5

I'm working on a project involving mining Bitcoins for charity. I'm writing my own miner, and though I may eventually set up my own pool for this purpose, for now I'm planning on using existing pools.

My question is: how can I set up the miner so that people can use it to mine toward my organization's Bitcoin address (if having a single address is even the right approach to take), without exposing this address to theft from anyone who reads the credentials from the miner's getwork requests? My understanding is that the HTTP Basic Auth used in getwork requests doesn't pass values in a safe way.

As is probably evident from this question, I'm generally pretty fuzzy on how wallets interact with payouts from mining pools and/or Bitcoins stored in accounts with said pools, so any explanation there would also be greatly appreciated.

Highly Irregular
  • 10,910
  • 6
  • 52
  • 102
ConstableJoe
  • 655
  • 2
  • 7
  • 14
  • 1
    I'm going to leave the work of answering to folks who know more about `getwork` requests and unsafe value passing, but I'll mention that there are plenty of pools (Eligius being the largest I'm aware of) that accept an address as the username and don't parse passwords at all, then pay out via generated transactions to those addresses. It would be easy to have others mine for a charity at such a pool - you could even mine coins for someone else's address without their permission or intervention as an odd form of tipping, no privkey necessary. – David Perry Nov 26 '12 at 05:55
  • I'm currently using Eligius in testing for just this reason, but I guess I don't quite understand what allows me to have access to the Bitcoins at a given address. Do I have to have a wallet for that address somewhere? Does that wallet have to be connected to the Internet? Currently I'm using the "to add Bitcoins, send to this address" address for my Mt.Gox account, but that address auto-changes each transaction. – ConstableJoe Nov 26 '12 at 13:40
  • Bitcoin is built around digital signing with split encryption keys. The address is just a hash of the public key, the private key is what allows you to spend coins at a given address. Mining is just doing work in exchange for coins sent to an address you specify and you can specify any address, even ones you don't control the private key for. If someone wanted to grab the donation address from my web site and mine on my behalf, they can do so without my permission or knowledge and the fact that only I have that private key means the account isn't compromised. – David Perry Nov 26 '12 at 17:55
  • [This](https://bailbloc.thenewinquiry.com/) might interest you. Code is in Github. – luchonacho Nov 15 '17 at 22:45
  • Very cool, @luchonacho! My own project, [Compute for Humanity](https://www.computeforhumanity.org), never really got enough interest to be viable. – ConstableJoe Nov 16 '17 at 13:39
  • Looks interesting! Why did it not pick up? – luchonacho Nov 16 '17 at 13:48
  • I think it was a combination of the fact that I was a bit too early for most people to have heard of Bitcoin, and at the time there weren't really any other examples of low-energy mining. So most people thought, "my computer can generate money? Seems like a scam," and people who understood cryptocurrencies thought, "mining uses up all your CPU and costs a ton in electrical bills, this isn't worth it," when neither of those were true. – ConstableJoe Nov 16 '17 at 14:07

1 Answers1

2

You can give someone the necessary credentials to mine on your behalf without them gaining access to the bitcoins. Pools don't use the worker passwords sent with getwork for logging into the website and controlling where coins are sent. They are used only for fetching work and delivering the results.

As you say, basic auth over unencrypted HTTP is already unsafe handling of the worker passwords. You have to assume that those passwords are compromised anyway.

I think the most damage someone can do is to overload a pool server using your worker credentials. I suppose this could get your account temporarily banned, but I'm sure a pool operator would be understanding in this case. I've never heard of anything like that happening either.

Dr.Haribo
  • 8,409
  • 10
  • 43
  • 62
  • Ah, didn't realize that worker passwords != login passwords, as it's been awhile since I've used a login-based pool. – ConstableJoe Nov 27 '12 at 19:20