build: Add --disable-bip70 configure option #11622
Conversation
|
Concept ACK generally, though I'm curious where you see this going longer-term - do we want to deprecate BIP 70 support (I think I'd be generally in favor of this, it seems to provide almost 0 utility which results in it being mostly unused, and even if it were used broadly, its unclear that it provides any real security benefit) or start shipping binaries without BIP 70 support or will this just be yet another build-time option we support (which I'd definitely use)? |
|
Concept ACK after reading the discussion on IRC |
|
Should add to travis matrix? |
|
For information, I plan to make BIP70 deprecated into NBitcoin. (By removing it from main lib, and moving it to separate package) This led me to too much dependency issues, as well as cross implementation issues as you can't check correctly the signature of the payment request without serializing the payment request exactly as all other implementations does. (Typically, my implementation works against all wallets, except copay for reasons...) As a library/service developer, I would love to see another simple standard, filling the same need, Json simple binary based, just using HTTPS for securing the communication between wallet and server. I remember there was discussions about making a new payment protocol long time ago, I think it was initiated by @sipa. Concept ACK |
My opinion on it is really divided. I like BIP70 in concept (automatic refund addresses, key expiration, allowing the wallet to directly authenticate vendors, direct transaction submission), but not the technical implementation, and also not the dependency burden it puts on bitcoin core. Additionally it also seems the code is not maintained. No one is working on BIP70 support in bitcoin core. So I'm ok with signalling that in the future we might be going to deprecate it, without any commitments - this would be the first step, to allow builders to disable it. (my personal motivation is that I want to have the option to build the GUI without protobuf and without OpenSSL after the last remnants of OpenSSL use are removed from the rest of the code)
Seems to be better design anyhow. Here it's been peppered all over the GUI code :( Also for lib-ifying, isolating the parts affected like this is the first step.
Agree that that's a good idea to warrant that this keeps working. |
src/Makefile.qt.include
Outdated
| @@ -161,6 +160,9 @@ QT_MOC_CPP = \ | |||
| qt/moc_walletmodel.cpp \ | |||
| qt/moc_walletview.cpp | |||
|
|
|||
| QT_MOC_CPP_BIP70 = \ | |||
There was a problem hiding this comment.
IMO would be cleaner to just QT_MOC_CPP += (and BITCOIN_QT_CPP +=) the actual files below, keeping all the stuff together.
There was a problem hiding this comment.
I agree, but I just followed the flow already used in the makefile for the wallet, to not have to move large blocks around (which complicates review). A refactor like that could be done separately.
| @@ -1292,6 +1313,7 @@ echo " with wallet = $enable_wallet" | |||
| echo " with gui / qt = $bitcoin_enable_qt" | |||
| if test x$bitcoin_enable_qt != xno; then | |||
| echo " qt version = $bitcoin_qt_got_major_vers" | |||
| echo " with bip70 = $enable_bip70" | |||
There was a problem hiding this comment.
Probably would be better to mention "(payment protocol)" here as well.
There was a problem hiding this comment.
Yep. Although that breaks the alignment...
src/qt/bitcoin.cpp
Outdated
| @@ -250,8 +252,10 @@ public Q_SLOTS: | |||
| ClientModel *clientModel; | |||
| BitcoinGUI *window; | |||
| QTimer *pollShutdownTimer; | |||
| #ifdef ENABLE_WALLET | |||
| #if defined(ENABLE_WALLET) && defined(ENABLE_BIP70) | |||
There was a problem hiding this comment.
Might be less messy to just leave the pointer here and not use it.
There was a problem hiding this comment.
I don't think I agree. Accidentally using it would not generate a compile error in that case anymore.
There was a problem hiding this comment.
Can't we just allow ENABLE_BIP70 if ENABLE_WALLET is true? In that case #if defined(ENABLE_BIP70) would be enough all over the place.
There was a problem hiding this comment.
That'd make sense (ENABLE_BIP70 implying ENABLE_WALLET).
src/qt/bitcoin.cpp
Outdated
| @@ -659,7 +667,7 @@ int main(int argc, char *argv[]) | |||
| // Re-initialize translations after changing application name (language in network-specific settings can be different) | |||
| initTranslations(qtTranslatorBase, qtTranslator, translatorBase, translator); | |||
|
|
|||
| #ifdef ENABLE_WALLET | |||
| #if defined(ENABLE_WALLET) && defined(ENABLE_BIP70) | |||
There was a problem hiding this comment.
Won't this break opening non-BIP70 bitcoin: URIs?
There was a problem hiding this comment.
Yes, as a by-effect this currently removes bitcoin: URL support too.
(it probably shouldn't)
There was a problem hiding this comment.
