 10 2016-01-25T00:40:58  <GitHub103> [bitcoin] stale2000 opened pull request #7410: Keccak hf: Fix mining centralization (master...keccak_hf) https://github.com/bitcoin/bitcoin/pull/7410
 17 2016-01-25T01:25:35  *** zooko has joined #bitcoin-core-dev
 32 2016-01-25T02:10:06  *** pigeons_ has quit IRC
 44 2016-01-25T03:19:30  *** dcousens has quit IRC
 58 2016-01-25T04:14:03  *** Chris_Stewart_5 has joined #bitcoin-core-dev
 78 2016-01-25T07:38:05  *** pigeons has joined #bitcoin-core-dev
103 2016-01-25T10:01:23  <phantomcircuit> is anybody using the rest interface?
104 2016-01-25T10:01:46  <phantomcircuit> it seems like a non-trivial amount of code to expose as an unauthenticated endpoint
105 2016-01-25T10:03:40  <phantomcircuit> jonasschnelli, ^
106 2016-01-25T10:03:59  <jonasschnelli> phantomcircuit: mind the -rest arg
107 2016-01-25T10:04:14  <phantomcircuit> ah it has to be explicitly enabled? how did i miss that...
108 2016-01-25T10:04:22  <jonasschnelli> Yes...
109 2016-01-25T10:04:29  <jonasschnelli> But agree.
110 2016-01-25T10:04:45  <jonasschnelli> Rest could be useful for decoupling the wallet
116 2016-01-25T10:10:15  <gmaxwell> phantomcircuit: yes, it's an attack vector, that's why it's been off by default... also why we kept json out of it. (thank god..)
117 2016-01-25T10:10:28  <gmaxwell> phantomcircuit: I've fuzz tested it some but still don't feel all that confident about its security.
118 2016-01-25T10:10:31  <jonasschnelli> gmaxwell: json is in there... :)
119 2016-01-25T10:10:41  <gmaxwell> jonasschnelli: we kept json input out of it.
120 2016-01-25T10:10:41  <jonasschnelli> Ah.. not as decoding. right.
121 2016-01-25T10:10:55  <jonasschnelli> There is encoding.
122 2016-01-25T10:11:07  <gmaxwell> which is why that bug in univalue wasn't an unauthenticated remotely exploitable bug.
123 2016-01-25T10:11:51  <jonasschnelli> Yes... long term im worries about the amount of APIs in bitcoin-core: RPC/REST/ZMQ/notify-exe/p2p....
124 2016-01-25T10:11:58  <jonasschnelli> *I'm worried
125 2016-01-25T10:12:26  <phantomcircuit> jonasschnelli, i strongly believe the zmq interface is unsafe
126 2016-01-25T10:12:27  <gmaxwell> the ZMQ libraries themselves aren't secure in my past experience.
127 2016-01-25T10:12:30  <jonasschnelli> And I have plans to introduce another... :)
128 2016-01-25T10:12:41  <jonasschnelli> well... not another.
129 2016-01-25T10:12:46  <gmaxwell> but hopefully no one is exposing ZMQ in untrusted ways.
130 2016-01-25T10:12:59  <phantomcircuit> ... what port does it listen on by default?
131 2016-01-25T10:13:10  <jonasschnelli> Writing a BIP about extending the p2p protocol for private/encrypted messages.
132 2016-01-25T10:13:21  <jonasschnelli> Things like "estimatefee", etc.
133 2016-01-25T10:13:33  <jonasschnelli> To couple a SPV wallet over p2p
134 2016-01-25T10:14:35  <phantomcircuit> jonasschnelli, keep in mind that BGP attacks are very real when proposing such a protocol
135 2016-01-25T10:14:59  <jonasschnelli> phantomcircuit: I'm not familiar with BGP attacks,.. can you explain that a little bit?
136 2016-01-25T10:16:08  <jonasschnelli> The idea I have is an "auth" p2p command,... that authenticates a node against a pubkey (nonce signing or similar), after the auth, do an ECDH and encrypt further communication (maybe only the additional/private commands).
137 2016-01-25T10:16:10  <phantomcircuit> jonasschnelli, essentially an attacker can claim to route a third party's traffic and perform a perfect mitm attack
138 2016-01-25T10:16:31  <jonasschnelli> I think with preshared keys and ECDH we can avoid a mitm.
139 2016-01-25T10:17:08  <jonasschnelli> The ECDH would only happen if the auth against a preshared pubkey on the node was successful.
140 2016-01-25T10:17:16  <phantomcircuit> unfortunately i think basically what we would want is tls... except tls is a nightmare
141 2016-01-25T10:17:49  <jonasschnelli> I guess this would allow to expose things like "estimatefee" to a single node (SPV) without opening a new DOS vector.
142 2016-01-25T10:17:59  <jonasschnelli> No tls please!
143 2016-01-25T10:18:05  <jonasschnelli> It's already possible with tunneling.
144 2016-01-25T10:18:15  <jonasschnelli> But user experience is bad
145 2016-01-25T10:18:17  <phantomcircuit> jonasschnelli, i don't see a good reason to do that though
146 2016-01-25T10:18:44  <phantomcircuit> "please show me the top x MB of your mempool" is more generic and allows the client to come to its own conclusions
147 2016-01-25T10:19:34  <jonasschnelli> main advantages of encrypted and extendable p2p com: a) SPV privacy improvement against a trusted full node (mitm impossible) b) additional wallet services
148 2016-01-25T10:19:57  <jonasschnelli> I guess: "please show me the top x MB of your mempool" is not practical long term for SPV.
149 2016-01-25T10:20:32  <jonasschnelli> And with encrypted and extendable p2p commands, we could also decouple the node control (UI). The UI could talk with the node over p2p 8333.
150 2016-01-25T10:20:47  <jonasschnelli> (Which is somehow very difficult over RPC)
153 2016-01-25T10:28:41  <jonasschnelli> phantomcircuit: but could the UI (if detached from the node) get peer information, mempool insights, etc?
154 2016-01-25T10:28:55  <jonasschnelli> phantomcircuit: how could the wallet get fee rates?
155 2016-01-25T10:36:25  <phantomcircuit> jonasschnelli, peer info no, mempool... yes if bandwidth between the two doesn't matter
156 2016-01-25T10:36:32  <phantomcircuit> (and it doesn't because localhost)
157 2016-01-25T10:36:35  <phantomcircuit> (or lan)
158 2016-01-25T10:36:59  <jonasschnelli> What if you want to have a secure SPV wallet on your cellphone?
159 2016-01-25T10:37:04  <phantomcircuit> jonasschnelli, get the full data for the last n blocks and the top n mb of mempool and build the fee estimates db itself
160 2016-01-25T10:38:01  <jonasschnelli> Not sure if you want to do fee ests. on a smartphone if you also run a full node at home.
161 2016-01-25T10:39:07  <jonasschnelli> somehow I think the model could be: <run your bank at home: full node>, <run your wallet on your smartphone: only trust your full-node, maybe a full p2p backup in case your node is down>, <have a vault at home: hardware wallet>
162 2016-01-25T10:39:38  <jonasschnelli> And I'm looking for a way to decouple the UI from the node.
163 2016-01-25T10:39:55  <jonasschnelli> And I don't think RPC/JSON would be good.
164 2016-01-25T10:40:40  <phantomcircuit> jonasschnelli, unfortunately request/response protocols tend to be either unreliable or super complicated
165 2016-01-25T10:42:03  <jonasschnelli> IMO the only reliable API that bitcoin provides is the p2p "api".
166 2016-01-25T10:42:30  <jonasschnelli> And it's async. RPC would result in long-polls or pulling-intervals.
167 2016-01-25T10:42:43  <jonasschnelli> And p2p is already DOS protected.
168 2016-01-25T10:44:09  <GitHub91> [bitcoin] Speed2016X2 opened pull request #7413: BIP: Block size limit based on average size (Russian) (master...master) https://github.com/bitcoin/bitcoin/pull/7413
169 2016-01-25T10:50:06  *** Guyver2 has quit IRC
179 2016-01-25T13:03:46  <GitHub27> [bitcoin] laanwj closed pull request #7413: BIP: Block size limit based on average size (Russian) (master...master) https://github.com/bitcoin/bitcoin/pull/7413
180 2016-01-25T13:30:11  *** Chris_Stewart_5 has quit IRC
188 2016-01-25T13:49:52  <GitHub140> [bitcoin] laanwj pushed 2 new commits to master: https://github.com/bitcoin/bitcoin/compare/f281caac48b9...9f796f3d2b53
189 2016-01-25T13:49:52  <GitHub140> bitcoin/master e99edc1 Andrew C: Add achow101's pgp key
190 2016-01-25T13:49:52  <GitHub140> bitcoin/master 9f796f3 Wladimir J. van der Laan: Merge #7400: Add achow101's pgp key...
