Re: [Bitcoin-development] Miners MiTM

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Laszlo Hanyecz <laszlo@heliacal.net>
To: Jeff Garzik <jgarzik@bitpay.com>
Cc: "bitcoin-development@lists.sourceforge.net"
	<bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Miners MiTM
Date: Fri, 8 Aug 2014 18:34:01 +0000	[thread overview]
Message-ID: <A5697066-6389-4F9A-99E6-B815ADB51006@heliacal.net> (raw)
In-Reply-To: <CAJHLa0NBJo+NFFFZEHNo81KPBwgx05tbuMwtSKMs=07+wCmQgA@mail.gmail.com>

Mutual CHAP could work.  This is commonly done in PPP and iSCSI.  The idea is simply that both sides authenticate.  The server expects the client to provide a password, and the client expects the server to provide a (different) password.  If you masquerade as the server, you won't be able to authenticate because every client has a different password they expect from the server, so they won't do work for you. MITM on the server can capture the exchange but CHAP protects against replay.

https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol

-Laszlo


On Aug 8, 2014, at 6:21 PM, Jeff Garzik <jgarzik@bitpay.com> wrote:

> gmaxwell noted on IRC that enabling TLS could be functionally, if not
> literally, a DoS on the pool servers.  Hence the thought towards a
> more lightweight method that simply prevents client payout redirection
> + server impersonation.
> 
> 
> On Fri, Aug 8, 2014 at 5:53 AM, Mike Hearn <mike@plan99.net> wrote:
>>> Certificate validation isn't needed unless the attacker can do a direct
>>> MITM
>>> at connection time, which is a lot harder to maintain than injecting a
>>> client.reconnect.
>> 
>> 
>> Surely the TCP connection will be reset once the route reconfiguration is
>> completed, either by the MITM server or by the client TCP stack when it
>> discovers the server doesn't know about the connection anymore?
>> 
>> TLS without cert validation defeats the point, you can still be connected to
>> a MITM at any point by anyone who can simply interrupt or corrupt the
>> stream, forcing a reconnect.
>> 
>> ------------------------------------------------------------------------------
>> Want fast and easy access to all the code in your enterprise? Index and
>> search up to 200,000 lines of code with a free copy of Black Duck
>> Code Sight - the same software that powers the world's largest code
>> search on Ohloh, the Black Duck Open Hub! Try it now.
>> http://p.sf.net/sfu/bds
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>> 
> 
> 
> 
> -- 
> Jeff Garzik
> Bitcoin core developer and open source evangelist
> BitPay, Inc.      https://bitpay.com/
> 
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development

next prev parent reply	other threads:[~2014-08-08 18:53 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-08-07 23:02 [Bitcoin-development] Miners MiTM Pedro Worcel
2014-08-07 23:45 ` Luke Dashjr
2014-08-08  0:29   ` slush
2014-08-08  0:37     ` Christopher Franko
2014-08-08  1:07       ` Pedro Worcel
2014-08-08  2:22         ` slush
2014-08-08  1:01     ` Luke Dashjr
2014-08-08  9:53       ` Mike Hearn
2014-08-08 18:21         ` Jeff Garzik
2014-08-08 18:27           ` Luke Dashjr
2014-08-08 18:34           ` Laszlo Hanyecz [this message]
2014-08-09 12:15             ` Sergio Lerner
2014-08-08  3:18     ` Jeff Garzik
2014-08-08  9:42     ` Mike Hearn
2014-08-09 19:39       ` Troy Benjegerdes
2014-08-09 19:31   ` Troy Benjegerdes

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=A5697066-6389-4F9A-99E6-B815ADB51006@heliacal.net \
    --to=laszlo@heliacal.net \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=jgarzik@bitpay.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox