Isn't this exploitable by forging a transaction? The way I thought the ecosystem worked was that bitcoin mining verified the authenticity of transactions of the page, thus creating the "confirmation". Couldn't a malicious party create a fraudulent transaction to namecheap if they aren't verifying that it's real?
Yep. It's only an issue if you are giving the buyer something irreversible.
It's essentially no greater risk than accepting credit cards; any buyer can do a chargeback and get their money back at a moment's notice, but it happens fairly infrequently and when it does happen, you just revoke their rights to the service and ban them if necessary.
As I understand it, in order to forge a transaction and construct a double-spend scenario, you have to have the ability to rapidly mine a bitcoin block, and then not submit it, thus forfeiting the 25BTC reward you'd normally get for the block. So, that type of fraud doesn't seem worth it unless you're scamming significantly more than the value of 25 BTC (currently close to $2500).
Which makes it fairly reasonable for a seller of $5-15 products that can be cancelled to take on that risk, since it's a lot less problematic and time-delayed than credit card chargebacks. "You'll gain high confidence within 10-40 minutes" seems preferable to "you might get a chargeback months later".
(Clarifying edit: I don't know if that's accurate for zero-confirmation double-spends; it's accurate for non-zero-confirmation double-spends.)
Not quite. The essence of a double-spend attack is creating two transactions spending the same bitcoin: one to the merchant (call it A) and one to another of your accounts (call it B). You send A to the merchant and secretly submit B to another node. A looks valid to the merchant, so they accept it.
Now it's basically a 50-50 chance of which transaction will make it into the ledger and which will be rejected as invalid because the input was already spent. If you have your own compute power, you can shift this, up to the extreme of having >50% of the total power, in which case you can guarantee B is accepted, since you can outmine any chain that includes A. However, there is no reason you would need to forfeit any reward if you personally mine the block with the transaction in it.
Confirmations shift the probabilities back towards the merchant, since no honest node will mine on a chain not already including A because the one including A is longer. In this case you must mine secretly on the chain including B until it exceeds the length of the chain including A. This absolutely requires more than 50% of the network compute power, since you must totally outmine the honest network. But again, if you can get the length of chain B up to the point where it exceeds chain A, the block rewards in chain B are yours and those in chain A are forfeit.
As I understand, if they wait 10-20 seconds and listen to the network to make sure no conflicting transaction is broadcast, the odds of a successful double spend drops to very very low.
This is complicated to answer in detail, but the short answer is "It is easier to make gold out of lead than forge a bitcoin transaction." Not sure where that quote originally came from.
