Date: Thu, 28 Sep 2017 22:55:38 -0400
From: Peter Todd <pete@petertodd.org>
To: Sjors Provoost <sjors@sprovoost.nl>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20170929025538.GC12303@savin.petertodd.org>
References: <20170927160654.GA12492@savin.petertodd.org>
	<oqihpf$5gc$1@blaine.gmane.org>
	<B5DE4E92-C5B3-4C01-A148-E3C46C897323@sprovoost.nl>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="R+My9LyyhiUvIEro"
Content-Disposition: inline
In-Reply-To: <B5DE4E92-C5B3-4C01-A148-E3C46C897323@sprovoost.nl>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: [bitcoin-dev] Why the BIP-72 Payment Protocol URI Standard is
 Insecure Against MITM Attacks


--R+My9LyyhiUvIEro
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Sep 28, 2017 at 03:43:05PM +0300, Sjors Provoost via bitcoin-dev wrote:
> Andreas Schildbach wrote:
> > This feels redundant to me; the payment protocol already has an
> > expiration time.
>
> The BIP-70 payment protocol has significant overhead and most importantly requires back and forth. Emailing a bitcoin address or printing it on an invoice is much easier, so I would expect people to keep doing that.

The BIP-70 payment protocol used via BIP-72 URIs is insecure, as payment QR
codes don't cryptographically commit to the identity of the merchant, which
means a MITM attacker can redirect the payment if they can obtain an SSL cert
that the wallet accepts.

For example, if I have a wallet on my phone and go to pay a
merchant, a BIP-72 URI will look like the following (1):

    bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe

A wallet following the BIP-72 standard will "ignore the bitcoin
address/amount/label/message in the URI and instead fetch a PaymentRequest
message and then follow the payment protocol, as described in BIP 70."

So my phone will make a second connection - likely on a second network with a
totally different set of MITM attackers - to https://merchant.com

In short, while my browser may have gotten the correct URL with the correct
Bitcoin address, by using the payment protocol my wallet is discarding that
information and giving MITM attackers a second chance at redirecting my payment
to them. That wallet is also likely using an off-the-shelf SSL library, with
nothing other than an infrequently updated set of root certificates to use to
verify the certificate; your browser has access to a whole host of better
technologies, such as HSTS pinning, certificate transparency, and frequently
updated root certificate lists with proper revocation (see Symantec).

As an ad-hoc, unstandardized extension, Android Wallet for Bitcoin at least
supports an h= parameter with a hash commitment to what the payment request
should be, and will reject the MITM attacker if that hash doesn't match. But
that's not actually in the standard itself, and as far as I can tell has never
been made into a BIP.

As-is BIP-72 is very dangerous and should be deprecated, with a new BIP made
to replace it.

1) As an aside, it's absolutely hilarious that this URL taken straight from
   BIP-72 has the merchant using PHP, given its truly terrible track record for
   security.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

--R+My9LyyhiUvIEro--
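
An added example, not part of the original message and not Android Wallet's
code: a wallet-side check of the h= hash commitment described above, run
against the BIP-72 URI quoted in the message. It assumes h= is the hex SHA-256
of the fetched PaymentRequest bytes (the message does not give the encoding);
the function names and the sample request bytes are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# URI exactly as quoted in the message (from BIP-72); it has no top-level h=.
BIP72_URI = ("bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11"
             "&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe")

# Constructed stand-ins for serialized PaymentRequest messages.
HONEST_REQUEST = b"constructed PaymentRequest: outputs -> merchant"
FORGED_REQUEST = b"constructed PaymentRequest: outputs -> someone else"


def parse_payment_uri(uri):
    """Return (address, params) for a bitcoin: URI."""
    parts = urlsplit(uri)
    if parts.scheme != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    # parse_qs splits on '&' first, so the percent-encoded "h%3D..." stays
    # inside the r= value and is not mistaken for a top-level h= parameter.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, params


def commit_uri(uri, request_bytes):
    """Append an h= commitment (assumed encoding: hex SHA-256) to a URI."""
    return uri + "&h=" + hashlib.sha256(request_bytes).hexdigest()


def check_commitment(uri, fetched_bytes):
    """Classify the bytes fetched from r= against the URI's h= commitment."""
    _, params = parse_payment_uri(uri)
    if "r" not in params:
        return "no-payment-protocol"   # plain address URI, nothing fetched
    if "h" not in params:
        return "uncommitted"           # fetched bytes cannot be checked
    actual = hashlib.sha256(fetched_bytes).hexdigest().encode()
    if hmac.compare_digest(actual, params["h"].lower().encode()):
        return "match"
    return "mismatch"                  # wallet must refuse to pay


if __name__ == "__main__":
    committed = commit_uri(BIP72_URI, HONEST_REQUEST)
    for uri, body in [(BIP72_URI, FORGED_REQUEST),
                      (committed, HONEST_REQUEST),
                      (committed, FORGED_REQUEST)]:
        print(check_commitment(uri, body))
```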