
Namecheap now accepts Bitcoin with zero confirmations - ted0
http://community.namecheap.com/blog/2013/07/15/bitcoin-zero-confirmation/
======
drcode
"Explain it like I'm Five"

All bitcoin transactions get written to a globally-shared ledger of
transactions that is maintained by the bitcoin network. Roughly every ten
minutes, a new page is added to the ledger that includes (most of) the latest
transactions. When your bitcoin transaction is added to this ledger, it is
called a "confirmation".

Accepting bitcoins with "zero confirmations" means that namecheap doesn't wait
~10 minutes before accepting your payment. Instead, they accept your
transaction as soon as it is widely broadcast over the network, which takes
only about a second after you send your money.

The danger, of course, is that the payment never makes it into this ledger,
which basically means the transaction is invalidated, and the money "was never
sent". This only happens in unusual circumstances (can't get into them all in
this short explanation) and is only a small risk.

~~~
teej
Isn't this exploitable by forging a transaction? The way I thought the
ecosystem worked was that bitcoin mining verified the authenticity of
transactions of the page, thus creating the "confirmation". Couldn't a
malicious party create a fraudulent transaction to namecheap if they aren't
verifying that it's real?

~~~
MichaelGG
Even if it was easy to forge, what's the point? As soon as it is clear that
it's not a valid transaction, they can just cancel your order.

~~~
meowface
Yep. It's only an issue if you are giving the buyer something irreversible.

It's essentially no greater risk than accepting credit cards; any buyer can do
a chargeback and get their money back at a moment's notice, but it happens
fairly infrequently and when it does happen, you just revoke their rights to
the service and ban them if necessary.

------
sehrope
This is a perfect use case for zero confirmation transactions. Less friction
for a legit customer and no real loss for the business if they need to roll
back the transaction if it doesn't confirm. The only risk[1] I can see for
Namecheap is the $.18 ICANN fee and that's assuming they're still on the hook
for it if they cancel the registration.

[1]: Besides currency conversion risk of Bitcoin -> USD of course.

~~~
larrys
"Namecheap is the $.18 ICANN fee "

Competitor to namecheap here. Nope not on the hook for either the ICANN fee or
the registry fee if done w/i 5 days.

Edit: for .com .org .net .info

------
untothebreach
Funny this got to the front page today - this morning I bought a domain name
from namecheap. First I tried to use my credit card. It was denied, for no
apparent reason as I keep it paid off. Then I used my debit card, and it went
through. However, later today BOTH my cards were temporarily suspended, and I
had to wait on hold twice to verify that, yes, I did authorize a payment to
namecheap.com.

Nothing else in my recent purchase history was out of the ordinary, which
makes me think that namecheap.com is just one of those entities that the CC
companies have flagged.

~~~
bdonlan
Sounds like the first denial was due to an automated fraud check with a false
positive. When that happens, it's a good idea to call your credit card company
right away - if it was such a fraud check, they can usually reactivate it
right away and whitelist the merchant you tried to buy from, allowing you to
retry the transaction - and more importantly, ensuring that your card isn't
suspended and later declined again at an inopportune time.

------
kyledrake
As an interesting note, I used the free Namecheap domain coupon I got at the
Bitcoin conference to register NeoCities.org. Thanks guys! Great service,
highly recommended.

~~~
lowglow
Wait! I didn't see this in my bag from the bitcoin conference! Argh...

~~~
ted0
Drop me a line and I'll make sure to hook you up! ted@namecheap.com

------
dllthomas
This certainly seems to make more sense in a case like this - where deployment
takes some time and the user is relying on continued service.

~~~
rdl
Plus domain registrars get to roll back transactions over 14 days, I think.

~~~
duskwuff
I think the limit is shorter these days (more like 2 or 3 days), and there's a
penalty for using it too often. Still plenty for these purposes, though.

~~~
subsystem
Five days as far as I know.

[http://www.icann.org/en/resources/registries/agp/agp-policy-...](http://www.icann.org/en/resources/registries/agp/agp-policy-17dec08-en.htm)

------
gesman
This could be done by everyone delivering service, rather than products.

~~~
dllthomas
Not really. If it's a situation where having the service for a brief period of
time is valuable, and which can be active before a double-spend would be
detected, you'll probably see as much fraud as for a physical good of a
similar value.

On the flip side, requiring confirmations before physically shipping a product
but not before beginning provisioning would likely be doable.

------
jotm
Who actually uses bitcoins and what for? Last time I checked, I couldn't buy
bitcoins with my Paypal account or credit card.

The only way I see it being useful is if I get paid for some hacking job or
botnet (then spend the money on Namecheap domain and hosting :-)...

What am I missing?

~~~
drcode
Well, you can go to my bookstore cointagion.com and buy lots of ebooks :-)

But yes, for the most part bitcoin is still a solution looking for a problem.
The three best candidates for large-scale future use are, in my opinion (1)
sending money overseas for employees/family (2) store of value in countries
with high inflation (3) some kind of business model, as yet undiscovered,
involving "reverse micropayments" (by which I mean micropayments involving few
buyers, many sellers)

------
geuis
I'd love to hear more about the decision trade-off they made. On the one hand,
you want to have a minimum of at least a handful of confirmations to verify
that the btc aren't being double-spent. This means a delay of several minutes
or longer. Alternatively, you can accept on faith with zero-confirmations that
the btc is legit.

In this case, it sounds like Namecheap decided the ease of use is economically
more valuable than the threat of being cheated. I like this line of thinking.

Further, it could be that it's not really a risk for Namecheap, because they
can reverse a domain name purchase afterwards if the btc payment is
fraudulent.

~~~
drcode
The latest I've heard is that an extremely sophisticated hacker can roll back*
a zero confirmation transaction in about one third of attempts... so long term
such a hacker could manage a 33% discount on purchases.

*Via a double spend attack with careful selection of peer connections and precise timing

~~~
nadaviv
I wouldn't usually worry about accepting zero confirmation transactions on a
website. Most digital orders are reversible and physical orders take some time
to process (packaging, shipping, etc).

However, with brick and mortar stores, 0-confirmation transactions are much
more problematic for the business. The customer could be long gone with your
product by the time you notice the double-spend. OTOH, the 10-minute delay is
also much more problematic for the customer with physical stores (imagine a
customer having to wait for 10 minutes to buy a pack of gum).

One interesting solution for making zero-confirmations safer to accept is
fidelity bonds [1], where you would "sacrifice" some Bitcoins from your
address, a sort of "safe deposit" that you never get back. From that point on,
until that address is seen to commit a double-spend, merchants can accept
zero-confirmation payments from it knowing that attempting to double-spend
would make the customer's initial deposit invalidated. As long as the deposit
is larger than the transaction amount, it'll make double-spending
unprofitable.

Edit: Another interesting aspect is that fidelity bonds can also be used to
make other kinds of fraud unprofitable, not only double-spending. However,
while it's easy to determine when a user committed a double-spend attack (just
show two signed transactions paying the same coins to two different places),
it's not that straightforward to prove other kinds of fraud.

[1]
[https://en.bitcoin.it/wiki/Fidelity_bonds#Financial_Services](https://en.bitcoin.it/wiki/Fidelity_bonds#Financial_Services)

~~~
drcode
Fidelity bonds are interesting, but it seems to me there are a couple of
alternative solutions that are much easier to understand and hence more likely
to get traction. One would be to rely on green addresses (downside: requires
third party trust) and another is to simply sniff the bitcoin network for an
additional small time window looking for suspicious double spend attempts
(downside: not 100% effective)

However, I suspect you understand these issues better than I, so I'd love to
hear your input on these alternatives and why you think Fidelity bonds are the
most likely solution that will be adopted.
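The network-watching approach mentioned above, combined with the thread's point that only reversible orders are cheap to accept unconfirmed, can be sketched as follows. This is an added example, not code from any commenter or from Namecheap; the `Tx` record, the `decide` states and the 10-second window are assumptions, and the transactions are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset      # outpoints spent, as (previous txid, output index)
    first_seen: float      # local time the transaction was first relayed to us

def find_conflicts(payment, mempool):
    """Transactions that spend at least one outpoint the payment also spends."""
    return [t for t in mempool
            if t.txid != payment.txid and t.inputs & payment.inputs]

def decide(payment, mempool, now, confirmations, reversible, window=10.0):
    """Merchant decision for one order: 'accept', 'watch' or 'require_confirmation'.

    window is the extra listening time in seconds (hypothetical default).
    """
    if confirmations >= 1:
        return "accept"                      # payment is in the ledger
    if find_conflicts(payment, mempool):
        return "require_confirmation"        # double-spend attempt observed
    if not reversible:
        return "require_confirmation"        # goods cannot be taken back
    if now - payment.first_seen < window:
        return "watch"                       # keep listening before provisioning
    return "accept"                          # reversible order, quiet window

# Constructed sample data; txids and outpoints are placeholders, not real transactions.
COIN = ("aa" * 32, 0)
PAYMENT = Tx("payment-tx", frozenset({COIN}), first_seen=0.0)
UNRELATED = Tx("other-tx", frozenset({("bb" * 32, 1)}), first_seen=1.0)
DOUBLE_SPEND = Tx("conflict-tx", frozenset({COIN}), first_seen=3.0)

if __name__ == "__main__":
    quiet = [PAYMENT, UNRELATED]
    print(decide(PAYMENT, quiet, now=2.0, confirmations=0, reversible=True))
    print(decide(PAYMENT, quiet, now=12.0, confirmations=0, reversible=True))
    print(decide(PAYMENT, quiet + [DOUBLE_SPEND], 12.0, 0, True))
    print(decide(PAYMENT, quiet, now=12.0, confirmations=0, reversible=False))
```

A node only sees what its peers relay, so a quiet window lowers the risk without removing it, which is the "not 100% effective" downside named above.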

~~~
petertodd
The most interesting alternative solution right now to make zero-confirmation
transaction safe is rather counter-intuitive:

"However we can make zero-confirmation transactions safe without complex
trusted identity systems, ironically by making it easier to double-spend. If
we implement replace-by-fee nodes will always forward the transaction with the
highest overall fee (including parents) even if it would double-spend a
previous transaction. At first glance this appears to make double-spending
trivial and zero-confirmation transactions useless, but in fact it enables a
powerful counter-measure to an attempted double-spend: the merchant who was
ripped off creates a subsequent transaction sending 100% of the funds to
mining fees. All replace-by-fee miners will mine that transaction, rather than
the one sending the funds back to the fraudster, and there is nothing the
fraudster can do about it other than hope they get lucky and someone mines
their double-spend before they hear about the counter spend. The transaction
can also be constructed such that the payee pays slightly more in advance,
with the merchant refunding the extra amount once the transaction confirms, to
ensure that a double-spend will result in a net loss for the fraudster." -
[https://bitcointalk.org/index.php?topic=251233.msg2669189#ms...](https://bitcointalk.org/index.php?topic=251233.msg2669189#msg2669189)

In English, if you want to reverse a transaction, i.e. cancel a payment, the
most you can steal from the person you paid is the value of the transaction
itself. But if we implement a system where you can change a transaction after
the fact, sending more of the fees to miners, the merchant can always outbid
you, so it's almost impossible to actually get away with the theft and gain
anything. You'll still pay for whatever you stole, thus turning what was a
profitable attack into an unprofitable attack that at best is simple
vandalism. Namecheap isn't going to care much if a thief lost $10 when their
loss was at most a $0.17 registrar fee.

Disclaimer: I'm working on implementing this feature in Bitcoin, although it's
John Dillon's idea.

------
ticklishconcept
Maybe I'm missing something, but I do not believe there is a possibility of a
double spend with the way NameCheap has set up their payment.

To pay with Bitcoin, you have to send BTC to your Namecheap account (which is
done through BitPay), and wait for 6 confirmations (1 hour). They say "Funds
will be added to your account within one hour after payment is confirmed. On
very rare occasions, it may take up to 24 hours for the funds to be credited."

After that point, you can buy domain names with zero confirmations, but there
is no risk at this point, because it is Namecheap account credit.

~~~
drcode
If you were right, then that would not be an example of zero confirmations.

I suspect you found old text that they need to update.

~~~
ticklishconcept
I just bought a domain on namecheap.com with Bitcoin to test it out, and I had
to wait an hour for the confirmation.

------
mikemoka
Could the rise of anonymous and distributed services using bitcoin be the
answer of people exasperated by government surveillance?

~~~
drcode
Bitcoin, from its inception, has had deep ties with radical libertarianism.
Suspicion of the government is the raison d'être of bitcoin.

(though of course the software itself is completely ideologically neutral)

------
VMG
Nice to read this. The experience with paying with BTC last time I tried
was less than pleasant - I had to wait about an hour until the funds appeared.

~~~
drcode
I hate to disappoint you, but the mainstream user experience of bitcoin
remains a clusterf**k. Things are slowly improving though (new payment
protocol, hardware wallets, zero-conf transactions, lightweight wallets,
deterministic wallets, etc.)

------
RKearney
After Namecheap shut down imgur by changing their nameservers without the
owner's consent, I'm wary to give them another shot.

~~~
jafaku
Why did they do that?

~~~
RKearney
[https://news.ycombinator.com/item?id=5276648](https://news.ycombinator.com/item?id=5276648)

Long story short it was alleged there was child pornography hosted on imgur.
Namecheap took it upon themselves to "Block the domain for abuse" because the
owner of the domain didn't reply in a time frame Namecheap deemed appropriate.
Since Namecheap neither hosts, nor transmits any of the content on Imgur, it
was very troublesome to hear they would shut down someone's domain by their own
hand, with no involvement, nor request from law enforcement.

> I'm the CEO of Namecheap here. Just want to let you all know
> that I am personally looking into this. The domain was taken
> down by an overzealous abuse team member who had no knowledge
> of who imgur was. Although we did send 6 separate emails over
> the last week, it should have still been escalated. I am
> reviewing our policy to see how we can avoid this type of
> situation further in the future. To the folks at IMGUR, I want
> to sincerely apologize for this situation and the extreme
> inconvenience this has caused you. If you can connect me with
> someone in your company. I'd like to give you a personal call
> and discuss the matter further.
>
> -Rick Kirkendall - CEO

I just don't feel comfortable leaving my domain name in the hands of a lone abuse
department team member that can evidently change any domain's nameservers
without any approval or oversight.

Additionally, the new nameservers Namecheap picked had a 48 hour TTL, meaning
the website was potentially down for 2 days for some people.

~~~
mseebach
You're holding them to an unreasonable standard here, IMO. They've got "cheap"
in their name - you can't have your cake (dirt cheap product) and eat it too
(perfect service and procedures).

The profound apology and promise of fixing the procedure is already above and
beyond what anyone (again, IMO) has a right to expect from a vendor of a _$4
product_.

------
plg
They don't need confirmation, they can find you without it if they need to
(and so can the NSA)