That would break opening links from a browser or a mail client.
src/qt/coincontroldialog.cpp
Outdated
| #include "coincontroldialog.h" | ||
| #include "ui_coincontroldialog.h" | ||
|
|
||
| #include "addresstablemodel.h" | ||
| #include "base58.h" |
There was a problem hiding this comment.
These changes seem out of place here...?
There was a problem hiding this comment.
These extra includes are necessary now that paymentserver.h doesn't indirectly include them anymore.
src/qt/guiutil.cpp
Outdated
| @@ -9,6 +9,8 @@ | |||
| #include "qvalidatedlineedit.h" | |||
| #include "walletmodel.h" | |||
|
|
|||
| #include "base58.h" | |||
| #include "chainparams.h" | |||
src/qt/test/compattests.cpp
Outdated
| #include "paymentrequestplus.h" // this includes protobuf's port.h which defines its own bswap macos | ||
| #endif |
There was a problem hiding this comment.
Do we need to get bswap macros from somewhere else?
There was a problem hiding this comment.
No, we have our own bswap macros. The only reason this is tested is that there was a collision between our bswap macros and protobuf's. So commenting this out is harmless.
src/qt/test/wallettests.cpp
Outdated
| @@ -1,5 +1,6 @@ | |||
| #include "wallettests.h" | |||
|
|
|||
| #include "base58.h" | |||
|
"this breaks the dependency" -> "this removes the dependency"? I know the goal is to get rid of OpenSLL, but what's with Protobuf? Just fewer dependencies, or is there a specific problem with it? Breaking |
Advantage of less dependencies is mainly: less stuff to build while cross-compiling, less attack surface (yet another parsing library), etc.
I agree. It's |
laanwj
force-pushed
the
2017_11_bip70_disable
branch
3 times, most recently
from
c67de2e
to
a23a648
Compare
|
I've restored BIP21 functionality, sifting through paymentserver.cpp/h to disable the parts relating to payment requests, instead of removing the whole file from the build. |
laanwj
force-pushed
the
2017_11_bip70_disable
branch
from
a23a648
to
197188a
Compare
|
But |
Whoops, missed that. Fixed. |
|
Concept ACK |
|
Nice!
AFAIK OpenSSL (crypto) is still in use for the PRNG seeding (see currently closed #10299, waiting for new approach). |
Agree. The rand_ stuff should be removed in one go in a separate PR, it's orthogonal to the changes here. |
src/qt/bitcoin.cpp
Outdated
| @@ -647,7 +651,7 @@ int main(int argc, char *argv[]) | |||
| QMessageBox::critical(0, QObject::tr(PACKAGE_NAME), QObject::tr("Error: %1").arg(e.what())); | |||
| return EXIT_FAILURE; | |||
| } | |||
| #ifdef ENABLE_WALLET | |||
|
I did a I then tested BIP-21 using:
I think you need another |
laanwj
force-pushed
the
2017_11_bip70_disable
branch
2 times, most recently
from
7844b28
to
7311492
Compare
Thanks, added, also rebased and squashed. |
|
Warning is gone (also without the |
|
Concept ACK. Needs another rebase. |
This patch adds a --disable-bip70 configure option that disables BIP70 payment request support. When disabled, this removes the dependency of the GUI on OpenSSL and Protobuf.
|
It is my understanding that there are enough other wallets that do not implement BIP 70 that it probably makes sense to still target deprecating it. Either way, I think we should at least be targeting moving towards a world in which the bitcoin URI which generates a payment request includes a signature over the payment request (or a pubkey which will sign it), because the use of https/TLS alone to authenticate the payment request probably makes it end up with significantly worse overall security than simply not using BIP 70. |
|
I disagree. This is just reinventing the wheel. If you want to separate the payment processor from the merchant, just make so the payment processor give an https link to the merchant, and show the merchant domain of the merchant (+ certificate information if something could parse it before handling to the app) in the wallet inside the payment confirmation screen. Adding your own protocol for signing a payment request is a bad idea that should never have existed in the first place. It bring this kind of heavy weight dependency without any advantage. |
|
@NicolasDorier absolutely not...If you are purchasing from a merchant, then you're already interacting with their website and it is what gave you the payment link, we should be using that as a root-of-trust where at all possible, not using both that and existing SSL CAs (after all, no user is going to verify that the merchant XYZ is actually using https://co1nbase.com/ as their payment processor, or that the 1 should really be an i and they're getting mitm'd). |
|
I am not sure I understand.
Which I disagree, because the payment request already come from HTTPS link. HTTPS can be used to show who you are paying to on the mobile wallet. (no need of adding your own signature on top of that)
Which I completely agree but which seems to be the contrary of your previous sentence. |
|
@NicolasDorier My point is you start from a root of trust (the bitcoin: URI), which no one is going to do almost anything to cross-check (cause if it references co1nbase.com instead of coinbase.com, who cares? thats the link you got). We should thus be using that as the root of trust, instead of introducing a second one (CAs), where if someone has a cert for coinbase.com (either cause they broke a CA somehow, or because you have a bad CA installed due to your work/antivirus software), they can intercept a payment even after you got a good bitcoin: URI! |
|
If you get the signed payment request inside the |
|
The PKI usage in BIP70 is rarely used to verify the merchant itself, but is instead some third-party payment services provider (eg coinbase/bitpay/etc). Expecting to know which payment services provider a given merchant is using is not realistic for users, so I'm skeptical the PKI usage here is of really any value. Note that probably a better solution than requiring a signature over the payment request in the URI is requiring a public key which signs the eventual payment request in the URI. This also resolves the issue of having to get payment providers to get valid SSL/TLS certs for their domain and then use them for a secondary purpose (signing payment requests), which is generally (rightfully) considered bad practice. |
Yes I agree, PKI as used in BIP70 is useless. What I am arguing is that by successfully downloading the payment request over a HTTPS channel, you also verified PKI through whatever arbitrary trust store you use underneath. (OpenSSL, Windows trust store, or iOS trust store)
This is better, but you still have the problem of identity misbinding. How do you know that the public key which sign is coming from the merchant/coinbase? how can you be sure about the identity behind the key without relying on a PKI stack (SSL/TLS) or a web of trust? |
So what? You haven't gained anything in doing so aside from validating that your attacker is capable of getting an SSL cert issued, which is a free and automated process these days. Not sure what your point is here.
My point is you dont get that via BIP70 either, and I dont see that changing at any point in the future. Still, you do get this (somewhat) from bitcoin: URIs, as you may expect a user to only click such a link on the expected website's checkout flow (no different from where they enter their credit card). That is a very weak guarantee, but it is infinitely better than what BIP70 provides. |
|
Ah ok I think I understand you now. You then remove the PKI verification at BIP70 level (which is, as you said and I agree, useless). By doing so, you are sure that the payment uri and the payment request are at least bound together. I was confused because in general this bitcoin: uri is not generated by the merchant's website but by the payment processor. If both, the uri and the payment request is controlled by the payment processor, this scheme is not very useful. |
|
Why was this closed again? I think having an option that is disabled by default makes it easier for people to compile from source without having to pull in a ton of dependencies and build mess. See e.g. #14273, which could simply be worked around by setting |
|
AFAIK our BIP70 support isn't compatible with Bitpay anyways (because they require spec violating behaviour), so I don't know if that argument for not having this option applies. |
|
@gmaxwell I use BitPay occasionally with Bitcoin Core. The payment goes through just fine, but you get an error popup afterwards. |
…thout BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of #11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
|
Removed "Up for grabs", this was done in #14451. |
This patch adds a --disable-bip70 configure option that disables BIP70 payment request support. When disabled, this removes the dependency of the GUI on OpenSSL and Protobuf. Github-Pull: bitcoin#11622 Rebased-From: 04c52eb
… GUI without BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of bitcoin#11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
… GUI without BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of bitcoin#11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
… GUI without BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of bitcoin#11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
… GUI without BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of bitcoin#11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
… GUI without BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of bitcoin#11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
… GUI without BIP70 support 48439b3 Don't link SSL_LIBS with GUI unless BIP70 is enabled (James Hilliard) fbb643d Add BIP70 deprecation warning (James Hilliard) 38b9850 qt: cleanup: Move BIP70 functions together in paymentserver (Wladimir J. van der Laan) 9dcf6c0 build: Add --disable-bip70 configure option (Wladimir J. van der Laan) Pull request description: This is based off of bitcoin#11622 and adds a deprecation warning when a BIP70 URL is used. Rational: - BIP70 increases attack surface in multiple ways and is difficult for third party wallets to implement in a secure manner - Very few merchants use the standard BIP70 variant supported by Bitcoin Core - The one major payment processor that doesn't support BIP21 and currently uses a customized non-standard version of BIP70 has indicated that "Unfortunately the original BIP70 is not useful for us." Tree-SHA512: 1e16ee8d2cdac9499f751ee7b50d058278150f9e38a87a47ddb5105dd0353cdedabe462903f54ead6209b249b249fe5e6a10d29631531be27400f2f69c25b9b9
This patch adds a --disable-bip70 configure option that disables BIP70 payment request support in the wallet GUI. BIP70 support remains enabled by default.
When disabled, this breaks the dependency of the GUI on OpenSSL and Protobuf.
(triggered by discussion on IRC today)