a) Is it against your bank's TOS to print out a webpage showing a proof-of-payment and handing it over to another party? If not, then why should this be different? You are not sharing your login-credentials.
b) Is it stupid to print out a proof-of-payment from your bank and use it as a proof-of-payment?

Maybe you don't understand that you can audit the software running on Amazon AWS?

murraypaul, did you see my post at the end of page 7? (you may have missed it because there were several posts at once). I made some points about TOS there.

Well no, it isn't exactly the same risk, is it?
A standard secured connection is a very well known and understood setup, which large companies do all the time.
You are talking about a brand new, untested, bespoke, security setup.
The risk of security failure in the latter is much higher than the former.


If your security setup was perfect, then in practice it might be as secure in practice.
It isn't exactly the same from the bank's point of view, because showing someone the statement doesn't involve any possiblity of compromising the security of your account, because it is a static bit of data. Accessing your account through someone else's system, where the bank cannot be confident that that system is secured, is not the same thing.
Showing them your bank statement would be the equivalent of emailing someone a screenshot of your online banking.


It would depend on the working of your particular bank's TOS.
I wouldn't be confident that there isn't some clause they could find that would cover this situation.

murraypaul's arguments all boil down to reputation-based security, but he then surrounds them in lots of other gumpf.

Reputation-based security is last decade.

I would like to invite those who follow this thread to take part in alpha testing.
Code-named "Paysty", is a set of tools which allow you to connect to your bank via an Amazon EC2 oracle and then select a statement page which you would like a third party to see.
With this alpha version of Paysty you don't give anything to any third party - the oracle sends your encrypted banking data back to you.  Paysty then acts as if it was the escrow and analyzes the encrypted data and lets you know whether it can find your HTML page in it.

Those who wish to participate, please PM me and I will give a key which serves as a passwords to get access to oracle. Otherwise you won't be able to use Paysty.

https://github.com/themighty1/ssllog/tree/alphatest
You can choose "Download ZIP" if you don't want to use git

Make sure that Firefox is installed on your system.

Windows users don't need any extra software - Paysty is bundled with Python, plink(console putty), stcppipe and wireshark tools.
Just run startPaysty.bat

Linux users will have to install Python (v2 variety), ssh, tshark, gcc.
On Ubuntu we just run Then just run "python buyer-oracle.py"

OSX: nothing yet, sorry.
------------------------------------

Copy the private key which will you receive from me into the file alphatest.txt in the root of the Paysty's installation.


Usage:

On the bottom panel of Paysty there are two input fields: Account number and Sum.
After you navigate to a specific transaction in your banking statement history, enter the Account number and sum exactly as they appear on the page.
After that Paysty will tell you whether your bank is compatible.


Once again let me re-emphasize all security related points:
1. The oracle is open source and serves as a proxy when you connect to your bank.
2. Even though the oracle is launched from my Amazon account, it is set up in such a way that I have no access to it. I can only terminate it at most. I can't see which IP address is connecting to which site via the oracle.
3. In this Alpha version, you don't share any page of your banking session with anyone, all your data is sent back to you for examination.

Whether successful, or otherwise, please let me know your testing results (PM or here), viz. your operating system, your bank's name/site.

Sorry Dan. I don't think the issue is lack of interest in the outcome. I did take a look at doing some testing for myself, but:

1) I've been out of time lately (that is, the time I have for Bitcoin is soaked up by other things)
2) I would be about to route an online banking session via a third party proxy, using a large pile of code not written by me

(2) implies before I'd be willing to take part in this, I'd want to verify everything for myself. The fact that this is possible is why your approach is powerful. However, that doesn't mean it's something I can squeeze into my lunch break.

What you might want to do is start a new thread, perhaps in this section or perhaps in the dev/tech section, outlining what is required. It will take a while until someone is able to fully verify that your setup does what you say it does. Once that is complete, it'll be easier to recruit beta testers. All I can suggest for now is raising the visibility of your important work, combined with patience ...

I just tested it for 2 banks.

For netbank.de it works just fine.
For sparkasse.de it doesn´t...

this is the last part of the log:


the amount I entered was 29,44, so.. not sure why it´s garbled in the log while the account no is fine

Edit: Ok, my fault (kinda)... I didn´t enter 29,44 but -29,44, as that was the way it was stated. Imho this should be processed either way.
So, entering 29,44 works for sparkasse.de, too.

Now maybe a stupid question... what exactly does this prove?
Is it a problem that, e.g. I can send a transaction to one of my own bank accounts and put the actual target account number (whom I´m supposed to pay) just in the comments field of the transaction? Paysty does find the actual target account number in the html but does it recognize that this is not the account number money is send to?

Yeah thanks, makes sense. I guess in the end there will always be some kind of trust required, even for technical people, unless they are willing and able to inspect the whole source code but in essence that´s equally applicable to using bitcoin itself. Making explicit what kind of information at which step is stored where and visible to whom and at which point in time is going to be crucial though.

Yes, I did take a quick look and the code seemed quite readable. It's just a matter of carving out a few hours to really get to grips with the code, and then trying it.

Hello I am keen to do some testing if you like.  I have downloaded and run the python script on my linux box, but I think I need a key from you?