Date: Wed, 27 Mar 2024 20:30:34 +0000
From: Peter Todd
To: "David A. Harding"
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6

On Wed, Mar 27, 2024 at 09:50:20AM -1000, David A. Harding wrote:
> On 2024-03-27 08:04, Peter Todd wrote:
> > I was able to verify independently that the relevant people had seen
> > the email and weren't planning on replying.
>
> Can you provide detail on this?

I'm not going to because I don't want anyone else subject to harassment over this.

> > You're just harassing me here; I highly
> > suspect you'd have said nothing at all if I hadn't brought up
> > disclosure.
>
> I think I would have said something. Any time I'm writing a description for
> Optech about an attack that affects existing Bitcoin software and was
> responsibly disclosed, I back link to it from a special page [1]. In cases
> of ambiguity about whether or not an attack was responsibly disclosed, I
> investigate.
>
> I'm sorry this feels to you like harassment. To me it feels like whiplash:
> I inferred responsible disclosure based on your original text, learned it
> might not have been, and now am being told by you that it was indeed
> responsible.

I'm not the only person who thinks this looks like harassment. The fact is you
started this conversation with:

    "I'm especially concerned given your past history of publicly revealing
    vulnerabilities before they could be quietly patched and the conflict of
    interest of you using this disclosure to advocate for a policy change you
    are championing."

You haven't substantiated any of this. Nor have you even tried to argue that my
take on the vulnerability is incorrect: it's just an interesting variation of
well-known attacks that doesn't substantially change the situation.

Anyway, this conversation is just wasting everyone's time. If this actually is a
deal-breaking exploit that must be fixed quickly and quietly - the type of
exploit for which responsible disclosure is necessary - what we should be
talking about is how to fix it. I proposed two different design changes that
mitigate it. One of which fixes other issues too. Antoine Riard also proposed
potential mitigations. Do you have a useful comment on these proposals?

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org