Date: Wed, 27 Mar 2024 20:30:34 +0000
From: Peter Todd <pete@petertodd.org>
To: "David A. Harding" <dave@dtrt.org>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
Message-ID: <ZgSB6kmLiDG08Yrd@petertodd.org>
References: <f7fbeb4f58904fc5a24b6fc2d829036c@dtrt.org>
 <ZgRfvrYatcpqPNRn@petertodd.org>
 <bbc33ff01e464f8c84a593ac05c5722c@dtrt.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="iriQTBlc0tWbRAE3"
Content-Disposition: inline
In-Reply-To: <bbc33ff01e464f8c84a593ac05c5722c@dtrt.org>


--iriQTBlc0tWbRAE3
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline

On Wed, Mar 27, 2024 at 09:50:20AM -1000, David A. Harding wrote:
> On 2024-03-27 08:04, Peter Todd wrote:
> > I was able to verify independently that the relevant people had seen
> > the email and weren't planning on replying.
> 
> Can you provide detail on this?

I'm not going to, because I don't want anyone else subject to harassment over this.

> > You're just harassing me here; I highly
> > suspect you'd have said nothing at all if I hadn't brought up
> > disclosure.
> 
> I think I would have said something.  Any time I'm writing a description for
> Optech about an attack that affects existing Bitcoin software and was
> responsibly disclosed, I back link to it from a special page [1].  In cases
> of ambiguity about whether or not an attack was responsibly disclosed, I
> investigate.
> 
> I'm sorry this feels to you like harassment.  To me it feels like whiplash:
> I inferred responsible disclosure based on your original text, learned it
> might not have been, and now am being told by you that it was indeed
> responsible.

I'm not the only person who thinks this looks like harassment. The fact is you
started this conversation with: "I'm especially concerned given your past
history of publicly revealing vulnerabilities before they could be quietly
patched and the conflict of interest of you using this disclosure to advocate
for a policy change you are championing."

You haven't substantiated any of this. Nor have you even tried to argue that my
take on the vulnerability is incorrect: it's just an interesting variation of
well-known attacks that doesn't substantially change the situation.

Anyway, this conversation is just wasting everyone's time. If this actually is
a deal-breaking exploit that must be fixed quickly and quietly - the type of
exploit for which responsible disclosure is necessary - what we should be
talking about is how to fix it. I proposed two different design changes that
mitigate it. One of which fixes other issues too. Antoine Riard also proposed
potential mitigations.

Do you have a useful comment on these proposals?

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org


--iriQTBlc0tWbRAE3--