From: Mike Hearn
To: Jeff Garzik
Cc: Nicolas DORIER, Bitcoin Dev
Subject: Re: [Bitcoin-development] BIP70: why Google Protocol Buffers for encoding?
Date: Wed, 28 Jan 2015 18:45:10 +0100

> It is not "fear", it is field experience.
>
> JSON has proven to be a bug generator for the reasons already stated.

To back Jeff up on this point, today we see this story:

http://www.theregister.co.uk/2015/01/27/trivial_hole_left_black_phones_open_to_plunder/

The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched *a critical vulnerability that allows hackers to run malicious code on the handsets*. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

"The SCIMP protocol encodes messages as JSON objects, which are then transmitted to the remote party over XMPP," Dowd explained to *The Register*. "*The flaw I discovered occurs during the deserialization of these JSON objects*. It is *a type confusion vulnerability*, which when exploited allows an attacker to overwrite a pointer in memory, either partially or in full. This pointer is later manipulated by the program and also the system allocator, allowing you to do things such as pass arbitrary pointers to free()."

The C++/Java/Python protocol buffer implementations are used by Google for all internal inter-server communication. Any similar exploit in them would result in total bypass of their entire internal security and auditing system by allowing you to run code as any user. The Google security team is very good, the protobuf code is carefully reviewed and the format is relatively constrained. The chances of there being any security problems in the parsing code generated by the protobuf compilers are drastically smaller. As BIP70 requests are parsed by security sensitive code, this matters.

The vision for BIP70 has always been to be a foundation for many features. We haven't really done much with it so far because there have always been higher priorities. But I hope that if Bitcoin continues to be successful and grows, one day payment requests will have many different features in them and those will likely include many complex data structures.
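The argument above is that a schema-bound, constrained wire format lets the generated parser reject a field that arrives with the wrong type before application code ever sees it, whereas a JSON parser hands back whatever types the sender chose and leaves the type check to every caller. The following is an added illustration written for this archive page; it is not code from the thread, from Bitcoin Core or from the BIP70 reference implementation. It decodes a two-field message modelled on BIP70's Output (the field layout, amount as field 1 varint and script as field 2 bytes, is an assumption here), enforces the declared wire type, varint length and field length, and sets that beside a JSON decoder for the same two fields where the type checks have to be written by hand. Sample inputs, the schema and the size cap are constructed for the example.

```python
import json

# Added illustration (not code from the thread, Bitcoin Core or BIP70).
# Toy schema modelled on BIP70's Output message; the field layout is an
# assumption for this example: field 1 = amount (varint), field 2 = script (bytes).
WIRE_VARINT, WIRE_BYTES = 0, 2
SCHEMA = {1: ("amount", WIRE_VARINT), 2: ("script", WIRE_BYTES)}
MAX_FIELD_LEN = 10_000  # constructed cap on length-delimited fields


class DecodeError(ValueError):
    """Raised for any input that does not match the schema."""


def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; reject truncated or over-long (>10 byte) encodings."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift >= 64:
            raise DecodeError("varint longer than 10 bytes")


def decode_message(buf):
    """Schema-checked wire decoder: each field must arrive with its declared wire type."""
    out, pos = {}, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 0x7
        if field not in SCHEMA:
            raise DecodeError(f"unknown field {field}")  # strict; real protobuf skips unknown fields
        name, expected = SCHEMA[field]
        if wire != expected:
            raise DecodeError(f"{name}: wire type {wire}, expected {expected}")
        if wire == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        else:
            length, pos = read_varint(buf, pos)
            if length > MAX_FIELD_LEN or pos + length > len(buf):
                raise DecodeError(f"{name}: bad length {length}")
            value = bytes(buf[pos:pos + length])
            pos += length
        out[name] = value
    return out


def decode_json_output(text):
    """JSON carries no schema: json.loads hands back whatever types the sender chose,
    so every field must be type-checked by hand before the application touches it."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise DecodeError("top level is not an object")
    amount, script = obj.get("amount"), obj.get("script")
    # type() rather than isinstance(): bool is a subclass of int in Python
    if type(amount) is not int or amount < 0:
        raise DecodeError(f"amount: expected non-negative int, got {type(amount).__name__}")
    if not isinstance(script, str):
        raise DecodeError(f"script: expected hex string, got {type(script).__name__}")
    return {"amount": amount, "script": bytes.fromhex(script)}


def try_decode(decoder, payload):
    """Run a decoder and return its result, or the rejection reason as a string."""
    try:
        return decoder(payload)
    except ValueError as e:  # DecodeError, JSON syntax errors and bad hex are all ValueError
        return f"rejected: {e}"


# Constructed sample inputs
GOOD_PB = bytes([0x08, 0xE8, 0x07,         # field 1, varint 1000
                 0x12, 0x02, 0x76, 0xA9])  # field 2, two bytes
CONFUSED_PB = bytes([0x0A, 0x02, 0x41, 0x42])  # field 1 sent as length-delimited instead of varint
TRUNCATED_PB = bytes([0x08, 0xE8])             # varint cut short
GOOD_JSON = '{"amount": 1000, "script": "76a9"}'
CONFUSED_JSON = '{"amount": "1000", "script": "76a9"}'  # amount arrives as a string

if __name__ == "__main__":
    for label, dec, data in [("protobuf ok", decode_message, GOOD_PB),
                             ("protobuf type-confused", decode_message, CONFUSED_PB),
                             ("protobuf truncated", decode_message, TRUNCATED_PB),
                             ("json ok", decode_json_output, GOOD_JSON),
                             ("json type-confused", decode_json_output, CONFUSED_JSON)]:
        print(f"{label:24} -> {try_decode(dec, data)}")
```

The wire-type check in `decode_message` is the kind of check that protobuf-generated code performs once, in shared and heavily exercised code, for every field of every message; with `decode_json_output` the same checks exist only because the caller remembered to write them, and each new field is a new chance to forget one. Real protobuf parsers skip unknown fields for forward compatibility rather than rejecting them as this strict toy does, and a production JSON validator would also want to bound string lengths and reject lenient extensions such as the `NaN` and `Infinity` literals that Python's `json` accepts by default.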