1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
|
Return-Path: <omarshib@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 483F8AF7
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 29 Sep 2017 04:21:11 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-io0-f173.google.com (mail-io0-f173.google.com
[209.85.223.173])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 8978A41D
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 29 Sep 2017 04:21:10 +0000 (UTC)
Received: by mail-io0-f173.google.com with SMTP id v36so524854ioi.1
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 28 Sep 2017 21:21:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=tgxaYQeaycPo5sWbzMKLKNOYV8RzSSc7/AailRdi30c=;
b=pLXpnjvnIorqI6GcLe/yb05do8Cb0nzJKcC/25GGGeTqFots/USqE3sobJbSOWl6MS
lOTXt85z00X++DWD3GxchryI5TstOOadVFyGWzgAYkN2ZeJisbqVorrrhZ+i/wL6jqQq
NQYaJS/K6GAreL4qwXnQbToC2S1EEPBnlw2wNWsb7dLAC/7Dd2Zlqb/byr/ChajafkdI
cTIylMTtX3oJWkLIxs6DwuaH6fVwQddAGlhAq9T5YB82bUvm7vJNh5I2eBwpWGfEwobb
Dc1EZ0A9spaBGYplXRm+TNSZ3+lJA3EPPL2ooJEDjVKgWfMsOyG4PAaWHfxOIL+XYUSx
5gLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=tgxaYQeaycPo5sWbzMKLKNOYV8RzSSc7/AailRdi30c=;
b=GgREV6jp0AEae+IvpoAWZdIUkK5wzIQn1s8duIufUKtv1EfmvamAvC0aRijJYeeGuy
l3i8KfJRbhuWcC02yceFGiD3OaUZ4+VOxKirhPrZ9i/FG/86PMq+s0va2GwBoLEzDIGx
7FoZ8aVDqEb3DZlsuVR2v/z9EQMF+h9ZoCeHIFuYjlpdODEBwL4LooILtcKkMIHy8uBw
IJXFv8Y+82licZ0UmlddAePy8RkDZcDbgiKu46JtTId8Be+UJDi9A//ba4gzlnG3hbf7
n0+LixfqbCbe7TVudUQ3mg8fveZDsTPlveKgsOdBZCBXlupFA4Pn44kEp+CWw7pNhOWc
5slw==
X-Gm-Message-State: AHPjjUgoYQmZS7yX2tWyk/5wBdMoWBJ0PGMmpqukJKjSchdftiDSdkux
3EEsgAsckWgjVre0oPBXm/c8xP9Or+yvOF7VGV5LAC7C
X-Google-Smtp-Source: AOwi7QBFFKGzXqFkraw5ZFg+g28hxVvh4Chk9XhcqdrL3yk5A+05GlhqZm9H5wjd9J3XZjh4/M7YlhBi2JnMTMPyToc=
X-Received: by 10.107.36.83 with SMTP id k80mr10267194iok.176.1506658869896;
Thu, 28 Sep 2017 21:21:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.2.21.25 with HTTP; Thu, 28 Sep 2017 21:21:09 -0700 (PDT)
In-Reply-To: <20170929025538.GC12303@savin.petertodd.org>
References: <20170927160654.GA12492@savin.petertodd.org>
<oqihpf$5gc$1@blaine.gmane.org>
<B5DE4E92-C5B3-4C01-A148-E3C46C897323@sprovoost.nl>
<20170929025538.GC12303@savin.petertodd.org>
From: Omar Shibli <omarshib@gmail.com>
Date: Fri, 29 Sep 2017 07:21:09 +0300
Message-ID: <CAE3EOfi6wz=5oduOambZgBT51=OsYGUG2Ps_gJHis=fTCq80Dg@mail.gmail.com>
To: Peter Todd <pete@petertodd.org>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="001a11402f20bce9e5055a4c5adb"
X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 29 Sep 2017 11:56:38 +0000
Subject: Re: [bitcoin-dev] Why the BIP-72 Payment Protocol URI Standard is
Insecure Against MITM Attacks
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Sep 2017 04:21:11 -0000
--001a11402f20bce9e5055a4c5adb
Content-Type: text/plain; charset="UTF-8"
Thank you for sharing, this is indefinitely valuable.
I think that risk could be mitigated if instead of ignoring the bitcoin
address/amount/..., the wallet use this address for integrity checks.
Furthermore, I think this BIP could be improved by actually applying the
homomorphic property and deriving the bitcoin address from merchant pub key
and the hash itself. that would allow both the customer and merchant to be
able generate address independently.
On Fri, Sep 29, 2017 at 5:55 AM, Peter Todd via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Thu, Sep 28, 2017 at 03:43:05PM +0300, Sjors Provoost via bitcoin-dev
> wrote:
> > Andreas Schildbach wrote:
> > > This feels redundant to me; the payment protocol already has an
> > > expiration time.
> >
> > The BIP-70 payment protocol has significant overhead and most
> importantly requires back and forth. Emailing a bitcoin address or printing
> it on an invoice is much easier, so I would expect people to keep doing
> that.
>
> The BIP-70 payment protocol used via BIP-72 URI's is insecure, as payment
> qr
> codes don't cryptographically commit to the identity of the merchant, which
> means a MITM attacker can redirect the payment if they can obtain a SSL
> cert
> that the wallet accepts.
>
> For example, if I have a wallet on my phone and go to pay a
> merchant, a BIP-72 URI will look like the following(1):
>
> bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11&r=https://
> merchant.com/pay.php?h%3D2a8628fc2fbe
>
> A wallet following the BIP-72 standard will "ignore the bitcoin
> address/amount/label/message in the URI and instead fetch a PaymentRequest
> message and then follow the payment protocol, as described in BIP 70."
