Author: Peter Todd 2017-09-29 02:55:38
Published on: 2017-09-29T02:55:38+00:00
During a discussion on the Bitcoin development mailing list, it was suggested that the BIP-70 payment protocol is insecure. This payment protocol has significant overhead and requires back and forth communication. Instead of following the BIP-72 standard, which is deemed to be very dangerous and should be deprecated, people may continue to email a bitcoin address or print it on an invoice. The problem with the BIP-72 standard is that payment QR codes don't cryptographically commit to the identity of the merchant, meaning a MITM attacker can redirect the payment if they can obtain an SSL cert that the wallet accepts. A wallet following the BIP-72 standard will ignore the bitcoin address/amount/label/message in the URI and instead fetch a PaymentRequest message and then follow the payment protocol as described in BIP 70. Wallets are also likely using an off-the-shelf SSL library, with nothing other than an infrequently updated set of root certificates to use to verify the certificate. As an ad-hoc unstandardized extension, Android Wallet for Bitcoin supports a h= parameter with a hash commitment to what the payment request should be, and will reject the MITM attacker if that hash doesn't match. But that's not actually in the standard itself, and as far as we can tell has never been made into a BIP.
Updated on: 2023-05-20T04:07:34.712260+00:00