Author

Topic: Bitcoin Core RPC Security Concerns (Read 270 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
October 30, 2023, 06:23:33 AM
#15
....Core isn't designed for it, but in past i've seen people have hundred to million address on their wallet.dat file for their services.

Dave bangs head on desk. Why would anyone use a personal desktop client for running a commercial service?
And even worse, one that is single-threaded for a lot of things.

Ugh.

Yes, I have done it, but usually within a bubble and with everyone knowing what was involved.

-Dave

Bitcoin Core isn't strictly personal desktop client though. There are many feature which geared towards developer for commercial service such as bitcoind, RPC-JSON, REST API and various tutorial/script provoded on Bitcoin Core on directory "doc" and "contrib".
staff
Activity: 4242
Merit: 8672
October 30, 2023, 02:19:29 PM
#12
Fair enough!  Indeed-- it shouldn't be used to make a block explorer (except as the backing node to obtain the blockchain) -- though not because of anything with the RPC, but just because it's out of scope for what it does.

The Bitcoin Core RPC isn't intended to be exposed to potentially malicious software/systems--  having to manage the attack surface of the P2P protocol is already trouble enough.  And unfortunately the 'standard' mechanisms for rpc security are endless sources of vulnerabilities, and using a non-standard method would make the RPC much less useful.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
October 30, 2023, 10:15:13 AM
#11
Because its written and reviewed by many of the foremost experts in the field.  The commercial alternatives have consistently been jokes zero peer review, zero security auditing, comical flaws aren't even the beginning... from MTGOX self-doublespending malleability tripped up private key leaking mess,  to bitcoin armory letting its keys being corrupted using shared thread unsafe memory for storing hashes, to bitpay's bitcore using 64-bit values for their nonces, to libbitcoin's recent comic fail -- there is a long history of disaster.  The fastest way to lose all your customers bitcoin's is "post your private keys online", but the second fastest way is probably to use some "commercial solution".

Bitcoin core is node software. It runs the entire network. By definition it handles the *entire* capacity of the network, even on modest hardware.



Bitcoin Core isn't strictly personal desktop client though. There are many feature which geared towards developer for commercial service such as bitcoind, RPC-JSON, REST API and various tutorial/script provoded on Bitcoin Core on directory "doc" and "contrib".

Not saying it does not. Or that it is not good software. And there are many things it does well.

But if you are running a public service you should have something very robust with a ton of security between the internet and RPC commands to core.

Core is the back end, there are a lot of things you can put in the front end to keep is isolated. Which was the original discussion, about RPC security.

That was more or less what I was trying to say.

Can you run a block explorer just with core? Yes, with some limitations but dumping everything to a database works better.
Can you run a public web wallet for people with core? Yes, but it's going to be a logistical and security nightmare if you don't put a lot of other things between it and the internet. And there are just flat out better ways to do it and just talk to core when needed.


-Dave
staff
Activity: 4242
Merit: 8672
October 30, 2023, 05:25:29 AM
#10
....Core isn't designed for it, but in past i've seen people have hundred to million address on their wallet.dat file for their services.
Dave bangs head on desk. Why would anyone use a personal desktop client for running a commercial service?
And even worse, one that is single-threaded for a lot of things.
Ugh.
Yes, I have done it, but usually within a bubble and with everyone knowing what was involved.

Because its written and reviewed by many of the foremost experts in the field.  The commercial alternatives have consistently been jokes zero peer review, zero security auditing, comical flaws aren't even the beginning... from MTGOX self-doublespending malleability tripped up private key leaking mess,  to bitcoin armory letting its keys being corrupted using shared thread unsafe memory for storing hashes, to bitpay's bitcore using 64-bit values for their nonces, to libbitcoin's recent comic fail -- there is a long history of disaster.  The fastest way to lose all your customers bitcoin's is "post your private keys online", but the second fastest way is probably to use some "commercial solution".

Bitcoin core is node software. It runs the entire network. By definition it handles the *entire* capacity of the network, even on modest hardware.

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
October 27, 2023, 08:34:42 AM
#9
....Core isn't designed for it, but in past i've seen people have hundred to million address on their wallet.dat file for their services.

Dave bangs head on desk. Why would anyone use a personal desktop client for running a commercial service?
And even worse, one that is single-threaded for a lot of things.

Ugh.

Yes, I have done it, but usually within a bubble and with everyone knowing what was involved.

-Dave
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
October 26, 2023, 06:54:08 AM
#8
...
I develop a wallet that communicates with Core via RPC. These things will not work because it would not be sure.

WHY?
RPC is slow and not really designed for it.
Core is really not designed for it either.

Think about how long it takes when you have to rescan the blockchain for something.

And as you discovered, it's designed for single user desktop use more or less in terms of security.

And if someone has access to the PC and can get to the bitcoin.conf file, you already have other security issues going on.

-Dave
staff
Activity: 3458
Merit: 6793
Just writing some code
October 25, 2023, 02:31:42 PM
#7
Why can RPC commands not contain signatures?
RPC is not intended for public consumption - you're not supposed to expose it to the internet or to untrusted networks.

f I could sign my RPC commands, there would be no problems with RPC security at Bitcon-Core.
I hereby officially wish to be able to sign RPC commands :-)
PRs welcome.
legendary
Activity: 1260
Merit: 2014
October 25, 2023, 03:02:42 AM
#6

Why can RPC commands not contain signatures?



It could contain signatures but I think that this will not happen in the near future coz the priorities of the developers are on more critical things when it comes to security.
Bitcoin Core already provides some level of security through existing authentication mechanisms like username and password authentication or IP whitelisting for RPC access and these are simpler and faster compared to signature verification.
You can't compare these when it comes to the security level but you have to see it from the use-case perspective.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
October 25, 2023, 02:25:49 AM
#5
Why can RPC commands not contain signatures?
That's actually a good question. I believe it has to do with the same reason we don't encrypt information with nodes' public keys in the Bitcoin network; it might be trivial to execute a man-in-the-middle attack.

I found these two:
- https://stackoverflow.com/q/12385240
- https://groups.google.com/g/grpc-io/c/SbajPhgcdqk

The TL;DR as I see it, is that security tokens provide better levels of security and are easier to implement.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
October 24, 2023, 07:58:23 AM
#4
There are some unofficial ways to front HTTPS through a Bitcoin Core node, such as this proxy right here which I saw recently: https://github.com/CodeByZ/bitcoin-json-rpc-proxy

Although, it is really only useful on an individual basis. A client program cannot expect HTTPS connections to nodes to be available on any basis, because there is a lack of such support in the Bitcoin Core client itself. Although there's a BIP I read somewhere that might allow the use of an alternate security protocol.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
October 24, 2023, 05:42:16 AM
#3
In case you don't know to create hashed password, you can use any of these tools
https://github.com/bitcoin/bitcoin/tree/v25.1/share/rpcauth
https://jlopp.github.io/bitcoin-core-rpc-auth-generator/
staff
Activity: 3458
Merit: 6793
Just writing some code
October 23, 2023, 07:54:06 PM
#2
The passphrase can be written as a hash in the config using the rpcauth option.

Any authentication method that requires multiple rounds of communication just to be authenticated will not work for a HTTP RPC server.
full member
Activity: 161
Merit: 168
October 23, 2023, 04:34:39 PM
#1
please delete!
Jump to: