Jeffrey Paul [ARCHIVE] on Nostr:
Original date posted: 2018-11-08
Original message:
> On Nov 7, 2018, at 13:28, Andreas Schildbach via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> Copying addresses to the clipboard should be discouraged, rather than
> supported.
>
> It is an inherently insecure mechanism. Regardless of the OS used, any
> application can monitor the clipboard for Bitcoin addresses and replace
> any address with their own, usually without any specific permission or
> confirmation by the user. Effectively this steals Bitcoins if the user
> doesn't compare addresses manually.
>
> This is a real risk, as this kind of malware has already been seen.

One can also make the argument that if the user's clipboard is able to be read/modified, then their working environment is already compromised and that the responsibility is already not upon specific application software, but the user or OS.

Down here in the real world, an application that does not support copying and pasting of addresses is not an application that is very useful (to say the least) to many people who want to manage their own wallet, though I understand your desire to avoid such. Perhaps offering alternatives such as supporting signed BIP70 payment requests is what you mean to do.

That said, I still think working around specific malware threats and vectors isn't the application's job, especially when doing so for a tiny, tiny fraction of users that have malware outweighs the needs of the 95%+ that need to support the "I have an address on my clipboard I need to pay" case.

Best,
-jp

--
Jeffrey Paul
+1 312 361 0355
+49 176 8058 2122 (signal)
Published at
2023-06-07 18:15:11