>
> So my phone will make a second connection - likely on a second network
> with a
> totally different set of MITM attackers - to https://merchant.com
>
> In short, while my browser may have gotten the correct URL with the correct
> Bitcoin address, by using the payment protocol my wallet is discarding that
> information and giving MITM attackers a second chance at redirecting my
> payment
> to them. That wallet is also likely using an off-the-shelf SSL library,
> with
> nothing other than an infrequently updated set of root certificates to use
> to
> verify the certificate; your browser has access to a whole host of better
> technologies, such as HSTS pinning, certificate transparency, and
> frequently
> updated root certificate lists with proper revocation (see Symantec).
>
> As an ad-hoc, unstandardized, extension Android Wallet for Bitcoin at least
> supports a h= parameter with a hash commitment to what the payment request
> should be, and will reject the MITM attacker if that hash doesn't match.
> But
> that's not actually in the standard itself, and as far as I can tell has
> never
> been made into a BIP.
>
> As-is BIP-72 is very dangerous and should be depreciated, with a new BIP
> made
> to replace it.
>
> 1) As an aside, it's absolutely hilarious that this URL taken straight from
> BIP-72 has the merchant using PHP, given its truly terrible track
> record for
> security.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
--001a11402f20bce9e5055a4c5adb
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>Thank you for sharing, this is indefinitely valuable.=
</div><div><br></div><div>I think that risk could be mitigated if instead o=
f ignoring the bitcoin address/amount/..., the wallet use this address for =
integrity checks.</div><div>Furthermore, I think this BIP could be improved=
by actually applying the homomorphic property and deriving the bitcoin add=
ress from merchant pub key and the hash itself. that would allow both the c=
ustomer and merchant to be able=C2=A0generate address independently.</div><=
/div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Fri, Sep =
29, 2017 at 5:55 AM, Peter Todd via bitcoin-dev <span dir=3D"ltr"><<a hr=
ef=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitco=
in-dev@lists.linuxfoundation.org</a>></span> wrote:<br><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex">On Thu, Sep 28, 2017 at 03:43:05PM +0300, Sjors Provoost via =
bitcoin-dev wrote:<br>
> Andreas Schildbach wrote:<br>
> > This feels redundant to me; the payment protocol already has an<b=
r>
> > expiration time.<br>
><br>
> The BIP-70 payment protocol has significant overhead and most importan=
tly requires back and forth. Emailing a bitcoin address or printing it on a=
n invoice is much easier, so I would expect people to keep doing that.<br>
<br>
The BIP-70 payment protocol used via BIP-72 URI's is insecure, as payme=
nt qr<br>
codes don't cryptographically commit to the identity of the merchant, w=
hich<br>
means a MITM attacker can redirect the payment if they can obtain a SSL cer=
t<br>
that the wallet accepts.<br>
<br>
For example, if I have a wallet on my phone and go to pay a<br>
merchant, a BIP-72 URI will look like the following(1):<br>
<br>
=C2=A0 =C2=A0 bitcoin:<wbr>mq7se9wy2egettFxPbmn99cK8v5AFq<wbr>55Lx?amount=
=3D0.11&r=3D<a href=3D"https://merchant.com/pay.php?h%3D2a8628fc2fbe" r=
el=3D"noreferrer" target=3D"_blank">https://<wbr>merchant.com/pay.php?h%<wb=
r>3D2a8628fc2fbe</a><br>
<br>
A wallet following the BIP-72 standard will "ignore the bitcoin<br>
address/amount/label/message in the URI and instead fetch a PaymentRequest<=
br>
message and then follow the payment protocol, as described in BIP 70."=
<br>
<br>
So my phone will make a second connection - likely on a second network with=
a<br>
totally different set of MITM attackers - to <a href=3D"https://merchant.co=
m" rel=3D"noreferrer" target=3D"_blank">https://merchant.com</a><br>
<br>
In short, while my browser may have gotten the correct URL with the correct=
<br>
Bitcoin address, by using the payment protocol my wallet is discarding that=
<br>
information and giving MITM attackers a second chance at redirecting my pay=
ment<br>
to them. That wallet is also likely using an off-the-shelf SSL library, wit=
h<br>
nothing other than an infrequently updated set of root certificates to use =
to<br>
verify the certificate; your browser has access to a whole host of better<b=
r>
technologies, such as HSTS pinning, certificate transparency, and frequentl=
y<br>
updated root certificate lists with proper revocation (see Symantec).<br>
<br>
As an ad-hoc, unstandardized, extension Android Wallet for Bitcoin at least=
<br>
supports a h=3D parameter with a hash commitment to what the payment reques=
t<br>
should be, and will reject the MITM attacker if that hash doesn't match=
. But<br>
that's not actually in the standard itself, and as far as I can tell ha=
s never<br>
been made into a BIP.<br>
<br>
As-is BIP-72 is very dangerous and should be depreciated, with a new BIP ma=
de<br>
to replace it.<br>
<br>
1) As an aside, it's absolutely hilarious that this URL taken straight =
from<br>
=C2=A0 =C2=A0BIP-72 has the merchant using PHP, given its truly terrible tr=
ack record for<br>
=C2=A0 =C2=A0security.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
--<br>
<a href=3D"https://petertodd.org" rel=3D"noreferrer" target=3D"_blank">http=
s://petertodd.org</a> 'peter'[:-1]@<a href=3D"http://petertodd.org"=
rel=3D"noreferrer" target=3D"_blank">petertodd.org</a><br>
</font></span><br>______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.=
<wbr>linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-<wbr>dev</a><br>
<br></blockquote></div><br></div>
--001a11402f20bce9e5055a4c5adb--
|