Published on: 2015-03-24T12:08:03+00:00
The Bitcoin-development mailing list discusses the idea of using the hash of the genesis block as the chain ID. One member argues that forking bitcoins and bitcoinsB with the same owners doesn't make sense and that a new currency warrants defining a new chain. However, this is not a good reason to reject the hash of the genesis block as the chain ID. Another member raises concerns about interpreting messages on the wrong chain if there are two forked chains with different communities. The use of a central registry is also discussed as potentially harmful.

A unique approach has been adopted to replace the network identifier with the genesis block hash. This replacement ensures compatibility with Bitcoin Core and altcoins without requiring a central registry. However, messages may still be interpreted on the wrong chain if there are two forked chains with different communities.

A critical vulnerability in BlackPhone has been fixed, which allowed hackers to run malicious code on the handsets. Attackers only needed a phone number to compromise the devices via the Silent Text application. The vulnerability occurred during the deserialization of JSON objects and was a type confusion vulnerability. This flaw could allow an attacker to overwrite a pointer in memory. The use of C++/Java/Python protocol buffer implementations by Google for internal inter-server communication is also mentioned. Any exploit in these implementations could bypass their entire internal security system.

JSON has been known to generate bugs due to the lack of type marshalling and input validation. Protobufs and msgpack have addressed this issue by including type support and input validation in their designs. Some developers argue that creating a JSON-to-schema marshaller is not worthwhile since there are only three types: bytes, int, and string. They prefer coding the JSON wrapper classes by hand. Using third-party services to convert data to JSON has also been criticized as an unnecessary and high-effort solution.

The conversation revolves around the implementation of BIP70, a payment protocol for Bitcoin. One person suggests using JSON+HTTPS instead of BIP70, as it would be easier and sufficient for today's use case. Another person argues that BIP70 was designed to support hardware wallets by keeping the code small. Embedding certificates in BIP70 requests allows them to be verifiable by third parties. The conversation touches on the challenges of targeting WinRT and other platforms with a single codebase, as well as the pros and cons of bundling a custom root store.

The discussion is about the limitations of BIP70 and whether to allow both serializations or keep it as is. One of the goals of BIP70 was to support hardware wallets, which requires keeping the code small. Implementing JSON and HTTPS would increase cost and complexity and decrease security. Embedding certificates in BIP70 requests makes them verifiable by third parties, providing a form of digital receipt. The conversation also discusses the challenges of implementing BIP70 on different platforms and the pros and cons of bundling a custom root store.

The conversation between Mike Hearn and an unknown person discusses the limitations of BIP70 as a client-side technology. Using JSON and HTTPS is suggested as an alternative, but it would increase cost and complexity and decrease security. Embedding certificates in BIP70 requests allows them to be verifiable by third parties and provides a form of digital receipt. The conversation also highlights the challenges of targeting different platforms with a single codebase.

The burden of certificate verification in BIP70 is discussed. One person argues that using JSON and HTTPS would be easier for developers, while another person defends the use of certificates in BIP70 as necessary for verifiability by third parties. The conversation also touches on the difficulty of implementing BIP70 on certain platforms and the pros and cons of bundling a custom root store.

The discussion revolves around the use of JSON and schema in BIP70. It is argued that for the number of fields in the spec, having a JSON-to-schema marshaller is not worthwhile. Some developers prefer coding the JSON wrapper classes by hand. The conversation also discusses the benefits of using cross-platform libraries for protobuf and the challenges of dealing with X509 certificates.

In a conversation on January 28, 2015, using OS root stores for certificates is discussed. It is suggested that taking a snapshot of the Mozilla/Apple/MSFT certificate stores and loading it into the app would be a better approach. However, concerns are raised about outdated certificates and the potential vulnerability of BitcoinJ-using software if a root CA gets breached and a certificate is revoked.

The burden of certificate verification in BIP70 is placed on developers, but there is no obligation to use the OS root store. Taking a snapshot of the Mozilla/Apple/MSFT certificate stores is suggested as an alternative. However, this approach can lead to outdated certificates and potential vulnerabilities. Shipping an app with its own snapshot of certificates can make the system less secure and harder to audit.
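
The JSON type-handling concern summarized above (no type marshalling or input validation, with only bytes, int, and string to cover) can be illustrated with a hand-coded wrapper; this is an added example, not code from the mailing list thread or from any BIP70 implementation. The field names `amount`, `memo` and `script`, the hex encoding of bytes and the size limits are assumptions made for illustration.

```python
import json
import re

class FieldError(ValueError):
    """A field is missing, unexpected, duplicated or of the wrong type."""

def _unique(pairs):
    # json.loads silently keeps the last of two duplicate keys; refuse instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise FieldError(f"duplicate key: {key}")
        obj[key] = value
    return obj

def _no_const(name):
    # json.loads accepts NaN and Infinity by default; neither is valid JSON.
    raise FieldError(f"non-standard constant: {name}")

def _as_int(value):
    # bool is a subclass of int in Python, so compare the exact type.
    if type(value) is not int or not 0 <= value < 2**63:
        raise FieldError("expected integer in [0, 2**63)")
    return value

def _as_str(value):
    if type(value) is not str or len(value) > 512:
        raise FieldError("expected string of at most 512 characters")
    return value

_HEX = re.compile(r"(?:[0-9a-f]{2}){0,512}")
def _as_bytes(value):
    # Assumption of this example: bytes travel as lowercase hex strings.
    if type(value) is not str or not _HEX.fullmatch(value):
        raise FieldError("expected lowercase hex, at most 512 bytes")
    return bytes.fromhex(value)

# Hypothetical field names, one per type; not taken from any specification.
SCHEMA = {"amount": _as_int, "memo": _as_str, "script": _as_bytes}
SAMPLE = '{"amount": 1000, "memo": "order 17", "script": "76a914"}'  # constructed

def parse_request(text):
    try:
        obj = json.loads(text, object_pairs_hook=_unique, parse_constant=_no_const)
    except json.JSONDecodeError as exc:
        raise FieldError(f"malformed JSON: {exc.msg}") from None
    if type(obj) is not dict or set(obj) != set(SCHEMA):
        raise FieldError("expected an object with exactly the schema fields")
    return {name: check(obj[name]) for name, check in SCHEMA.items()}
```

Every value is checked against its exact expected type before any other code sees it, so a boolean, float, array or nested object in place of a field is rejected at the parsing boundary.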
Updated on: 2023-08-01T11:09:13.242345+00:00