Add Inputs.io web client

[gladoscc]

Inputs.io is a web wallet that provides many features and security measures:

• Off chain transactions network
• On page payment buttons (https://inputs.io/button) - pay Bitcoin on another site, without leaving the page.
• IP based authorization - email sent when you sign in from new location
• Google Auth 2 factor
• GPG keysigning auth
• Automatic Tor/Proxies block if your account wasn't registered using anonymous proxies.
• Sending limits
• Free & automatic mixing
• Email notifications of payments sent and received
• Desktop notifications if supported by browser
• SSLLabs A+ score
• Pending audit page which provides cryptographic proof of no fractional reserve banking
• Responsive mobile version
• Bitcoin Foundation Silver Member

Inputs.io has transferred 82,000 BTC already, and quite a few sites support Inputs already.

[saivann]

Cannot see who owns inputs.io, and for this reason, I see zero recourse a user could have in case of theft or failures.

TradeFortress seems to be respected and have done a good job with inputs.io in general. But shouldn't we at least ask for business owners not to operate them anonymously in order to be listed on bitcoin.org? Web wallets have a complete control of their users bitcoins and with this control comes a lot of responsability.

I also have not seen much good (or bad) feedback from users so far. Except this self-moderated thread:
https://bitcointalk.org/index.php?topic=248815.0

[luke-jr]

I concur with responsibility.

BitcoinTalk is poorly moderated and full of trolls, so self-moderation is really the only practical way to have a decent thread on there. I wouldn't hold that against them.

[gladoscc]

I definitely agree with the responsibility, as a significant amount of web wallets turn out to be scams - intentional or not (for example, due to hacks, thefts, or regulatory action). However, anonymity is not a preclude to trustworthyness - there's a few noteworthy examples: John K, Dread Pirate Roberts, and friedcat who has a significant role in a virtual bitcoin company with a market cap of more than a million BTC. You can't google their identity.

I'm not completely anonymous either - people who have a reason to know my identity (for example, exchanges doing AML/CTF), or trustworthy stores do know who I am, and I'm sure that'll be released if I turn out to be a scam. If you want to know why I don't publicly advertise my identity, take a look at Avalon's recent update, or BTCGARDEN.

Addressing the issue of intentional scamming, I have been part of the Bitcoin community since 2011 - search for my email, admin@glados.cc in the leaked Gox DB. I run CoinLenders and BTCINVEST, but more importantly many Bitcoin sites can tell that I have responsibly disclosed serious security vulnerabilities instead of abusing them on major websites. I have also worked on Blockchain.info's Chrome Extension, and it's technically plausible for me to sneak something into the code and I've also worked on Terrawallet (alt coin web wallet).

Regarding hacks and unintentional scamming: Inputs stores most coins in cold storage and CL nor Inputs has not been hacked before. This cannot be said for many other Bitcoin sites (I will not name specific examples here).

Making a decision based on one boolean isn't a good idea. I suggest looking into the amount of people who have had unsolved problems or concerns with Inputs. When you do things right, you don't steer up much fuss.

If you have a forum account, take a look at this page https://bitcointalk.org/index.php?action=trust;u=67058

I'm happy to address any other concerns you have. I also think it is better for Bitcoin for there to be more independent wallet providers - which makes it difficult for one network to "take over" Bitcoin. Having a more divided market share also reduces the impact if one falls.

[gladoscc]

Any update?

To give you an antidote of how much we value security, as soon as we were notified of a phishing site that was designed to steal Inputs credentials we implemented a script that would generate and submit false data to the phisher. This change has been deployed to Inputs, so the log collected by the phisher is nearly totally worthless due to the large volume of fake sign in requests (from real Inputs user IPs), and the sign in throttling.

[saivann]

Yes, I agree that inputs.io seems to have a clear past from what I've seen so far and I've recognized that.

This however doesn't dissipate my concern that if anything goes wrong for any reason, your users have zero recourse, even if you are reducing that risk by following good security practices. While I respect and I understand the reasons why you choose to stay anonymous, adding a web wallet on bitcoin.org in these conditions isn't something I think I can give myself the right to do.

So with all the respect I owe you for everything you do for Bitcoin, I am closing this pull request right now until this issue can be resolved.