Author: Pedro Worcel 2014-08-08 01:07:04
Published on: 2014-08-08T01:07:04+00:00
In response to a Wired article about Bitcoin mining being targeted by attackers using the BGP protocol, Luke Dashjr explains that this is old news and that BFGMiner and Eloipool were both hardened against it some time ago. He adds that he has no knowledge of any actual case of such an attack being used against Bitcoin, though the target has always been scamcoins. Slush chimes in with the fact that SSL and certificate validation on the client side are currently the only protection, but the majority of pools do not want to deal with the pain of certificate revocation and updates in miners. Certificate validation isn't needed unless the attacker can do direct MITM at connection time, which is harder to maintain than injecting a client.reconnect. This is why BFGMiner defaults to TLS without cert checking for stratum. One solution would be to implement something similar to what OpenSSH does. The OpenSSH client stores a certificate fingerprint, which is then verified automatically upon further connections to the server. However, the initial connection needs to be verified manually by the operator. It appears that this solution would correctly mitigate the attack mentioned in the Wired article.
Updated on: 2023-06-09T01:59:44.103762+00:00