From: Andreas Schildbach <andreas@schildbach.de>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Payment Protocol: BIP 70, 71, 72
Date: Wed, 25 Sep 2013 13:33:09 +0200 [thread overview]
Message-ID: <l1uhld$d68$1@ger.gmane.org> (raw)
In-Reply-To: <CANEZrP03KsGHvGqcNT1Qs6qkJ4i050CPjwvGqTRRhbdkgMf_dA@mail.gmail.com>
On 09/25/2013 01:15 PM, Mike Hearn wrote:
> It won't fit.
Why do you think that? Of course, I would skip the certificate, as its
unnecessary if you see your partner in person.
> But I don't see the logic. A URI contains instructions for
> making a payment. If that instruction is "pay to this address" or
> "download this file and do what you find there", it's no different
> unless there's potential for a MITM attack. If the request URL is HTTPS
> or a secured Bluetooth connection then there's no such possibility.
HTTPS trust is utterly broken unless you fix it by adding the
certificate or a fingerprint to the QR code. Bluetooth is not present in
every case, e.g. QR codes scanned from the web. (Also, we currently
don't have a concept of allowing both. The receiver forces you to either
use BT or HTTP.)
So yes, MITM is what I'm worrying about. When I'm scanning a QR code
from a phone, you don't have that problem (unless sophisticated optical
attacks emerge). Also, the HTTP request can fail and/or be slow, making
the whole payment process more difficult than necessary.
> On Wed, Sep 25, 2013 at 12:28 PM, Andreas Schildbach
> <andreas@schildbach.de <mailto:andreas@schildbach.de>> wrote:
>
> While it's good to save space, I'm at the moment not convinced that
> taking a de-route via an URL is a good idea to begin with.
>
> The main problem is trust. If you scan a QR code from a foreign phone,
> you trust that that phone is owned by the one you want to send money to.
> By adding the HTTP request that trust is voided.
>
> As soon as there is a BIP70 implementation, I will begin playing with
> putting the payment request directly into the QR code.
>
>
> On 09/25/2013 11:27 AM, Mike Hearn wrote:
> > We could also say that if protocol part (https://) is missing, it's
> > implied automatically. So just:
> >
> > bitcoin:1abc........?r=bob.com/r/aZgR <http://bob.com/r/aZgR>
> <http://bob.com/r/aZgR>
> >
> > I think that's about as small as possible without re-using the
> pubkey as
> > a token in the url.
> >
> >
> > On Wed, Sep 25, 2013 at 1:35 AM, Gavin Andresen
> <gavinandresen@gmail.com <mailto:gavinandresen@gmail.com>
> > <mailto:gavinandresen@gmail.com <mailto:gavinandresen@gmail.com>>>
> wrote:
> >
> > On Tue, Sep 24, 2013 at 11:52 PM, Mike Hearn <mike@plan99.net
> <mailto:mike@plan99.net>
> > <mailto:mike@plan99.net <mailto:mike@plan99.net>>> wrote:
> >
> > BTW, on the "make qrcodes more scannable" front -- is it too
> > late to change BIP 72 so the new param is just "r" instead of
> > "request"? Every byte helps when it comes to qrcodes ...
> >
> >
> > Not too late, assuming there are no objections. Smaller QR
> codes is
> > a very good reason to change it.
> >
> > --
> > --
> > Gavin Andresen
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get
> the most from
> > the latest Intel processors and coprocessors. See abstracts and
> register >
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> >
> >
> >
> > _______________________________________________
> > Bitcoin-development mailing list
> > Bitcoin-development@lists.sourceforge.net
> <mailto:Bitcoin-development@lists.sourceforge.net>
> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
> >
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
> most from
> the latest Intel processors and coprocessors. See abstracts and
> register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> <mailto:Bitcoin-development@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
next prev parent reply other threads:[~2013-09-25 11:33 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-31 6:28 [Bitcoin-development] Payment Protocol: BIP 70, 71, 72 Gavin Andresen
2013-07-31 8:45 ` Roy Badami
[not found] ` <CABsx9T3Xvnw2H6awgnT7mr-HzJOqCp_nOVM57BD-B9mY4R43aQ@mail.gmail.com>
2013-07-31 11:33 ` Gavin Andresen
2013-07-31 11:45 ` Melvin Carvalho
2013-07-31 23:30 ` E willbefull
2013-07-31 23:38 ` Gavin Andresen
2013-07-31 23:52 ` E willbefull
2013-08-07 20:12 ` Roy Badami
2013-07-31 8:59 ` Mike Hearn
2013-07-31 11:19 ` Gavin Andresen
2013-08-07 20:31 ` Pieter Wuille
2013-08-07 21:10 ` Gavin Andresen
2013-08-07 21:17 ` Mike Hearn
2013-08-07 21:36 ` Pieter Wuille
2013-08-07 21:44 ` Mike Hearn
2013-08-07 21:49 ` Pieter Wuille
2013-08-07 21:28 ` Roy Badami
2013-08-07 21:47 ` Alan Reiner
2013-08-14 10:56 ` Jouke Hofman
2013-08-07 21:47 ` Roy Badami
2013-08-07 21:54 ` Pieter Wuille
2013-08-07 22:03 ` Roy Badami
2013-08-08 0:48 ` Gavin Andresen
2013-08-08 9:13 ` Mike Hearn
2013-08-08 14:13 ` Pieter Wuille
2013-08-19 22:15 ` Andreas Petersson
2013-08-19 23:19 ` Gavin Andresen
2013-08-20 10:05 ` Mike Hearn
2013-09-24 13:52 ` Mike Hearn
2013-09-24 23:35 ` Gavin Andresen
2013-09-25 9:27 ` Mike Hearn
2013-09-25 10:28 ` Andreas Schildbach
2013-09-25 11:15 ` Mike Hearn
2013-09-25 11:33 ` Andreas Schildbach [this message]
2013-09-25 11:45 ` Mike Hearn
2013-09-25 11:59 ` Andreas Schildbach
2013-09-25 14:31 ` Jeff Garzik
2013-09-25 14:38 ` Mike Hearn
2013-09-25 11:35 ` Melvin Carvalho
2013-09-25 16:12 ` The Doctor
2013-09-26 6:37 ` Peter Todd
2013-09-25 14:26 ` Jeff Garzik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='l1uhld$d68$1@ger.gmane.org' \
--to=andreas@schildbach.de \
--cc=bitcoin-development@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox