Topic: This message was too old and has been purged (Read 1797 times)

member
Activity: 96
Merit: 10
esotericnonsense
December 07, 2014, 03:56:07 PM
#6
This is rather interesting but the RPC server should not ordinarily be exposed outside of a trusted network. Certainly not with an unencrypted wallet.
This was one of the main reasons behind me creating my terminal based frontend.
The approach should be to connect using a secure tunnel like SSH and interface with the Bitcoin Core daemon from there.

Ignoring that, I would take issue with the claim that it would take around an hour to brute force the password if on the same network.
I can't say I've tried, but you are claiming that you can get off over a million authentication attempts per second over a network (4294967296/3600).
Just sending a ten byte auth request would make that 10MB/s sustained.

The RPC server is not especially fast. I have not tested, but it would not surprise me if you struggled to get a few hundred auth attempts per second on a local machine. That would put you at over a month. If anyone has the time it would be interesting to see how quickly you can fail auth and try again.

I don't wish to speak for the core developers here but I would not be surprised if there are numerous vulnerabilities in the RPC server - it is likely not intended to be used with unsanitised input.
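As an added example (not code from this thread or from Bitcoin Core), a small Python check of the two points raised in this post: whether a bitcoin.conf widens RPC exposure beyond loopback, and what the brute-force figures quoted above actually imply. The option names (rpcallowip, rpcbind, rpcpassword) are real Bitcoin Core settings; the sample config, the 16-character password threshold and the helper names are assumptions made for the example.

```python
# Real Bitcoin Core option names (rpcallowip, rpcbind, rpcpassword); the
# sample config, the password-length threshold and the traffic figures below
# are constructed for this example.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: an operator who opened the RPC port to the LAN.
SAMPLE_CONF = """
server=1
rpcuser=bitcoinrpc
rpcpassword=hunter2
rpcallowip=127.0.0.1
rpcallowip=192.168.1.0/24   # whole LAN may talk to the RPC
rpcbind=0.0.0.0
"""

def parse_conf(text):
    """Parse bitcoin.conf-style key=value lines; repeated keys accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf

def host_of(addr):
    """Strip a CIDR suffix or port from an rpcallowip/rpcbind value."""
    if addr.startswith("["):              # [::1]:8332
        return addr[1:addr.index("]")]
    addr = addr.split("/", 1)[0]          # 192.168.1.0/24
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def rpc_exposure_findings(conf):
    """Return human-readable findings for settings that widen RPC exposure."""
    findings = []
    for key in ("rpcallowip", "rpcbind"):
        for value in conf.get(key, []):
            if host_of(value) not in LOOPBACK:
                findings.append(f"{key}={value} reaches beyond loopback")
    password = conf.get("rpcpassword", [""])[-1]
    if len(password) < 16:                # constructed threshold
        findings.append(f"rpcpassword is only {len(password)} characters")
    return findings

def brute_force_cost(keyspace, attempts_per_second, request_bytes):
    """Time to exhaust a keyspace and the sustained traffic it implies."""
    seconds = keyspace / attempts_per_second
    return {"days": seconds / 86400,
            "bytes_per_second": attempts_per_second * request_bytes}

if __name__ == "__main__":
    for f in rpc_exposure_findings(parse_conf(SAMPLE_CONF)):
        print("finding:", f)
    # The post's figures: 2^32 guesses in one hour versus a few hundred/second.
    print(brute_force_cost(2**32, 2**32 / 3600, 10))
    print(brute_force_cost(2**32, 300, 10))
```

With the post's numbers, exhausting 2^32 guesses in an hour needs over a million attempts per second and more than 10 MB/s of sustained request traffic, while a few hundred attempts per second stretches the same search past 160 days.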
legendary
Activity: 3248
Merit: 1070
December 07, 2014, 01:41:58 PM
#5
Isn't that version working with the Heartbleed bug? Of course it is vulnerable; 0.9 fixed it if I remember correctly.
sr. member
Activity: 293
Merit: 251
Director - www.cubeform.io
December 06, 2014, 12:39:13 PM
#4
There have been a number of distro-related issues having to do with configuration settings, but most of them don't last very long...
I think I recall seeing note of this one when it was resolved: https://bitcointalksearch.org/topic/m.3352617
staff
Activity: 4284
Merit: 8808
December 06, 2014, 11:49:47 AM
#3
Yes, the Debian packaging of Bitcoin was broken. This was known and fixed years ago; you're linking to a two-year-old version of the files. People building for themselves or using the Bitcoin.org binaries were never exposed to it.

The RPC is also not exposed outside of the localhost unless you go and add additional configuration, and the additional configuration results in it still being limited to particular networks normally.
legendary
Activity: 1974
Merit: 1029
December 06, 2014, 10:58:54 AM
#2
... and gone the coins are.

But only if the wallet is unencrypted. This is the RPC password, not the wallet encryption password.
legendary
Activity: 1260
Merit: 1168
December 05, 2014, 06:25:48 AM
#1
This message was too old and has been purged