📅 Original date posted:2019-01-02
📝 Original message:
ZmnSCPxj schreef op wo 02-01-2019 om 13:02 [+0000]:
> I wonder however if this is a "small enough" hole that leaving it is
> an acknowledged security vulnerability may be better than replacing
> it with a trusted third party.
> One may compare with the SSH "trust the first pubkey, verify the
> second onwards" weakness, to SSL "trust the certificate authority to
> say whose pubkey is whose".
SSH's problem (non-authenticated initial key exchange) is small,
because there is a very small time window for an attack, and an
attacker has to place itself in the route *and* stay in the route to
not be detected later.
SSL's problem (trusted third parties for key authentication) is big,
because each website only uses a single certificate issuer, so you need
to trust every certificate issuer to be able to visit every website,
even the more questionable certificate issuers; the combined security
is as strong as the weakest certificate issuer.
Route Makers (RM) (maybe I should change that name) are not a big
problem, because, unlike websites, OMs and OTs are very fungible
towards each other, especially on popular asset pairs: it's not a big
deal if you lose, say, 10% of potential trading partners because you
don't want to use a certain RM. Also, a single attack by a RM is not
typically a big deal, and it is easily detectable. False positives are
possible though (both accidental and deliberate), so you might want to
suspend a RM after abuse detection for a while, and then give it
another chance after some time.
> The hop node just before the RM can provide proof that it offered an
> HTLC and the RM allowed the HTLC offer to be made.
> It can provide a commitment transaction signed by itself and the RM,
> with that commitment transaction containing the HTLC in question.
> This is proof that the RM *could* pull the HTLC, but did not do so
> quickly enough.
>
> Since RM nodes are publicly known, perhaps we can make a different
> routing from S to RM, one that reveals (to hop nodes) their distance
> to RM, but not to S.
> RM nodes provide a service to the network and we can argue that the
> loss of their privacy here is acceptable, as long as the payee S is
> still able to keep its privacy, as an acceptable cost to ensuring
> that RM behaves honestly.
>
> If the just-before-last node (let us call this G or "guard" node) can
> monitor the time that RM pulls the HTLC, then it can provide proof
> that RM had the ability to pull the HTLC but did not do so.
This, and the rest of your proposal, sounds like a lot of trouble,
while it hardly solves anything.
RM can have its node surrounded by other nodes also controlled by
itself. So it is possible that RM controls all nodes that can possibly
fulfill the 'G' role, and thereby stop any evidence being generated
against the RM node. If you then want to build evidence against the G
nodes, you end up recursively involving every single Lightning node in
trying to solve your problem. Maybe it is possible, but I'd like not to
do that. I like to see the exchange function as a higher layer (layer
3) on top of the Lightning layer, and have each layer solve its own
problems in a clean and elegant way. I prefer that nodes that aren't
involved in exchanging assets don't need to deal with its complexities
either.
CJP
CJP [ARCHIVE] /
npub13q…cuzdm
2023-06-09 12:53:42
in reply to nevent1q…20dn
Author Public Key
npub13q863scgpsaanrjhfn7dd4h48lgnupgkcs828arzj4pckrq8hh6s4cuzdmPublished at
2023-06-09 12:53:42Event JSON
{
"id": "7813922ad8b171bb79cdae8a0497a808912e1e6bbed67cd48abac44a8858b44b",
"pubkey": "880fa8c3080c3bd98e574cfcd6d6f53fd13e0516c40ea3f46295438b0c07bdf5",
"created_at": 1686315222,
"kind": 1,
"tags": [
[
"e",
"ca4ba408a7f58042d7f13af4ffdac9ce35c46314a12c4b25cf60835498578c43",
"",
"root"
],
[
"e",
"d35bd633cb03b15f0656ec6cf612f5a2d434d043a48d2a378f42c73a01b00a18",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2019-01-02\n📝 Original message:\nZmnSCPxj schreef op wo 02-01-2019 om 13:02 [+0000]:\n\u003e I wonder however if this is a \"small enough\" hole that leaving it is\n\u003e an acknowledged security vulnerability may be better than replacing\n\u003e it with a trusted third party.\n\u003e One may compare with the SSH \"trust the first pubkey, verify the\n\u003e second onwards\" weakness, to SSL \"trust the certificate authority to\n\u003e say whose pubkey is whose\".\n\nSSH's problem (non-authenticated initial key exchange) is small,\nbecause there is a very small time window for an attack, and an\nattacker has to place itself in the route *and* stay in the route to\nnot be detected later.\n\nSSL's problem (trusted third parties for key authentication) is big,\nbecause each website only uses a single certificate issuer, so you need\nto trust every certificate issuer to be able to visit every website,\neven the more questionable certificate issuers; the combined security\nis as strong as the weakest certificate issuer.\n\nRoute Makers (RM) (maybe I should change that name) are not a big\nproblem, because, unlike websites, OMs and OTs are very fungible\ntowards each other, especially on popular asset pairs: it's not a big\ndeal if you lose, say, 10% of potential trading partners because you\ndon't want to use a certain RM. Also, a single attack by a RM is not\ntypically a big deal, and it is easily detectable. False positives are\npossible though (both accidental and deliberate), so you might want to\nsuspend a RM after abuse detection for a while, and then give it\nanother chance after some time.\n\n\u003e The hop node just before the RM can provide proof that it offered an\n\u003e HTLC and the RM allowed the HTLC offer to be made.\n\u003e It can provide a commitment transaction signed by itself and the RM,\n\u003e with that commitment transaction containing the HTLC in question.\n\u003e This is proof that the RM *could* pull the HTLC, but did not do so\n\u003e quickly enough.\n\u003e \n\u003e Since RM nodes are publicly known, perhaps we can make a different\n\u003e routing from S to RM, one that reveals (to hop nodes) their distance\n\u003e to RM, but not to S.\n\u003e RM nodes provide a service to the network and we can argue that the\n\u003e loss of their privacy here is acceptable, as long as the payee S is\n\u003e still able to keep its privacy, as an acceptable cost to ensuring\n\u003e that RM behaves honestly.\n\u003e \n\u003e If the just-before-last node (let us call this G or \"guard\" node) can\n\u003e monitor the time that RM pulls the HTLC, then it can provide proof\n\u003e that RM had the ability to pull the HTLC but did not do so.\n\nThis, and the rest of your proposal, sounds like a lot of trouble,\nwhile it hardly solves anything.\n\nRM can have its node surrounded by other nodes also controlled by\nitself. So it is possible that RM controls all nodes that can possibly\nfulfill the 'G' role, and thereby stop any evidence being generated\nagainst the RM node. If you then want to build evidence against the G\nnodes, you end up recursively involving every single Lightning node in\ntrying to solve your problem. Maybe it is possible, but I'd like not to\ndo that. I like to see the exchange function as a higher layer (layer\n3) on top of the Lightning layer, and have each layer solve its own\nproblems in a clean and elegant way. I prefer that nodes that aren't\ninvolved in exchanging assets don't need to deal with its complexities\neither.\n\nCJP",
"sig": "6e028492240f26232a05e0d7492bb63cb85fd36a8668d888126057068b1f9d22b9e7c3ed60b332c718ef4b8dfcd62e4de9bc6bb2064d231d946dcdfedd8644f0"
}