Myth: the Payment Protocol is bad for privacy

[Gavin Andresen]

In another thread marcus of augustus says:

Another "Troll" here:

On the minus side of the ledger, Gavin omitted to mention the X.509 privacy-destroying functionality for the unaware that has been implemented as the default behavior of the "payment protocol" in 0.9 clients.

I'll break my rule about feeding trolls again to debunk for about the hundredth time the myth that the use of X.509 certificates in the payment protocol is bad for privacy.

It is not.

If you are in a customer/merchant situation, the customer's privacy is not affected AT ALL. The merchant's identity is in the X.509 certificate, the customer is as anonymous as always (which is very often "not anonymous", because the merchant needs to know something about the customer to deliver their product).

If you are a merchant, then part of the PURPOSE of the payment protocol is to provide a cryptographically secure, verified-in-some-way identity.

If you are a merchant and want an pseudanonymous then that is easy: set up an anonymous email address and then get a free email certificate from any of the certificate authorities that provide them.

If you have a philosophical hatred of X.509 and certificate authorities... then please invent a better identity verification system and get the world to adopt it. The payment protocol is specifically designed to make it easy to slide in a better system.

(but if you have a philosophical hatred of X.509 then what are you doing posting here at bitcointalk, whose security relies on the very X.509 certificates you find so despicable? There ARE alternatives, you should go hang out in forums.i2p or a Tor-based forum...)

[1714114317]

1714114317

[1714114317]

1714114317

[1714114317]

1714114317

[BitCoinDream]

If you are in a customer/merchant situation, the customer's privacy is not affected AT ALL. The merchant's identity is in the X.509 certificate, the customer is as anonymous as always (which is very often "not anonymous", because the merchant needs to know something about the customer to deliver their product).

That is only in case of tangible products. For digital products or online services merchant may not come to know the identity of the customer unless he/she deliberately discloses it.

[genjix]

http://www.crn.com/news/security/231600847/300-000-iranian-ip-addresses-compromised-in-diginotar-ssl-hack.htm

good luck with that on silk road

[Mike Hearn]

Tor has a couple of problems and isn't very different from a security perspective to the SSL hierarchy.

One is that people obtain Tor from a regular website, which is only guaranteed to be secure via SSL. So there's a bootstrapping problem.

Another problem is that on Tor, addresses are meaningless so it's easy to MITM people with phishing attacks. Silk Road tried to solve this by brute forcing an onion key with their name in it but phishing was still pretty common. Also the Tor developers are considering a new hidden service protocol that would make the onion addresses a lot longer, at which point brute forcing a prefix would not achieve much beyond requiring phishers to match the brute force because the suffix would be un-memorisable.

The problem of binding a human understandable and memorisable name to a public key is what certificate authorities are for. Tor doesn't solve that problem or even try: it just assumes you have a way to obtain the public key (onion address) for the website in a secure manner and punts on the whole issue of how that happens. Silk Road had a key hash that was short enough that you might be able to tell it to someone using your voice and have them remember it, or you could write it down, but that's certainly not any guarantee - Zooko's triangle posits that you can have an identifier that's secure, or memorable, but not both.

There's also some other more practical issues: one is that websites aren't going to migrate to Tor just to avoid certificate authorities, so the payment protocol has to work with the regular internet, which means X.509.

Another is that Tor is more centralised than the certificate authorities are: there are only seven directory authorities, and Tor is largely funded by the US government. There are about 100 independent CAs spread around the world and they're funded by their users.

(edited to remove erroneous statement)

[piotr_n]

What a bunch of crap.

First of all, had you invented a feature that people actually needed, the community would have embraced it without you advertising the shit all over.

Second, why would we want to "invent a better identity verification"?
Unlike you, there are people who don't like wasting time on developing useless features.
We've been doing really fine without your super payment protocol, just by using the old fashion GPG and its WoT.
And trust me: we are going to be still doing fine using these archaic tools.
The already implemented stealth addresses, combined with GPG's WoT, are far much better solution, then you shitty payment protocol based on central authorities run by corporations.
But how would you even know about an existence of such things, when you don't see anything behind the tip of your nose?

And last, but not least: it is bad for privacy!
You cannot get a certificate without providing your personal data to CA. And CA is a corporation that will always give this data out - if not for money than on a government's order. You cannot seriously pretend that you don't know it.
At the other hand, from the paying side, when I get to a merchant's web page that gives me SSL authenticated bitcoin deposit address and the amount I ought to send - why in a world would it not be enough for me?
Why would I need an additional, payment request, signed with exactly the same certificate?
Well, of course I don't need it, but you obviously very much care about us needing to use your payment requests... I just wonder why.

For me it is pretty obvious that you have developed this feature because some corporations delegated you to develop it.
And on this you spent like what, two years of development? And now you are disappointed because nobody wants to use it.

You wasted two years of time to develop this useless feature, while there were so much more important issues to address in the bitcoin software.
And here we are; few years later, the blocks are getting full and the only solution the bitcoin core lead dev has to address it, is still the same: we must increase the block size! Why we must increase the block size? Well, two reasons:
1) Because Gavin has not moved a finger to address any of the scalability issues. Decentralized off-chain transaction is apparently something that he was forbidden to purchase, since these solutions would make coin tracking much more complicated. Unlike the payment protocol..
2) Because he says, he doesn't care about mining. Well, keep not caring about mining, man - that will surely pay off for you

So to wrap up my post: well done, Gavin! As a bitcoin core developer, you can be really proud of yourself, for providing the community with features that one part doesn't care about, while the other part finds hostile to the actual bitcoin principles. And all at the cost of features that the community has been actually waiting for.

[rme]

What a bunch of crap.

First of all, had you invented a feature that people actually needed, the community would have embraced it without you advertising the shit all over.

Second, why would we want to "invent a better identity verification"?
Unlike you, there are people who don't like wasting time on developing useless features.
We've been doing really fine without your super payment protocol, just by using the old fashion GPG and its WoT.
And trust me: we are going to be still doing fine using these archaic tools.
The already implemented stealth addresses, combined with GPG's WoT, are far much better solution, then you shitty payment protocol based on central authorities run by corporations.
But how would you even know about an existence of such things, when you don't see anything behind the tip of your nose?

And last, but not least: it is bad for privacy!
You cannot get a certificate without providing your personal data to CA. And CA is a corporation that will always give this data out - if not for money than on a government's order. You cannot seriously pretend that you don't know it.
At the other hand, from the paying side, when I get to a merchant's web page that gives me SSL authenticated bitcoin deposit address and the amount I ought to send - why in a world would it not be enough for me?
Why would I need an additional, payment request, signed with exactly the same certificate?
Well, of course I don't need it, but you obviously very much care about us needing to use your payment requests... I just wonder why.

For me it is pretty obvious that you have developed this feature because some corporations delegated you to develop it.
And on this you spent like what, two years of development? And now you are disappointed because nobody wants to use it.

You wasted two years of time to develop this useless feature, while there were so much more important issues to address in the bitcoin software.
And here we are; few years later, the blocks are getting full and the only solution the bitcoin core lead dev has to address it, is still the same: we must increase the block size! Why we must increase the block size? Well, two reasons:
1) Because Gavin has not moved a finger to address any of the scalability issues. Decentralized off-chain transaction is apparently something that he was forbidden to purchase, since these solutions would make coin tracking much more complicated. Unlike the payment protocol..
2) Because he says, he doesn't care about mining. Well, keep not caring about mining, man - that will surely pay off for you

So to wrap up my post: well done, Gavin! As a bitcoin core developer, you can be really proud of yourself, for providing the community with features that one part doesn't care about, while the other part finds hostile to the actual bitcoin principles. And all at the cost of features that the community has been actually waiting for.

Please show some respect, X.509 certificates are good for sites like Coinbase, Bitpay, Bitstamp deposit or similars.
They are not meant for the average user, they are meant for the average bussines.

It is very useful to click a Bitpay payment link and dont have to double check the address (Bitcoin Core already shows a green background), It is very useful to have a receipt of every payment (verificable cryptographically) if something goes wrong, Its very useful to specify a return address (satoshidice problems with hosted wallets...).

If you dont like this features you can fork Bitcoin Core 0.7 and develop by yourself, I would like to download PiotrCore 0.9.1 to see its features.

[benjyz]

Well, there is a partly alternative working system- Namecoin, although it can't deal with key distribution. If you're referring to X.509 you're actually referring to DNS. The DNS is controlled by the Internet corporation which defines who can issues certificates and domain names. So perhaps we can start with the acknowledgement of how the Internet actually works. X509 is an encoding standard. The Internet's root is controlled by a vast system of corporations and governments, and some opensource contributions (and very occasionally an Internet activist, see http://en.wikipedia.org/wiki/David_Chaum#cite_note-Cha81-20). How much do you users of the Internet (and Bitcoin) have to say about its inner workings? Is Bitcoin democratic/decentralized/anarchistic/...? And if so how does that relate to the development process? There is a mythology that Bitcoin follows the opensource model. Well, for example Linux ultimately depends on the discussion of one person (BDFL).

I think you're using the wrong terminology. What is a "payment" and what is a "merchant"? These concepts don't exist in Bitcoin. Bitcoin knows about keys, nodes and transactions. So you're imposing your own world view (literally) onto the system, without even the suggestion of an argument. The first thing would be to realize that Bitcoin is not just about cryptography and software, but economics, law, politics, etc. But you're basically stating apriori you don't want to deal with any of these complex problems. For example the whole notion of privacy is completely interlinked with law. Law of nation states operate on the principle that you can identify people (and indeed staying completely private is illegal in any country).

[piotr_n]

Please show some respect, X.509 certificates are good for sites like Coinbase, Bitpay, Bitstamp deposit or similars.
They are not meant for the average user, they are meant for the average bussines.

Exactly my point. This feature was developed for businesses, on their request, not for the bitcoin community on its request.

It is very useful to click a Bitpay payment link and dont have to double check the address (Bitcoin Core already shows a green background), It is very useful to have a receipt of every payment (verificable cryptographically) if something goes wrong, Its very useful to specify a return address (satoshidice problems with hosted wallets...).

When I read that something is "very useful", the first question that comes to my mind is: how did you measure the very usefulness of it?
Obviously you didn't measure it - you are just giving us your subjective opinion.

As I said, had bitcoin users found these things "very useful" (and safe), they would have used them.
But they don't use the payment protocol and I seriously doubt that they ever will. Maybe a few, but definitely not most of us.

People are not stupid. You are not going to lure them into endangering their privacy by giving them a receipt of a payment.

If you dont like this features you can fork Bitcoin Core 0.7 and develop by yourself, I would like to download PiotrCore 0.9.1 to see its features.

Thank you for your permission. That's very generous.

In case you didn't notice, recently there has been major movement in alternative bitcoin solutions and alternative clients are already much further with new features, especially the ones that concern privacy. And mine is one of them, though it didn't have to come from any fork, I made it from scratch.

Considering that the Bitcoin Core goes against the current and the people's demand, it is rather inevitable that sooner or later it will only be used for mining.
Though only till the moment when miners finally realize that they have an alternative so they don't need to use software developed by a guy who proudly states in public that he doesn't care about mining.

[JackH]

I dont get it, how does X.509 give us issues with anonymity piotr_n?

You dont really define what the central authority is and what data that central authority retains due to X.509 being implemented in Bitcoin. At least make your case solid by explaining the problem in details instead of screaming out with a tin foil hat on your head.

[benjyz]

Another is that Tor is more centralised than the certificate authorities are: there are only seven directory authorities, and Tor is largely funded by the US government. There are about 100 independent CAs spread around the world and they're funded by their users.

CA's are "funded by their users"? How so? If you want to find out more about how CA's work I recommend this page: https://www.icann.org/resources/pages/certificate-authority-2012-02-25-en . Starting a discussion on that basis is difficult.

Tor is more "centralized" than CA's? The claim that Tor is "funded" by the US government is pretty far out there - I would like to see more detailed evidence for such claims. Here is a list of sponsors: https://www.torproject.org/about/sponsors.html.en

The TOR protocol was basically invented by David Chaum in 1981, http://en.wikipedia.org/wiki/Mix_network. It's the same guy who laid for the foundation for Bitcoin in the 80's. Clearly the idea of a mixing network is the exact opposite of attaching identities to nodes. In the link I posted above he argued recently that all routers could/should be TOR nodes. The whole point of mixing is to detach identity from actors. The whole point of CA's is the opposite.

[genjix]

piotr has a point. this was made not because it benefits p2p transfers or small business, but because developers are working for corporations.
you know if you're pushing tech like this, and then guiding development proposing to remove the block size limit .etc that's a dangerous thing. we can totally get rid of that and all the limits and have bitcoin owned by a cartel of corporations if you like... at least then transfers will be cheap but it will be the same as the banking cartel we have now.
but i get it, bitcoin for you is a nice fun way for consumers to make payments better between their centralised coporate silos legitimised through government legislation. bitcoin for americans.
what happens when the liberatory aspects of bitcoin come in conflict with the utility as a payments system? which will you favour at the expense of the other?
the features you work to promote, are the aspects of bitcoin that are grown, and don't forget the consensus.

mike, i don't even know what you're talking about. you are such a boot licker it's hilarious.

[piotr_n]

I dont get it, how does X.509 give us issues with anonymity piotr_n?

You dont really define what the central authority is and what data that central authority retains due to X.509 being implemented in Bitcoin. At least make your case solid by explaining the problem in details instead of screaming out with a tin foil hat on your head.

I said it, but if you insist, I can elaborate.

In order to acquire a certificate (which you need to sign the payment requests with), you must leave your personal details at a CA.
Your full name, your email, where you live, even your phone number.
Who is going to do this? Basically only corporations. Plus maybe a couple of crazy people..

Now, as a payer, you do not need a certificate, but then how does the payment protocol help you with anything?
Obviously you are not going to use it for sending money to your friends or buying stuff on black markets. You are also not going to use it for p2p bitcoin trading, nor for withdrawing your bitcoins from exchanges.
You may only be using it for sending your bitcoins to corporations (or the few crazy people). But each corporations already had a web page secured by SSL certificate - so why the hell to waste bitcoin development resources on them?
Better security? Give me a break! It does not make it anyhow more secure, to let a client extract a payment address from a binary file, rather than to let me just copy it from a web page, protected by the very same certificate.

Also, when you provide the refund address, this address identifies your wallet - another privacy concern.
And of course the recipient - a "very useful" thing, as someone has just said. The thing is that storing the receipts also keeps track of your past payments, which not everyone may be a fan of.
Not to mention that both; receipts and return addresses are already used in the bitcoin world, yet without the payment protocol.

In other words: they spent couple of years of development to reinvent the wheel.
A wheel which now needs a permission from a central certificate authority in order to work.
How crazy is that?


Moreover, let me remind you that very soon after 0.9.0 was released, there was a critical security issue reported in OpenSSL.
Basically a backdoor that could even cause your private keys to leak out from your wallet, through the "secured" payment protocol channel.
It was fixed - yes, but do you really believe that this is going to be the last critical security issue ever discovered in OpenSSL? Well, if you do, then you must be a very naive person and have no much experience with software development. Everyone who is so stubborn to build secured applications around the messy openssl lib is IMHO insane.

BTW, I remember someone once assured me that the bitcoin client would not connect to any server when doing the payment protocol things. No matter what, it wasn't supposed to connect anywhere!
But then it makes me wonder: how is it possible that a payment protocol was vulnerable to the heartbleed bug, if it wasn't connecting anywhere?
Obviously someone had lied to me - obviously there are some connections, just not quite official.
So why did that someone lie to us?
Well, either because he is incompetent and he has no clue what kind of software he develops, or because he is just a liar.
Either way - a wrong person to develop a software for my needs.

[justusranvier]

So to wrap up my post: well done, Gavin! As a bitcoin core developer, you can be really proud of yourself, for providing the community with features that one part doesn't care about, while the other part finds hostile to the actual bitcoin principles. And all at the cost of features that the community has been actually waiting for.

This is the crux of the issue - the payment protocol is bad for privacy because of what it doesn't do.

One of the biggest problems for Bitcoin privacy is that the way we use it now does not allow for merge avoidance strategies. A good (privacy-respecting) payment protocol would not deliver to the client a fixed list of outputs - it would deliver information that would allow the client to construct as many outputs as it desired.

That also ties in with the plague of address reuse, which is still an unsolved problem since the standardization on deterministic wallets hasn't happened yet.

[kjj]

At the other hand, from the paying side, when I get to a merchant's web page that gives me SSL authenticated bitcoin deposit address and the amount I ought to send - why in a world would it not be enough for me?
Why would I need an additional, payment request, signed with exactly the same certificate?

Good luck taking your screenshot of the "SSL authenticated bitcoin deposit address and the amount" to court when the merchant claims you didn't pay.

In other words, you don't really understand which problems the payment protocol is trying to solve.

[benjyz]

At the other hand, from the paying side, when I get to a merchant's web page that gives me SSL authenticated bitcoin deposit address and the amount I ought to send - why in a world would it not be enough for me?
Why would I need an additional, payment request, signed with exactly the same certificate?

Good luck taking your screenshot of the "SSL authenticated bitcoin deposit address and the amount" to court when the merchant claims you didn't pay.

In other words, you don't really understand which problems the payment protocol is trying to solve.

Which court? If the merchant is in Chile and the customer in Russia, what use is this? Bitcoin is a global system, but there is no world court people can go to, to settle disputes. This can in theory only apply if the two parties agree which court settles disputes, and the court even considers itself responsible. If you're drafting social protocols you should have some understanding of how economic transactions work. Commercial transactions consist of much more than just the payment itself (what happens if there is no delivery, delivery not on time, bad deliveries, ...). And if you want to integrate with legal systems via software, you better clearly specify what you're talking about. Since when is the Bitcoin network dependent on courts?! And if the payment protocol addresses any of these issues, why is it not stated in the draft protocol. That's what these kinds of documents are there for. You would find that it would be much like writing law, because you would have to first define merchants, customers, payments. And then Bitcoin is not about "payments" between merchants and customers. It's about transactions between peers. So the nature of the system and the debate already has shifted dramatically.

[piotr_n]

Good luck taking your screenshot of the "SSL authenticated bitcoin deposit address and the amount" to court when the merchant claims you didn't pay.

Who said anything about screenshots?

I meant something like the receipts localbitcoins issues. Or whatever message "pay this amount, to this address, for this product", signed with a private key - that's all you need for a digital receipt, mr big smartass but small imagination.

And BTW, good luck taking your payment protocol receipt to court when the merchant claims you didn't pay.
You are obviously living in a dream world. Though most Americans do, so you are just following the pattern.

[benjyz]

And BTW, good luck taking your payment protocol receipt to court when the merchant claims you didn't pay.

It will work for the same jurisdiction, but not cross-jurisdiction. It could even be such that a merchant has to automatically acknowledge if a payment was received via the public blockchain. One example implementation would be forcing the merchant to use a certain address which is attached to the name (the merchant wouldn't be able to generate arbitrary addresses). In effect that's what the DAC/smart contract ideas are about. Registering a corporation is equivalent to assinging a payment address to a legal entity. A limited liability company is in a sense nothing else than a restricted account. Some of this can be implemented today, but I very much doubt that Bitcoin is going to be the system doing this (i.e. anything interesting in the future).

[piotr_n]

And BTW, good luck taking your payment protocol receipt to court when the merchant claims you didn't pay.

It will work for the same jurisdiction, but not cross-jurisdiction. It could even be such that a merchant has to automatically acknowledge if a payment was received via the public blockchain. One example implementation would be forcing the merchant to use a certain address which is attached to the name (the merchant wouldn't be able to generate arbitrary addresses). In effect that's what the DAC ideas are about.

Well, if I didn't know a few people who were told by their lawyers that digital receipts (issued by localbitcoins) would not be accepted as an evidence in court, then I would have also thought like this.

The problem is that our justice system is still in a previous century. They don't know what a digital signature is and they are more likely to accept a piece of paper that came from a printer, rather than a digitally signed file.

I am not saying that no court would ever accept a digitally signed receipt, but I am saying that they are very reluctant to do so.

[kjj]

At the other hand, from the paying side, when I get to a merchant's web page that gives me SSL authenticated bitcoin deposit address and the amount I ought to send - why in a world would it not be enough for me?
Why would I need an additional, payment request, signed with exactly the same certificate?

Good luck taking your screenshot of the "SSL authenticated bitcoin deposit address and the amount" to court when the merchant claims you didn't pay.

In other words, you don't really understand which problems the payment protocol is trying to solve.

Which court? If the merchant is in Chile and the customer in Russia, what use is this? Bitcoin is a global system, but there is no world court people can go to, to settle disputes. This can in theory only apply if the two parties agree which court settles disputes, and the court even considers itself responsible. If you're drafting social protocols you should have some understanding of how economic transactions work. Commercial transactions consist of much more than just the payment itself (what happens if there is no delivery, delivery not on time, bad delivers, ...). And if you want to integrate with legal systems via software, you better clearly specify what you're talking about. Since when is the Bitcoin network dependent on courts?! And if the payment protocol addresses any of these issues, why is not stated in the draft protocol. Just because this idea is in someone's head doesn't make it a fact. The Bitcoin developers "in charge" should really think harder about these issues. And if they claim no one is in charge, then please find someone to understand the economics and write proper protocols.

If I'm following you correctly, you think that there should be no courts because they can't help in all disputes?  That every transaction should be spelled out in complete detail, even though it is pointless because neither party needs to follow it?

The vast majority of internet transactions are "local" to one judicial system, and also follow a standard template (I pay you X, you send me Y).  A signed statement of X and Y, along with blockchain evidence that X was completed, gives the purchaser some confidence that they will have some useful recourse in the event that the vendor fails to complete Y.

Good luck taking your screenshot of the "SSL authenticated bitcoin deposit address and the amount" to court when the merchant claims you didn't pay.

Who said anything about screenshots?

I meant something like the receipts localbitcoins.com do.
Or whatever message "pay this amount, to this address, for this product", signed with either bitcoin address, or a PGP key - that's all you need for a digital receipt, mr big smartass but little imagination.

And BTW, good luck taking your payment protocol receipt to court when the merchant claims you didn't pay.
You are obviously living in a dream world. Though most Americans do, so you are just following the pattern.

And how is PGP or bitcoin signing any better?  Do you ask the court for a subpoena to search all of their records for evidence that they possess the private key that signed your receipt?  Or do you think that the judge will take your word for it that you've brought suit against the correct party?

One nice thing about being an American is knowing that our courts do, for the most part, understand cryptography and digital signatures.

[piotr_n]

And how is PGP or bitcoin signing any better?  

Not too bright.

It is better, because I don't need to send a stool sample to a corporation, in order to receive the signing key.

Do you ask the court for a subpoena to search all of their records for evidence that they possess the private key that signed your receipt?  Or do you think that the judge will take your word for it that you've brought suit against the correct party?

So what the court would do differently, with your digital receipt?
It would go just the same way; whoever signed it can simply testify that someone hacked his server, stole the key and therefore it wasn't him who signed this data.
Or better: the key leaked out through the heartbleed issue. Go ahead and prove that it didn't...

And at that moment the case is closed - you cannot use such a receipt even to wipe up your own ass.

One nice thing about being an American is knowing that our courts do, for the most part, understand cryptography and digital signatures.

Right... that must be the kind of signatures you use under the death sentences, when executing people all over the world. Shortly before the missile hits a peasant, or his kid, there is a quick and efficient algo, built into the system, that digitally signs the sentence, so they'd get executed in compliance with your very democratic constitution end extremely solid justice system.