From: Andreas Schildbach
To: bitcoin-dev@lists.linuxfoundation.org
Date: Sat, 30 Sep 2017 17:33:01 +0200
Subject: Re: [bitcoin-dev] Why the BIP-72 Payment Protocol URI Standard is Insecure Against MITM Attacks
In-Reply-To: <20170929025538.GC12303@savin.petertodd.org>
References: <20170927160654.GA12492@savin.petertodd.org> <20170929025538.GC12303@savin.petertodd.org>

Generally agreed. This is why I nack'ed BIP72 years ago when we discussed standardization. However, there are many ways to use BIP70 without BIP72. BIP72 is just a kludge to piggy-back the payment protocol onto BIP21.

And also, as you note, BIP72 can be easily fixed using a hash parameter.

On 09/29/2017 04:55 AM, Peter Todd via bitcoin-dev wrote:
> On Thu, Sep 28, 2017 at 03:43:05PM +0300, Sjors Provoost via bitcoin-dev wrote:
>> Andreas Schildbach wrote:
>>> This feels redundant to me; the payment protocol already has an
>>> expiration time.
>>
>> The BIP-70 payment protocol has significant overhead and most importantly
>> requires back and forth. Emailing a bitcoin address or printing it on an
>> invoice is much easier, so I would expect people to keep doing that.
>
> The BIP-70 payment protocol used via BIP-72 URIs is insecure, as payment QR
> codes don't cryptographically commit to the identity of the merchant, which
> means a MITM attacker can redirect the payment if they can obtain an SSL cert
> that the wallet accepts.
>
> For example, if I have a wallet on my phone and go to pay a
> merchant, a BIP-72 URI will look like the following (1):
>
> bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe
>
> A wallet following the BIP-72 standard will "ignore the bitcoin
> address/amount/label/message in the URI and instead fetch a PaymentRequest
> message and then follow the payment protocol, as described in BIP 70."
>
> So my phone will make a second connection - likely on a second network with a
> totally different set of MITM attackers - to https://merchant.com
>
> In short, while my browser may have gotten the correct URL with the correct
> Bitcoin address, by using the payment protocol my wallet is discarding that
> information and giving MITM attackers a second chance at redirecting my payment
> to them. That wallet is also likely using an off-the-shelf SSL library, with
> nothing other than an infrequently updated set of root certificates to use to
> verify the certificate; your browser has access to a whole host of better
> technologies, such as HSTS pinning, certificate transparency, and frequently
> updated root certificate lists with proper revocation (see Symantec).
>
> As an ad-hoc, unstandardized extension, Android Wallet for Bitcoin at least
> supports a h= parameter with a hash commitment to what the payment request
> should be, and will reject the MITM attacker if that hash doesn't match. But
> that's not actually in the standard itself, and as far as I can tell has never
> been made into a BIP.
>
> As-is BIP-72 is very dangerous and should be deprecated, with a new BIP made
> to replace it.
>
> 1) As an aside, it's absolutely hilarious that this URL taken straight from
> BIP-72 has the merchant using PHP, given its truly terrible track record for
> security.
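The following is an added example, not code from this thread, from Andreas Schildbach's Android wallet or from any BIP. It models the `h=` hash commitment discussed above: the wallet parses the BIP-72 URI, fetches the PaymentRequest from the `r=` URL, and refuses to pay unless the SHA-256 of the fetched bytes matches the commitment that was in the QR code, so a MITM on the second connection cannot substitute its own request. Two things are assumptions of this example rather than facts from the thread: the commitment encoding (base64url of SHA-256 with padding stripped) and the policy of falling back to the scanned BIP-21 address when the URI carries no `h=`. The PaymentRequest bytes and the `fetch` callable are constructed so the code runs offline.

```python
"""Verify a BIP-72 PaymentRequest against a hash commitment carried in the URI.

Added example; not from the bitcoin-dev thread, a wallet, or a BIP. The h=
encoding and the no-h= fallback policy are assumptions of this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl

# The example URI from BIP-72 as quoted in the thread. Note that the "?h%3D..."
# inside the r= value belongs to the merchant's URL, not to the wallet's commitment.
EXAMPLE_URI = ("bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx"
               "?amount=0.11&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe")

# Constructed stand-ins for serialized BIP-70 PaymentRequest messages (not real protobuf).
GENUINE_PR = b"constructed PaymentRequest: pay 0.11 BTC to the merchant's output"
TAMPERED_PR = b"constructed PaymentRequest: pay 0.11 BTC to the attacker's output"


def parse_bip72_uri(uri):
    """Split a bitcoin: URI into (address, query params).

    Values are percent-decoded, so an r= URL that itself carries a
    (properly encoded) query string comes back intact.
    """
    scheme, sep, rest = uri.partition(":")
    if sep == "" or scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    return address, params


def payment_request_hash(pr_bytes):
    """Commitment value for h=: base64url(SHA-256(serialized PaymentRequest)), no padding.

    Assumed encoding for this example; a real wallet must use whatever its
    URI producer emits.
    """
    digest = hashlib.sha256(pr_bytes).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def commitment_matches(expected_h, pr_bytes):
    """Constant-time comparison of the fetched request's hash against the URI commitment."""
    return hmac.compare_digest(payment_request_hash(pr_bytes), expected_h)


def resolve_payment(uri, fetch):
    """Decide what to pay. fetch(url) -> bytes is injected so the example runs offline.

    Returns ("payment_request", bytes) when the fetched request matches the h=
    commitment; ("address", addr) when the URI carries no r= or no h= (assumed
    policy: never trust an uncommitted fetch, pay the BIP-21 address the user
    actually scanned); raises ValueError when the fetched request does not
    match the commitment, which is the MITM case the thread describes.
    """
    address, params = parse_bip72_uri(uri)
    if "r" not in params or "h" not in params:
        return ("address", address)
    pr_bytes = fetch(params["r"])
    if not commitment_matches(params["h"], pr_bytes):
        raise ValueError("PaymentRequest from %s does not match h= commitment; refusing to pay"
                         % params["r"])
    return ("payment_request", pr_bytes)


if __name__ == "__main__":
    committed_uri = EXAMPLE_URI + "&h=" + payment_request_hash(GENUINE_PR)
    print(resolve_payment(committed_uri, lambda url: GENUINE_PR)[0])
    try:
        resolve_payment(committed_uri, lambda url: TAMPERED_PR)
    except ValueError as err:
        print("rejected:", err)
    print(resolve_payment(EXAMPLE_URI, lambda url: TAMPERED_PR))
```

The commitment does not authenticate the merchant by itself; it binds the second, separately exposed HTTPS fetch to whatever channel delivered the QR code, which is exactly the gap the thread identifies. Whether a wallet should fall back to the scanned address or refuse entirely when `h=` is absent is a policy choice; the example picks the fallback so a plain BIP-21 URI keeps working.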