Encrypted RPC requests #16862

issue 3s3s opened this issue on September 13, 2019
  1. 3s3s commented at 1:53 PM on September 13, 2019: none

    Is your feature request related to a problem? Please describe.

    A virus on a computer can listen to unencrypted RPC traffic and an attacker can steal Bitcoins even from an encrypted wallet

    Describe the solution you'd like

    It is necessary to implement support for encrypted public key RPC calls in Bitcoin Core as it done in the https protocol

  2. 3s3s added the label Feature on Sep 13, 2019
  3. emilengler commented at 3:38 PM on September 13, 2019: contributor

    IIRC RPC requests are over http (correct me if I am wrong). Bit I agree that we need SSL support

  4. sipa commented at 3:44 PM on September 13, 2019: member

    A virus on the computer can replace the bitcoind binary with one that steals your coins regardless. There is no way around running Bitcoin on trusted hardware.

    If you really need SSL encrypted RPCs, use stunnel or something similar. Bitcoin Core used to actually support SSL encrypted RPC, but support was removed because (1) it sets up incorrect expectations (against many attack scenarios it does not help) and (2) it was a pain to setup and maintain.

  5. 3s3s commented at 4:09 PM on September 13, 2019: none

    We can easily authenticate bitcoind with hash or other checksum, but it’s much harder to learn about listening RPC traffic and to recognize the authenticity of RPC requests

    How stunnel can help to prevent from sniffing RPC on localhost?

  6. sipa commented at 4:18 PM on September 13, 2019: member

    Again, if the attacker has that kind access to the machine that runs bitcoind, he can do lots of other things too. Overwriting the binary is just one. Another is just reading the decrypted keys from RAM, or adding his own keys to the keypool in wallet.dat, making sure change gets sent to him at some point in the future long after he left the machine.

  7. 3s3s commented at 4:38 PM on September 13, 2019: none

    I think that readig specific region of RAM from another process is too complicated operation by comparison with traffic listenig. Sniffing is the most common functionality of trojans, but RAM listenig should by designed for one specific process with one specific binary version

    And I do not known about possibility of changing encrypted wallet.dat. Is it possible?

  8. sipa commented at 4:56 PM on September 13, 2019: member

    Sorry, that's nonsensical. All it needs is one smart guy to write a tool for hijacking wallets by running in a place with sufficient access to bitcoind. The threat model cannot possibly protect against that. Trying to use encrypted traffic to circumvent that will only contribute to a false sense of security.

    Here is the discussion around removing it: #5677 (comment) and here: https://bitcoin.stackexchange.com/a/39118/208

  9. 3s3s commented at 5:15 PM on September 13, 2019: none

    That discussion is about "expose bitcoind RPC to a public accessible area" But using encrypted RPC on localhost was not discussed. I think encrypting RPC on localhost will really increase security.

  10. sipa commented at 5:20 PM on September 13, 2019: member

    I think encrypting RPC on localhost will really increasy security.

    I've shown that it cannot. At best it makes attacks a bit more complex, but the security assumptions remain the same: if you have local access to the server process, you cannot hope to have any security.

  11. 3s3s closed this on Sep 13, 2019
  12. DrahtBot locked this on Dec 16, 2021
Contributors
3s3semilenglersipa
Labels
Feature
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-29 03:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me