From: Arthur Gervais
Date: Thu, 27 Jun 2013 12:23:34 +0200
Message-ID: <51CC12A6.3090100@inf.ethz.ch>
Cc: Ghassan Karame, Hubert Ritzdorf
Subject: [Bitcoin-development] Double-Spending Fast Payments in Bitcoin due to Client versions 0.8.1

Dear Bitcoin developers,

We would like to report a vulnerability which might lead, under some assumptions, to a double-spending attack in a fast payment scenario. The vulnerability has been introduced due to signature encoding incompatibilities between versions 0.8.2 (or 0.8.3) and earlier Bitcoin versions.

Please find at the following link a detailed description of this vulnerability:

ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/7xx/789.pdf

We contacted and informed Gavin earlier about this problem.

With best regards,
Arthur Gervais