Paste your Solidity code into the online Solidity compiler.Click the "Contract" tab, open the dropdown bar for your contract, click "Contract details" and copy the text from the "Web3 deploy" section: Leave the Solidity compiler window open for later Paste the text into your geth console (then remember to press enter after you've pasted to execute it).

When the Contract mined!line appears, take note of the contract address.Below is source code for a simple webapp to use the opinion poll contract.Obviously it's not a shining example of source code structure and reusability, but it captures the BlockOne ID integration points in a single file webapp, notably: N.B.Edit line 20 to contain your DApp's "unique ID" (rather than the example value).You'll find this value on your DApp listing on the Developer page.Edit line 23 to contain your deployed contract address (which you noted in the last step - you can copy it from the geth console; leave the geth console open for later)... and for when you're writing your own DApps.. N.B.Edit line 17 to contain your contract's ABI (from the Solidity compiler window "Interface" field).Aside: When a user logs in to your webapp, this leads to an OAuth 2.0 authentication workflow which, if successful, redirects the browser back to the URL it was called from./menu, this value must be present in your DApp's "DApp Redirect Urls" list.

You may ask it to call back to a different URL by adding a authServiceCallbackUrl option to the construction options for WalletBar (line 25); in which case, that specified URL must be present in your DApp's "DApp Redirect Urls" list.The requirement to specify precise URLs is an OAuth 2.0 rule.Hence slash-delimited sub-paths may be tricky to manage - you could pass any addressing information after a hash instead.Save the file somewhere as index.html.Host up the page locally, e.g.on OSX: /place/you/saved/the/index/html python -mSimpleHTTPServer 4444 As you can see it uses the port 4444 that we earlier specified in the DApp registration.Now hit http://localhost:4444/ in a browser: Log in with the button in the top right.You may wish to do this with a different login provider than the one you used to register the DApp.Create a wallet for the DApp as prompted.Read and accept the T&Cs of the Thomson Reuters hosted wallet and the T&Cs of your DApp.The "Activating Account" process is entitling your new account to use the DApp, which requires a blockchain transaction (slow on Rinkeby) so please be patient.

The window will close when your account is ready to use.Since you're on a test blockchain, and because we're nice, your new account will automatically be funded with 1 ether so you can transact with it straight away.Aside: To top up the balance on any of your BlockOne accounts, visit the BlockOne Wallet web page, and log in with the ID provider you just used.Click "Get Ether" next to the account you want to top up (to 1 ether).For more ether, you'll need to make your own arrangements.In the web app, click to vote blue and it sends the transaction, causing the signing window to pop up: Enter your wallet password and click "Confirm Transaction".After a while (Rinkeby is slow) you'll see the numbers update to reflect your vote.To test the negative case (transacting without entitlement), let's try voting from an account not managed by BlockOne ID.Fortunately the geth window you had open before has such an account.Let's try to vote for red with it: As you can see it returns an estimate of 50 million gas, which is an indicator that the transaction will throw (since even gas estimation runs the contract code locally, it just doesn't commit any results to the blockchain).

If you don't trust this result, you could just try to send the transaction: Keep an eye on the webapp, and observe that the red count doesn't change.In some cases it's inconvenient to have to manually sign every transaction using a popup, notably whilst testing your contracts.Each DApp has a test mode which, when enabled, considers all accounts to be entitled (whether or not they are from a BlockOne wallet).To try it, click "Turn Test Mode On" on your DApp's entry in the Developer page.Once the button un-greys, try the negative case again (see previous section).You'll see that the transaction gets mined to the blockchain and the vote is counted, even though it was sent by an account not managed by BlockOne ID.Remember to turn off test mode before you release your app.Since BlockOne ID is handling the user login process, each user session also gets an auth token (JWT) for your project.You can send this to a backend, for example, for storing / retrieving offchain data that needs to be associated with the logged-in user, or performing actions in the context of that user.

