Closed JWWeatherman closed 3 years ago
ChristopherA
commented
3 years ago I think this is a good point if your node has spendable keys. Personally, I either use my full-node for watch-only services, or one key of many in a multi-sig (1 of a 4 of 9 is one of my planned scenarios I'm evaluating now). The security requirements for this are less than that of a node holding single-signature spending keys.
JWWeatherman
commented
3 years ago I'd think a warning could say "if you are testing or only plan to use this node with multisig." It would certainly be better than nothing, but I think:
These are just a couple of issues off the top of my head, but I'm sure there are a lot of ways a hacker can screw over a user that is trusting a node to do anything that has malware.
Fonta1n3
commented
3 years ago JW, I think the point you are missing here is with the Gordian architecture it does not matter if its multi-sig or single sig the node is never capable of spending on its own, ever. End of the day you should be raising this issue on the Bitcoin Core repo really...
Personally I run bitcoind on my everyday laptop and have no issues with doing that, and would not agree that we should discourage people from running bitcoind.
If people want to put their life savings on a hot wallet on their every day use computer perhaps they deserve to learn the hard way? Do you really think someone who would do something like that would be dissuaded not to by some pop up message? Is it really our responsibility to take the burden/liability of every dumb thing someone may do with their money simply bc we built an app that installs bitcoind? I think not. Best we can do is design our wallet in a way that prevents bad behavior, which we have done.
Having said that I think it is still a good exercise to put our tin foil hats on and consider the possibility that Bitcoin Core could be completely compromised. I think a far more effective way to address that possibility would be to add more functionality to Gordian Wallet to prevent the possibility of a compromised node from deriving incorrect invoice addresses or constructing transactions that do not include addresses the app actually owns. To be fair we already do that but we could do more. Simple 2FA checks where we cross check invoice addresses against what can be derived locally when creating transactions/invoices would go a long way to prevent any compromised instance of bitcoind from carrying out an attack.
JWWeatherman
commented
3 years ago My concerns already assume that there is not the ability to spend on the node only.
Yes, I think it is our responsibility to guide users to use our software in a reasonable way and I don't think it is reasonable to use your software on a daily driver laptop for the reasons I've stated above - especially given your target audience with this software. These problems also can't be addressed without taking reasonable steps to remove malware.
I'll go ahead and close this as I don't think we will make worthwhile progress via text, but happy to jump on a call to discuss as we might make more progress on that medium. And I appreciate you considering it and responding so quickly.
Fonta1n3
commented
3 years ago @JWWeatherman I think a good compromise would be for Gordian Server to check total balances every so often and offer a warning "hey you should be using this on a dedicated machine!", with particularly harsh warnings for any hot wallets. Personally just not a fan of making the experience of spinning up a node more scary then it needs to be...
Rspigler
commented
3 years ago I know this is closed, but I was late to the party. Just commenting this once. It doesn't matter if the node has the ability to spend or not. Bitcoin depends on a node to operate properly, so if you can't trust your node, your system fails. Your node therefore needs to be on a trusted machine.
Otherwise, you are open to various attacks (accepting fake coins, paying multiple times, etc).
Fonta1n3
commented
3 years ago I know this is closed, but I was late to the party. Just commenting this once. It doesn't matter if the node has the ability to spend or not. Bitcoin depends on a node to operate properly, so if you can't trust your node, your system fails. Your node therefore needs to be on a trusted machine.
Otherwise, you are open to various attacks (accepting fake coins, paying multiple times, etc).
Sure, hence my comments that a wallet such as Gordian Wallet can do a lot to prevent this sort of thing by simply deriving addresses locally as a 2FA check to ensure bitcoind is not compromised. Warning when balances get large and dissuading users from using hot wallets also makes sense. "Requiring" users to use a dedicated OS/machine for everything they may ever do that involves money or privacy sensitive information is not practical. Another simple solution is to run more than one node, use more than one wallet in conjunction with msig, that also alleviates these concerns to a huge degree.
If in Yeti you encourage people to derive all seeds from one machine and add all xprvs to that one machine then I can see your concerns are a lot more valid for Yeti, Gordian does no such thing.
Would be great if, as part of the setup flow, users were instructed to setup a dedicated computer with a freshly installed OS as part of setup. Otherwise users might be encouraged to run bitcoin core on their daily driver laptop even if they are using the node with significant sums. Daily driver laptops are not a best practice because users run a ton of software, from various sources, open email attachments, visit websites that could be malicous, etc.
This is such an important issue that it should require positive action on behalf of the user to do the "wrong thing" during setup. For example select a radio button that says "this is a dedicated machine used for nothing else" or "I won't use this node for significant sums of bitcoin."