Author: Matt Whitlock 2015-01-28 16:51:06
Published on: 2015-01-28T16:51:06+00:00
In a conversation between Giuseppe Mazzotta and Mike Hearn on January 28, 2015, the topic of using OS root stores for certificates was discussed. Hearn reminded that it is not mandatory to use the OS root store and instead suggested taking a snapshot of Mozilla/Apple/MSFT certificate stores and loading it in the app. This approach is followed by bitcoinj to prevent BIP70 requests from working on some platforms and not others, but developers can override this and use the OS root store. However, Mazzotta pointed out that Mozilla/Apple/MSFT update these certificate stores based on their policies, and a snapshot/collection might get outdated at a different pace than the OS-provided certificates. This could lead to vulnerabilities in BitcoinJ using software if a root CA gets breached and a certificate gets revoked. Mazzotta expressed his concern over BitcoinJ shipping its own root CA certificates bundle, as it could leave all BitcoinJ-using software vulnerable until BitcoinJ ships an update and the software pulls in the new update. There is a possibility that this might never happen, making it a concerning issue.
Updated on: 2023-06-09T15:29:32.774988+00:00