From: Pedro Worcel
To: Christopher Franko
Cc: bitcoin-development@lists.sourceforge.net
Date: Fri, 8 Aug 2014 13:07:04 +1200
Subject: Re: [Bitcoin-development] Miners MiTM

> the only protection is SSL + certificate validation on client side.
> However certificate revocation and updates in miners are pain in the ass,
> that's why majority of pools (mine including) don't want to play with that...

Another solution which would have less overhead would be to implement
something akin to what OpenSSH does. The OpenSSH client stores a certificate
fingerprint, which is then verified automatically upon further connections to
the server. The initial connection needs to be verified manually by the
operator, though.

> Certificate validation isn't needed unless the attacker can do a direct MITM
> at connection time, which is a lot harder to maintain than injecting a
> client.reconnect. This, combined with your concern about up to date
> certs/revokes/etc, is why BFGMiner defaults to TLS without cert checking for
> stratum.

Seems to me that it would correctly mitigate the attack mentioned in the Wired
article. I am surprised that miners are not worried about losing their
profits; I would personally be quite annoyed.

2014-08-08 12:37 GMT+12:00 Christopher Franko <chrisjfranko@gmail.com>:
> What exactly makes bitcoin less of a target than a "scamcoin" which I
> suspect means anything that != bitcoin?
>
> On 7 August 2014 20:29, slush <slush@centrum.cz> wrote:
>> AFAIK the only protection is SSL + certificate validation on client side.
>> However certificate revocation and updates in miners are pain in the ass,
>> that's why majority of pools (mine including) don't want to play with
>> that...
>>
>> slush
>>
>> On Fri, Aug 8, 2014 at 1:45 AM, Luke Dashjr <luke@dashjr.org> wrote:
>>> On Thursday, August 07, 2014 11:02:21 PM Pedro Worcel wrote:
>>> > Hi there,
>>> >
>>> > I was wondering if you guys have come across this article:
>>> >
>>> > http://www.wired.com/2014/08/isp-bitcoin-theft/
>>> >
>>> > The TL;DR is that somebody is abusing the BGP protocol to be in a
>>> > position where they can intercept the miner traffic. The concerning
>>> > point is that they seem to be having some degree of success in their
>>> > endeavour and earning profits from it.
>>> >
>>> > I do not understand the impact of this (I don't know much about BGP,
>>> > the mining protocol nor anything else, really), but I thought it might
>>> > be worth putting it up here.
>>>
>>> This is old news; both BFGMiner and Eloipool were hardened against it a
>>> long time ago (although no Bitcoin pools have deployed it so far). I'm
>>> not aware of any actual case of it being used against Bitcoin, though -
>>> the target has always been scamcoins.
>>>
>>> _______________________________________________
>>> Bitcoin-development mailing list
>>> Bitcoin-development@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
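The known_hosts-style scheme proposed in the reply above, as an added example that is not code from the thread, from BFGMiner, Eloipool or any pool. It connects over TLS with no CA validation (the BFGMiner default the thread mentions), records the pool certificate's fingerprint on the first, operator-verified connection, and refuses any later connection whose certificate differs. It also shows one way to handle the injected client.reconnect that the thread describes as the actual attack: a reconnect is followed only if its target already has a pin, so an unknown host suggested by the network is never trusted on first use. The class and function names, the JSON pin file format, the "pool.example" host and the sample certificate bytes are all assumptions made for this example; the reconnect policy is my design choice, not something the thread specifies.

```python
"""TOFU certificate pinning for a Stratum pool connection (added example,
not code from the thread, BFGMiner, Eloipool or any pool).

Assumed names/formats: PinStore, the JSON pin file, the hosts and the
constructed certificate bytes used in the examples.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated like openssl/ssh-keygen."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """known_hosts-style map of "host:port" -> certificate fingerprint.

    Pins live in a JSON file (assumed format) so they survive restarts;
    path=None keeps them in memory only.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host, port, der_cert, allow_tofu=False):
        """Verdict for a presented certificate:
        'ok'        matches the stored pin
        'pinned'    no pin yet, allow_tofu=True: stored (trust on first use)
        'unpinned'  no pin yet, allow_tofu=False: refuse
        'mismatch'  pin exists but differs: refuse, operator must investigate
        allow_tofu should be True only for the pool the operator configured
        by hand, never for a host suggested by the network.
        """
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        stored = self.pins.get(key)
        if stored is None:
            if not allow_tofu:
                return "unpinned"
            self.pins[key] = seen
            self._save()
            return "pinned"
        return "ok" if stored == seen else "mismatch"


def connect_pinned(host, port, store, allow_tofu=False, timeout=10):
    """Open a TLS socket with CERT_NONE, then enforce the pin.

    CERT_NONE alone is 'TLS without cert checking': it stops injection into
    an established stream but not a MITM at connect time. The pin check
    closes that gap for every connection after the verified first one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # binary_form=True yields the DER cert even though it was not validated
    verdict = store.check(host, port, tls.getpeercert(binary_form=True), allow_tofu)
    if verdict not in ("ok", "pinned"):
        tls.close()
        raise ConnectionRefusedError(f"{host}:{port}: certificate {verdict}")
    return tls


def reconnect_target(msg, store):
    """Vet a Stratum client.reconnect notification against the pin store.

    Returns (host, port) to dial only if that endpoint already has a pin.
    An injected reconnect to an unknown pool yields None and is ignored
    instead of being trusted on first use.
    """
    if msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params") or []
    if len(params) < 2:
        return None
    host, port = str(params[0]), int(params[1])
    return (host, port) if f"{host}:{port}" in store.pins else None
```

Usage: `connect_pinned("pool.example", 3333, PinStore("pins.json"), allow_tofu=True)` for the operator-configured pool, after checking the printed fingerprint against one obtained out of band; every later call leaves `allow_tofu` at False. Revocation is handled the same way OpenSSH handles a changed host key: the operator deletes the stale pin and re-verifies, so there is no CA or CRL for the miner to track.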