Bitcoin Forum
Author Topic: Is the security of the trusted root cert the weak link in BIP-70?  (Read 931 times)
DeathAndTaxes (OP), Donator, Legendary (Gerald Davis), Activity: 1218, Merit: 1079
January 14, 2015, 04:58:22 PM, #1
Last edit: January 14, 2015, 06:42:57 PM by DeathAndTaxes

Is the security of the trusted root cert the weak link in BIP-70?  While BIP-70 prevents a MITM attack or a substitution attack on the receiver's end it fails if the user's system is compromised.  If the user's system is compromised by malware (common way to steal bitcoins) then the attacker can feed the user misinformation by a number of ways including providing a false "trusted root cert".

It would seem to me that the trusted root cert would need to be inaccessible to the attacker to provide any real security from the most obvious attack vector. I assume the unstated assumption is that the user will be using some type of hardware device. Either a secure hardware bitcoin wallet, some general purpose PKI hardware device i.e. TPM (trusted platform module), or even HSM.  Am I missing anything?

btchip, Hero Member, Activity: 623, Merit: 500 (CTO, Ledger)
January 14, 2015, 05:56:02 PM, #2

I'd agree with that, and it's unfortunately a generic PKI validation issue, considering revocation doesn't work well either - also having the specification suggesting to 'display the "Common Name" in the first X.509 certificate' to identify the sender probably doesn't help :)

I'm currently testing such a scheme with our hardware wallet, which might be interesting as a reference when discussing this topic if it proves to be successful: https://ledgerhq.github.io/btchip-doc/bitcoin-technical-beta.html#_personal_bip_70_certificates_user_validation - external users can choose to trust specific Payment Requests coming from a known secure root, with their own definition of secure.
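The pinned-root scheme btchip describes, as an added Go example that is not code from this thread or from Ledger: the wallet checks the BIP-70 certificate chain against roots it pins itself rather than the host's CA store (which malware on a compromised host can edit), so a request that carries the same Common Name but chains to an unpinned root is rejected. The function names, the merchant and root names, and the PaymentRequest bytes are constructed for the example; "x509+sha256" is taken here as RSA with SHA-256 over the serialized request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// issue returns a certificate for cn: a self-signed CA when parent is nil, otherwise a leaf signed by parentKey.
func issue(cn string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { parent, parentKey = tpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// verifyRequest is the BIP-70 "x509+sha256" check with one deliberate difference: the merchant leaf must
// chain to a root the wallet pins itself, never to the host's CA store. On success it returns the leaf
// Common Name, the string the spec says to display as the payee.
func verifyRequest(leaf *x509.Certificate, pinned *x509.CertPool, body, sig []byte) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pinned}); err != nil { return "", err }
	if err := leaf.CheckSignature(x509.SHA256WithRSA, body, sig); err != nil { return "", err }
	return leaf.Subject.CommonName, nil
}

// Demo pins only the merchant's root. A second request with the same Common Name and a signature that
// verifies under its own leaf, but issued from a root the wallet never pinned, must be rejected.
func Demo() (cn string, goodErr, spoofErr error) {
	body := []byte("constructed stand-in for the serialized PaymentRequest, signature field empty")
	rootKey, leafKey, badKey := newKey(), newKey(), newKey()
	root := issue("Wallet Pinned Root", rootKey, nil, nil)
	leaf := issue("merchant.example", leafKey, root, rootKey)
	spoof := issue("merchant.example", leafKey, issue("Unpinned Root", badKey, nil, nil), badKey)
	pinned := x509.NewCertPool()
	pinned.AddCert(root)
	d := sha256.Sum256(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA256, d[:]) // same key in both leaves, so sig is valid for both
	cn, goodErr = verifyRequest(leaf, pinned, body, sig)
	_, spoofErr = verifyRequest(spoof, pinned, body, sig)
	return cn, goodErr, spoofErr
}

func main() { fmt.Println(Demo()) }
```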



Gavin Andresen, Legendary, Activity: 1652, Merit: 2216 (Chief Scientist)
January 14, 2015, 07:22:53 PM, #3

If your system is compromised, and you are using a single-signature wallet, then the first time you unlock your wallet ALL your coins are gone.

Root certificates are not the weak link in that case; the keys being on one device is the weak link.

stevenh512, Full Member, Activity: 137, Merit: 100
January 16, 2015, 01:00:01 AM, #4

Quote
If your system is compromised, and you are using a single-signature wallet, then the first time you unlock your wallet ALL your coins are gone.

this

Quote
root certificates are not the weak link in that case; the keys being on one device is the weak link.

True, in that case root certificates aren't the weak link, but I can think of situations where it would be. Trusting a root certificate implies trusting a centralized certifying authority. The authority can be compromised to issue and sign fake certificates to facilitate MITM attacks. Governments have already coerced a few CAs into facilitating MITM attacks on SSL/TLS in the past.

Not saying that there's a better way to secure the payment protocol because I don't know of one, just acknowledging the fact that in some cases trusting a root certificate can be a weak link in the protocol the same way it can be a weak link in SSL/TLS.

Gavin Andresen, Legendary, Activity: 1652, Merit: 2216 (Chief Scientist)
January 16, 2015, 03:42:42 PM, #5

Quote
True, in that case root certificates aren't the weak link, but I can think of situations where it would be. Trusting a root certificate implies trusting a centralized certifying authority. The authority can be compromised to issue and sign fake certificates to facilitate MITM attacks. Governments have already coerced a few CAs into facilitating MITM attacks on SSL/TLS in the past.

Even in that case, the certificate is "a" weak link, not "the" weak link. Think through what would have to fail to pull off a steal-bitcoins attack in the multisig-wallet case:

1) User has to be directed to an attacker-controlled payment website. That means either DNS lookup is compromised or the user's connection to the Internet is compromised (weak link number 1).

2) Attacker serves up a signed PaymentRequest with a valid certificate signed by a compromised root certificate authority (weak link number 2).


If the attacker can accomplish (1), it is likely they would just serve up unsigned payment requests from a non-secure website and bet that the user doesn't notice the lack of a padlock in the web browser UI and agrees to pay to an unauthenticated bitcoin address.

(1) is mitigated if the payment website uses HSTS headers so any repeat visitors get a HTTPS connection -- that pushes the attack to "must compromise both the connection and be able to spoof the web server certificate".  Strike that, if their computer is compromised HSTS headers won't help.

In any case, I wouldn't say the root certificates are a single point of failure.