It can be used as follows: See an example implementation here, which extends the simple web app above with a notes box- notes are saved to a tiny node.js server that persists the notes for each user in a "database".The notes are retrieved on subsequent logins from the same user.You may wish to limit the list of login providers presented by your app.You can do this by setting authServiceProviders attribute in the WalletBar constructor options.If not specified, the default value is ['gplus', 'facebook', 'twitter'].If you specify only a single provider, there will be no drop-down menu (a click on "Sign In" will immediately pop up a login window for your specified provider) so click count for your app will be reduced.currently this doesn't prevent a user from logging into your app using a different provider (if they do a little bit of hacking to figure out how), it just limits the list you present.This will be addressed in a subsequent release, whereby your supported login providers would need to be defined in your DApp listing on the Developer page.

Let us know if you need this feature.There are some implementation details of BlockOne to be aware of: The hosted Web3 RPC ports we provide only permit requests that carry a valid BlockOne token.Our hooked web3 provider automatically injects this token onto all web3 requests your web app makes, so your web3 code is unaffected.However it's important to note that, as a result, it's not possible for your app to talk to our hosted Web3 RPCs until the user has logged in.To ensure this, wait for walletBar.applyHook to complete (as shown in the above sample web app) before you use the web3 instance.If your app requires login-free read access to the blockchain you'd need to run and manage your own Ethereum node with an open RPC port (and you can configure BlockOneID to point to it by setting priorityRpcs:['http://your-rpc-addr'] in the WalletBar constructor options), but be wary that open RPC ports are a security hole.The hooked web3 provider we provide has automatic reconnection functionality.

This allows us to upgrade our Ethereum nodes without any interruption of service of your running apps.We run multiple nodes, and will only upgrade one at a time, so one should always be reachable.In a situation where the underlying Ethereum node is unreachable (because we're upgrading it, or there's some other connectivity problem): Any asynchronous web3 calls your app makes will not complete until a successful reconnection has occurred, at which point they'll complete with the expected result.Any synchronous web3 calls you make will fail (but a reconnect will be triggered, so at some point soon further synchronous web3 calls will succeed with no further action on your part).But try not to use synchronous web3 calls since they block all Javascript execution (particularly bad in a browser environment where the entire UI hangs) It's important to note that, if you're using web3's watch functions, that these are stateful with respect to their backend - they rely on periodic polling with a handle that's only known to the specific node you were talking to when you set them up.

Obviously this is a problem if reconnection happens automatically beneath the visibility of your app code- any such handles you are using will be invalidated.Your calls would error due to a bad handle with "Error: filter not found...."-at that point it's your responsibility to re-issue the watch calls.If you happen to reconnect to a node with a different block height, your watchers may miss events.So it's important to check for events since the block of the last received event.Homestead support is our top priority.Since Homestead handles ether with real world value, we're currently undergoing a security review to ensure we deliver a trustworthy product.Proposed future improvements to the BlockOne ID product may include the following: Use of stronger identity providers (credit agencies, governments) "Bring-Your-Own-Wallet" - use of BlockOneID apps by other Ethereum wallets (obviously some degree of identity assurance would be lost since private keys would be out of Thomson Reuters' control) DApp developer experience: ability to see the users who are registered to use your DApp ability to see the transactions carried out by a selected user of your DApp ability to revoke access to your DApp by specific users ability to define and check roles - so certain users can carry out certain actions transaction signing provided by a browser plugin - this will allow transacting with a less disruptive user experience, or possibly transacting with no prompt transaction signing by a BlockOne ID mobile app - so you can release mobile versions of web apps These developments will be prioritised in response to demand, so please let us know how you would like to use BlockOne ID.

Do you have any feedback or have you encountered any problems?If so, please join the discussion at the BlockOne ID Gitter page.Why doesn't it run on Homestead?We're working on it, it's our top priority.Before we are comfortable handling "real" ether we are performing a full security review and other due diligence.What happened to Ropsten support?Ropsten is an unreliable mess after many spamming attacks so its use is not recommended.Rinkeby is a reliable replacement.Contact us if you need help migrating your Ropsten-based projects over to Rinkeby.What happened to Morden support?Morden was discontinued as a test platform.Ropsten was the replacement (but see above).Contact us if you need help migrating your Morden-based projects over to Ropsten/Rinkeby.Is this hosted wallet secure?Thomson Reuters servers never see the wallet mnemonic or user password, and we only ever store the pasword encrypted version of users' wallets.The wallet in its clear form is only in the memory of the user's browser while a transaction is being signed (or a wallet is being manipulated in the wallet web app).