2023-06-07 18:06:28

📅 Original date posted:2017-09-28
📝 Original message: On Thu, Sep 28, 2017 at 03:43:05PM +0300, Sjors Provoost via bitcoin-dev wrote:
> Andreas Schildbach wrote:
> > This feels redundant to me; the payment protocol already has an
> > expiration time.
>
> The BIP-70 payment protocol has significant overhead and most importantly requires back and forth. Emailing a bitcoin address or printing it on an invoice is much easier, so I would expect people to keep doing that.

The BIP-70 payment protocol used via BIP-72 URIs is insecure, as payment QR
codes don't cryptographically commit to the identity of the merchant, which
means a MITM attacker can redirect the payment if they can obtain an SSL cert
that the wallet accepts.

For example, if I have a wallet on my phone and go to pay a
merchant, a BIP-72 URI will look like the following (1):

bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe

A wallet following the BIP-72 standard will "ignore the bitcoin
address/amount/label/message in the URI and instead fetch a PaymentRequest
message and then follow the payment protocol, as described in BIP 70."

So my phone will make a second connection - likely on a second network with a
totally different set of MITM attackers - to https://merchant.com.

In short, while my browser may have gotten the correct URL with the correct
Bitcoin address, by using the payment protocol my wallet is discarding that
information and giving MITM attackers a second chance at redirecting my payment
to them. That wallet is also likely using an off-the-shelf SSL library, with
nothing other than an infrequently updated set of root certificates to use to
verify the certificate; your browser has access to a whole host of better
technologies, such as HSTS pinning, certificate transparency, and frequently
updated root certificate lists with proper revocation (see Symantec).

As an ad-hoc, unstandardized extension, Android Wallet for Bitcoin at least
supports an h= parameter with a hash commitment to what the payment request
should be, and will reject the MITM attacker if that hash doesn't match. But
that's not actually in the standard itself, and as far as I can tell has never
been made into a BIP.

As-is, BIP-72 is very dangerous and should be deprecated, with a new BIP made
to replace it.

1) As an aside, it's absolutely hilarious that this URL taken straight from
BIP-72 has the merchant using PHP, given its truly terrible track record for
security.

--
https://petertodd.org 'peter'[:-1]@petertodd.org
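The check described in the message above, as an added example that is not part of the original post or of any wallet's code: a wallet parses the BIP-72 URI, and accepts the fetched PaymentRequest only if a hash commitment in the URI matches it. The hash encoding (hex SHA-256 over the PaymentRequest bytes, carried in a top-level h= parameter) and the sample request bodies are assumptions constructed for the example; the message names the h= idea but not its encoding.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

def parse_bip72_uri(uri: str):
    """Split a bitcoin: URI into (address, params). Values are URL-decoded,
    so the merchant's own '?h%3D...' inside r= survives as part of that URL."""
    if not uri.startswith("bitcoin:"):
        raise ValueError("not a bitcoin: URI")
    address, _, query = uri[len("bitcoin:"):].partition("?")
    return address, {k: v[0] for k, v in parse_qs(query).items()}

def verify_payment_request(params: dict, payment_request: bytes):
    """Decide whether a fetched PaymentRequest may replace the URI's address.
    Assumption: h= is hex SHA-256 of the PaymentRequest bytes (not in BIP-72)."""
    if "r" not in params:
        return False, "no r= parameter; pay the address/amount from the URI"
    committed = params.get("h")
    if committed is None:
        return False, "no h= commitment; a MITM on the r= fetch could swap the request"
    actual = hashlib.sha256(payment_request).hexdigest()
    if not hmac.compare_digest(actual, committed.lower()):
        return False, "hash mismatch; PaymentRequest altered or substituted"
    return True, "PaymentRequest matches the commitment in the URI"

# Constructed sample data (not real protobuf PaymentRequest messages).
GENUINE_REQUEST = b"PaymentRequest{to=mq7se9wy2egettFxPbmn99cK8v5AFq55Lx,amount=0.11}"
TAMPERED_REQUEST = b"PaymentRequest{to=SUBSTITUTED_ADDRESS_PLACEHOLDER,amount=0.11}"
COMMITMENT = hashlib.sha256(GENUINE_REQUEST).hexdigest()

# The BIP-72 URI from the message, with and without the assumed h= commitment.
URI_PLAIN = ("bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11"
             "&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe")
URI_WITH_H = URI_PLAIN + "&h=" + COMMITMENT

def check(uri: str, fetched: bytes):
    """Parse the URI and run the commitment check on the fetched bytes."""
    _, params = parse_bip72_uri(uri)
    return verify_payment_request(params, fetched)

if __name__ == "__main__":
    for label, uri, body in [("plain URI, genuine request", URI_PLAIN, GENUINE_REQUEST),
                             ("committed URI, genuine request", URI_WITH_H, GENUINE_REQUEST),
                             ("committed URI, tampered request", URI_WITH_H, TAMPERED_REQUEST)]:
        print(label, "->", check(uri, body))
```

The plain URI is rejected in the same branch as a tampered request: without a commitment the wallet has nothing beyond the second TLS connection to tie the fetched request to what the user saw.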
Author Public Key
npub1m230cem2yh3mtdzkg32qhj73uytgkyg5ylxsu083n3tpjnajxx4qqa2np2