Sender: mh.in.england@gmail.com
In-Reply-To: <CAJHLa0MCyzm_t47R5Z5MPL9ruqM=uq15u26W3dwRsBy57K11=w@mail.gmail.com>
References: <CALYO6Xt-jTYwpywUaH-s4YPYyGUp1_BLSEswscnwX+Vu166Lcw@mail.gmail.com>
	<alpine.DEB.2.10.1501281419110.21680@nzrgulfg.ivfhpber.pbz>
	<CALYO6Xv=k+Ztvke90SDB91StFBL7C0U49ufMD-WjG91uHLshFg@mail.gmail.com>
	<CANEZrP3PCHaTO3-HA3GHFxwuJJpW2dbvPuV4R1sFPcFW49uGgw@mail.gmail.com>
	<CAJHLa0Mu3Mjn=N-fTQ_fjwp+NUpfBqpdnXZiHoKz1s3tcZa+Cg@mail.gmail.com>
	<CALYO6Xs_20YpKeqmtu8N6Vt2uCSV4hM6S=6=zLhfBb_GCyuikg@mail.gmail.com>
	<CAJHLa0MCyzm_t47R5Z5MPL9ruqM=uq15u26W3dwRsBy57K11=w@mail.gmail.com>
Date: Wed, 28 Jan 2015 18:45:10 +0100
Message-ID: <CANEZrP3GgDYiHt+grWjX+gpDDh9HUvPDGLqi-mpgddEMd24q7w@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Jeff Garzik <jgarzik@bitpay.com>
Cc: Nicolas DORIER <nicolas.dorier@gmail.com>,
	Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] BIP70: why Google Protocol Buffers for
	encoding?

>
> It is not "fear", it is field experience.
>
> JSON has proven to be a bug generator for the reasons already stated.
>

To back Jeff up on this point, today we see this story:

http://www.theregister.co.uk/2015/01/27/trivial_hole_left_black_phones_open_to_plunder/

The maker of BlackPhone – a mobile marketed as offering unusually high
levels of security – has patched *a critical vulnerability that allows
hackers to run malicious code on the handsets*. Attackers need little more
than a phone number to send a message that can compromise the devices via
the Silent Text application.

"The SCIMP protocol encodes messages as JSON objects, which are then
transmitted to the remote party over XMPP," Dowd explained to *The Register*.
"*The flaw I discovered occurs during the deserialization of these JSON
objects*. It is *a type confusion vulnerability*, which when exploited
allows an attacker to overwrite a pointer in memory, either partially or in
full. This pointer is later manipulated by the program and also the system
allocator, allowing you to do things such as pass arbitrary pointers to
free()."

The C++/Java/Python protocol buffer implementations are used by Google for
all internal inter-server communication. Any similar exploit in them would
result in total bypass of their entire internal security and auditing
system by allowing you to run code as any user. The Google security team is
very good, the protobuf code is carefully reviewed and the format is
relatively constrained. The chances of there being any security problems in
the parsing code generated by the protobuf compilers are drastically
smaller. As BIP70 requests are parsed by security sensitive code, this
matters.

The vision for BIP70 has always been to be a foundation for many features.
We haven't really done much with it so far because there have always been
higher priorities. But I hope that if Bitcoin continues to be successful
and grows, one day payment requests will have many different features in
them and those will likely include many complex data structures.
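The point made above, that a schema-constrained wire format leaves a parser far less room for type confusion than schemaless JSON, as an added example that is not part of the original email nor of any protobuf or BIP70 implementation: a minimal protobuf wire-format decoder that rejects any field whose wire type does not match a declared schema, beside stock JSON parsing that accepts any type for a key. The two-field schema (loosely modelled on a BIP70 Output) and the sample bytes are constructed.

```python
import json

# Protobuf wire types used here (minimal hand-written decoder, not Google's library).
VARINT, LENGTH_DELIMITED = 0, 2

def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def decode_message(buf, schema):
    """Decode tag/value pairs. schema maps field number -> (name, wire_type);
    an unknown field or a wire type that disagrees with the schema is an error,
    so a field can never be handed to the caller as the wrong kind of value."""
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if field_no not in schema:
            raise ValueError("unknown field %d" % field_no)
        name, expected = schema[field_no]
        if wire_type != expected:
            raise ValueError("field %s: wire type %d, expected %d" % (name, wire_type, expected))
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        else:  # LENGTH_DELIMITED: length prefix, then raw bytes
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = buf[pos:pos + length], pos + length
        fields[name] = value
    return fields

# Hypothetical schema: field 1 = amount (varint), field 2 = script (bytes).
OUTPUT_SCHEMA = {1: ("amount", VARINT), 2: ("script", LENGTH_DELIMITED)}
# Constructed sample: amount=300 (0xAC 0x02), script=b"\x76\xa9".
GOOD = bytes([0x08, 0xAC, 0x02, 0x12, 0x02, 0x76, 0xA9])
# Same fields, but amount sent as the length-delimited string "300": rejected.
BAD = bytes([0x0A, 0x03]) + b"300" + bytes([0x12, 0x02, 0x76, 0xA9])

def json_amount_type(text):
    """JSON carries no schema: 'amount' may arrive as int, str, list, ...
    and only the caller's own checks stand between that and a type confusion."""
    return type(json.loads(text)["amount"]).__name__
```
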