191 2016-01-25T13:49:56  <GitHub27> [bitcoin] laanwj closed pull request #7400: Add achow101's pgp key (master...pgp-key) https://github.com/bitcoin/bitcoin/pull/7400
192 2016-01-25T13:50:17  *** dcousens has joined #bitcoin-core-dev
193 2016-01-25T13:58:40  <GitHub6> [bitcoin] laanwj pushed 2 new commits to master: https://github.com/bitcoin/bitcoin/compare/9f796f3d2b53...0893705ebfa6
194 2016-01-25T13:58:41  <GitHub6> bitcoin/master 17b5d38 Wladimir J. van der Laan: devtools: show pull and commit information in github-merge...
195 2016-01-25T13:58:41  <GitHub6> bitcoin/master 0893705 Wladimir J. van der Laan: Merge #7395: devtools: show pull and commit information in github-merge...
196 2016-01-25T13:58:45  <GitHub83> [bitcoin] laanwj closed pull request #7395: devtools: show pull and commit information in github-merge (master...2016_01_devtool_more_info) https://github.com/bitcoin/bitcoin/pull/7395
197 2016-01-25T14:01:49  *** AaronvanW_ has joined #bitcoin-core-dev
202 2016-01-25T14:42:39  <GitHub25> [bitcoin] laanwj pushed 2 new commits to master: https://github.com/bitcoin/bitcoin/compare/0893705ebfa6...6a5932bf2a4a
203 2016-01-25T14:42:40  <GitHub25> bitcoin/master 5ed2f16 Andrew C: [devtools] github-merge get toplevel dir without extra whitespace...
204 2016-01-25T14:42:40  <GitHub25> bitcoin/master 6a5932b Wladimir J. van der Laan: Merge #7402: [devtools] github-merge get toplevel dir without extra whitespace...
205 2016-01-25T14:42:49  <GitHub75> [bitcoin] laanwj closed pull request #7402: [devtools] github-merge get toplevel dir without extra whitespace (master...dev-tool-fix) https://github.com/bitcoin/bitcoin/pull/7402
206 2016-01-25T15:14:06  *** Guyver2 has joined #bitcoin-core-dev
211 2016-01-25T15:23:49  <GitHub26> [bitcoin] laanwj opened pull request #7415: net: Hardcoded seeds update January 2016 (master...2016_01_hardcoded_seeds) https://github.com/bitcoin/bitcoin/pull/7415
212 2016-01-25T15:30:55  *** cjcj has joined #bitcoin-core-dev
213 2016-01-25T15:32:43  <GitHub89> [bitcoin] laanwj closed pull request #7410: Keccak hf: Fix mining centralization (master...keccak_hf) https://github.com/bitcoin/bitcoin/pull/7410
227 2016-01-25T16:45:30  <GitHub107> [bitcoin] laanwj pushed 2 new commits to master: https://github.com/bitcoin/bitcoin/compare/6a5932bf2a4a...473ad1bb0269
228 2016-01-25T16:45:31  <GitHub107> bitcoin/master fae78fa MarcoFalke: [init] Clarify permitrbf help message
229 2016-01-25T16:45:31  <GitHub107> bitcoin/master 473ad1b Wladimir J. van der Laan: Merge #7391: [init] Clarify help message...
230 2016-01-25T16:45:35  <GitHub186> [bitcoin] laanwj closed pull request #7391: [init] Clarify help message (master...Mf1601-init-rbf) https://github.com/bitcoin/bitcoin/pull/7391
231 2016-01-25T17:00:05  *** murch has joined #bitcoin-core-dev
236 2016-01-25T17:21:38  *** wallet42 has joined #bitcoin-core-dev
237 2016-01-25T17:31:06  <GitHub51> [bitcoin] xor-freenet opened pull request #7416: doc: Explain effects of -prune=<n> parameter in release notes (0.12...0.12-pruning-release-notes) https://github.com/bitcoin/bitcoin/pull/7416
238 2016-01-25T17:39:00  *** murch has quit IRC
248 2016-01-25T20:05:55  *** arowser has quit IRC
279 2016-01-25T22:57:42  *** murch has quit IRC
